
Quick mysql_real_escape_string question.

I am using mysql_real_escape_string for the input of a form before it
is updated into the mysql database. Something like this:

$realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
$id = intval($_POST['ID']);
$UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";

This is on a form that allows you to edit the textarea. The problem I
am running into is that it keeps adding more slashes every time it is
updated so the data database field looks something like this:
\\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"

Each time I run the code it adds more slashes. Is there a way to keep
it from doing that while still protecting from sql injection?

Thanks for your time!
Aug 20 '08 #1


Ma*********@gmail.com wrote:
> I am using mysql_real_escape_string for the input of a form before it
> is updated into the mysql database. Something like this:
>
> $realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
> $id = intval($_POST['ID']);
> $UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";
>
> This is on a form that allows you to edit the textarea. The problem I
> am running into is that it keeps adding more slashes every time it is
> updated so the data database field looks something like this:
> \\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"
>
> Each time I run the code it adds more slashes. Is there a way to keep
> it from doing that while still protecting from sql injection?
>
> Thanks for your time!

You probably have magic_quotes_gpc enabled on your server. Disable it.
It never worked correctly, and, from what I understand, it is going to
be removed in PHP 6.0.

If you can't disable magic_quotes_gpc (i.e. shared host), you can use
the following:

if (get_magic_quotes_gpc())
    $NewsHTML = stripslashes($_POST['NewsHTML']);  // undo the slashes PHP added
else
    $NewsHTML = $_POST['NewsHTML'];
$realHTMLText = mysql_real_escape_string($NewsHTML);

(actually, if your host won't turn it off, I would suggest changing hosts).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 20 '08 #2
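
The slash build-up discussed in this thread, reproduced as an added example (not code from any poster). Current PHP no longer ships magic_quotes_gpc or the mysql_* functions, so addslashes() stands in for both and stripslashes() stands in for the server parsing the quoted literal; the function names are hypothetical.

```php
<?php
// Added illustration, not code from the thread. addslashes() is a stand-in for
// magic_quotes_gpc and for mysql_real_escape_string(); stripslashes() is a
// stand-in for MySQL parsing the string literal. All of this is an assumption
// made so the script runs without a database.

/** What the script sees in $_POST with magic_quotes_gpc on or off. */
function receive_post(string $submitted, bool $magicQuotes): string
{
    return $magicQuotes ? addslashes($submitted) : $submitted;
}

/** One save: optionally undo magic quotes, escape once, let the server parse it. */
function save_cycle(string $submitted, bool $magicQuotes, bool $normalize): string
{
    $value = receive_post($submitted, $magicQuotes);
    if ($normalize && $magicQuotes) {
        $value = stripslashes($value);   // the check-and-strip fix from the reply
    }
    $literal = addslashes($value);       // escaping for the SQL string literal
    return stripslashes($literal);       // what ends up stored in the column
}

/** Re-submit the stored value through the edit form $rounds times. */
function edit_repeatedly(string $text, int $rounds, bool $magicQuotes, bool $normalize): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $text = save_cycle($text, $magicQuotes, $normalize);
    }
    return $text;
}

$original = '"Hello, this is some text."';   // constructed sample input

// Three configurations: magic quotes on without the fix, on with the fix, off.
foreach ([[true, false], [true, true], [false, false]] as [$mq, $norm]) {
    $stored = edit_repeatedly($original, 3, $mq, $norm);
    printf("magic_quotes=%s normalize=%s backslashes=%d  %s\n",
        var_export($mq, true), var_export($norm, true),
        substr_count($stored, '\\'), $stored);
}
```

Only the first configuration accumulates backslashes, because the input is escaped twice per save while the server removes just one layer.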

Jerry Stuckle wrote:
> Ma*********@gmail.com wrote:
>> I am using mysql_real_escape_string for the input of a form before it
>> is updated into the mysql database. Something like this:
>>
>> $realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
>> $id = intval($_POST['ID']);
>> $UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";
>>
>> This is on a form that allows you to edit the textarea. The problem I
>> am running into is that it keeps adding more slashes every time it is
>> updated so the data database field looks something like this:
>> \\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"
>>
>> Each time I run the code it adds more slashes. Is there a way to keep
>> it from doing that while still protecting from sql injection?
>>
>> Thanks for your time!
>
> You probably have magic_quotes_gpc enabled on your server. Disable it.
> It never worked correctly, and, from what I understand, it is going to
> be removed in PHP 6.0.
>
> If you can't disable magic_quotes_gpc (i.e. shared host), you can use
> the following:
>
> if (get_magic_quotes_gpc())
>     $NewsHTML = stripslashes($_POST['NewsHTML']);
> else
>     $NewsHTML = $_POST['NewsHTML'];
> $realHTMLText = mysql_real_escape_string($NewsHTML);
>
> (actually, if your host won't turn it off, I would suggest changing hosts).

I had a similar problem so I turned it off in the .htaccess file.

Open up or create a new .htaccess file and insert the following:

php_flag magic_quotes_gpc off

You can use this file as a per directory need, not necessarily the entire
site if you don't want.
Aug 20 '08 #3

FutureShock wrote:
> Jerry Stuckle wrote:
>> Ma*********@gmail.com wrote:
>>> I am using mysql_real_escape_string for the input of a form before it
>>> is updated into the mysql database. Something like this:
>>>
>>> $realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
>>> $id = intval($_POST['ID']);
>>> $UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";
>>>
>>> This is on a form that allows you to edit the textarea. The problem I
>>> am running into is that it keeps adding more slashes every time it is
>>> updated so the data database field looks something like this:
>>> \\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"
>>>
>>> Each time I run the code it adds more slashes. Is there a way to keep
>>> it from doing that while still protecting from sql injection?
>>>
>>> Thanks for your time!
>>
>> You probably have magic_quotes_gpc enabled on your server. Disable it.
>> It never worked correctly, and, from what I understand, it is going to
>> be removed in PHP 6.0.
>>
>> If you can't disable magic_quotes_gpc (i.e. shared host), you can use
>> the following:
>>
>> if (get_magic_quotes_gpc())
>>     $NewsHTML = stripslashes($_POST['NewsHTML']);
>> else
>>     $NewsHTML = $_POST['NewsHTML'];
>> $realHTMLText = mysql_real_escape_string($NewsHTML);
>>
>> (actually, if your host won't turn it off, I would suggest changing
>> hosts).
>
> I had a similar problem so I turned it off in the .htaccess file.
>
> Open up or create a new .htaccess file and insert the following:
>
> php_flag magic_quotes_gpc off
>
> You can use this file as a per directory need, not necessarily the entire
> site if you don't want.

The problem is - that may or may not work, depending on your host's
settings, which is why I don't recommend it.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 20 '08 #4

Ma*********@gmail.com writes:
> I am using mysql_real_escape_string for the input of a form before it
> is updated into the mysql database. Something like this:
>
> $realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
> $id = intval($_POST['ID']);
> $UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";
>
> This is on a form that allows you to edit the textarea. The problem I
> am running into is that it keeps adding more slashes every time it is
> updated so the data database field looks something like this:
> \\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"
>
> Each time I run the code it adds more slashes. Is there a way to keep
> it from doing that while still protecting from sql injection?
>
> Thanks for your time!

Did you search the web for magic_quotes / magic_quotes_gpc /
magic_quotes_runtime?
Aug 20 '08 #5

On Aug 19, 7:42 pm, Mandrago...@gmail.com wrote:
> I am using mysql_real_escape_string for the input of a form before it
> is updated into the mysql database. Something like this:
>
> $realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
> $id = intval($_POST['ID']);
> $UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";
>
> This is on a form that allows you to edit the textarea. The problem I
> am running into is that it keeps adding more slashes every time it is
> updated so the data database field looks something like this:
>
> \\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"
>
> Each time I run the code it adds more slashes. Is there a way to keep
> it from doing that while still protecting from sql injection?
>
> Thanks for your time!

Ah I see - I have a home server I am testing things on (WAMP) and that
is where the problem is. I should have thought of that. Thank you for
taking the time to reply.
Aug 20 '08 #6
