Quick mysql_real_escape_string question.

I am using mysql_real_escape_string for the input of a form before it
is updated into the mysql database. Something like this:

$realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
$id = intval($_POST['ID']);
$UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";

This is on a form that allows you to edit the textarea. The problem I
am running into is that it keeps adding more slashes every time it is
updated so the data database field looks something like this:

\\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"

Each time I run the code it adds more slashes. Is there a way to keep
it from doing that while still protecting from sql injection?

Thanks for your time!
Aug 20 '08 #1
Ma*********@gmail.com wrote:
> I am using mysql_real_escape_string for the input of a form before it
> is updated into the mysql database. Something like this:
>
> $realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
> $id = intval($_POST['ID']);
> $UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";
>
> This is on a form that allows you to edit the textarea. The problem I
> am running into is that it keeps adding more slashes every time it is
> updated so the data database field looks something like this:
>
> \\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"
>
> Each time I run the code it adds more slashes. Is there a way to keep
> it from doing that while still protecting from sql injection?
>
> Thanks for your time!

You probably have magic_quotes_gpc enabled on your server. Disable it.
It never worked correctly, and, from what I understand, it is going to
be removed in PHP 6.0.

If you can't disable magic_quotes_gpc (i.e. shared host), you can use
the following:

// Undo the slashes magic_quotes_gpc added, so the value is escaped only once
if (get_magic_quotes_gpc())
    $NewsHTML = stripslashes($_POST['NewsHTML']);
else
    $NewsHTML = $_POST['NewsHTML'];
$realHTMLText = mysql_real_escape_string($NewsHTML);

(actually, if your host won't turn it off, I would suggest changing hosts).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 20 '08 #2
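
Added example, not part of any post in this thread: a small PHP model of the edit-and-save round trip, showing why the stored text gains backslashes on every save when magic_quotes_gpc is on and why the stripslashes() branch in the reply above stops it. addslashes() stands in for magic_quotes_gpc and for mysql_real_escape_string(), and the names incoming_post, save, edit_cycles and the $db array are assumptions made for the illustration.

```php
<?php
// Added example: a model of the form round trip, no database needed.
// addslashes() stands in for magic_quotes_gpc, which escaped $_POST the same way.

// What the script sees in $_POST for a submitted field.
function incoming_post(string $submitted, bool $magicQuotes): string
{
    return $magicQuotes ? addslashes($submitted) : $submitted;
}

// Escaping a value for a quoted SQL literal and the server parsing that
// literal cancel out: the column holds exactly the string that was escaped.
function save(array &$db, string $value): void
{
    $literal = addslashes($value);            // stand-in for mysql_real_escape_string()
    $db['Content'] = stripslashes($literal);  // stand-in for the server reading the literal
}

// Load the row into the form and submit it unchanged, $times times.
function edit_cycles(string $text, int $times, bool $magicQuotes, bool $undoMagic): string
{
    $db = ['Content' => $text];
    for ($i = 0; $i < $times; $i++) {
        $post = incoming_post($db['Content'], $magicQuotes);
        if ($magicQuotes && $undoMagic) {
            $post = stripslashes($post);      // the get_magic_quotes_gpc() branch
        }
        save($db, $post);
    }
    return $db['Content'];
}

$text = '"Hello, this is some text."';        // constructed sample input
$cases = [
    'magic quotes on, no stripslashes' => [true, false],
    'magic quotes on, stripslashes'    => [true, true],
    'magic quotes off'                 => [false, false],
];
foreach ($cases as $label => [$magicQuotes, $undoMagic]) {
    $stored = edit_cycles($text, 3, $magicQuotes, $undoMagic);
    printf("%-34s %2d backslashes: %s\n", $label, substr_count($stored, '\\'), $stored);
}
```

The SQL escaping step never changes what is stored; only the extra, unremoved layer added to the request data accumulates across saves.
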
Jerry Stuckle wrote:
> You probably have magic_quotes_gpc enabled on your server. Disable it.
> It never worked correctly, and, from what I understand, it is going to
> be removed in PHP 6.0.
>
> If you can't disable magic_quotes_gpc (i.e. shared host), you can use
> the following:
>
> if (get_magic_quotes_gpc())
>     $NewsHTML = stripslashes($_POST['NewsHTML']);
> else
>     $NewsHTML = $_POST['NewsHTML'];
> $realHTMLText = mysql_real_escape_string($NewsHTML);
>
> (actually, if your host won't turn it off, I would suggest changing hosts).

I had a similar problem so I turned it off in the .htaccess file.

Open up or create a new .htaccess file and insert the following:

php_flag magic_quotes_gpc off

You can use this file as a per directory need, not necessarily the entire
site if you don't want.
Aug 20 '08 #3
FutureShock wrote:
> I had a similar problem so I turned it off in the .htaccess file.
>
> Open up or create a new .htaccess file and insert the following:
>
> php_flag magic_quotes_gpc off
>
> You can use this file as a per directory need, not necessarily the entire
> site if you don't want.

The problem is - that may or may not work, depending on your host's
settings, which is why I don't recommend it.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Aug 20 '08 #4
Ma*********@gmail.com writes:
> I am using mysql_real_escape_string for the input of a form before it
> is updated into the mysql database. Something like this:
>
> $realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
> $id = intval($_POST['ID']);
> $UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";
>
> This is on a form that allows you to edit the textarea. The problem I
> am running into is that it keeps adding more slashes every time it is
> updated so the data database field looks something like this:
>
> \\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"
>
> Each time I run the code it adds more slashes. Is there a way to keep
> it from doing that while still protecting from sql injection?
>
> Thanks for your time!

Did you search the web for magic_quotes / magic_quotes_gpc /
magic_quotes_runtime?
Aug 20 '08 #5
On Aug 19, 7:42 pm, Mandrago...@gmail.com wrote:
> I am using mysql_real_escape_string for the input of a form before it
> is updated into the mysql database. Something like this:
>
> $realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
> $id = intval($_POST['ID']);
> $UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";
>
> This is on a form that allows you to edit the textarea. The problem I
> am running into is that it keeps adding more slashes every time it is
> updated so the data database field looks something like this:
>
> \\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"
>
> Each time I run the code it adds more slashes. Is there a way to keep
> it from doing that while still protecting from sql injection?
>
> Thanks for your time!

Ah I see - I have a home server I am testing things on (WAMP) and that
is where the problem is. I should have thought of that. Thank you for
taking the time to reply.
Aug 20 '08 #6
