Mysql_real_escape_string and single quote

I'm very sad. I want to be able to insert names containing single quotes into my database, for example O'Connor.

So, when inserting into the DB, I do:

$lname = mysql_real_escape_string($_POST['lname']); 

And then I insert $lname into the DB.

When it is in the database, it looks like O\'Connor.

So, if I were to recall this last name in my web application, I would have to use:

  $lname = stripslashes($r["lname"]); 

It all works fine. However, I have a search function that searches for names and displays the results. When I search, I have to search for O\'Connor to get any results.

You see, after searching, the text field automatically keeps the value that was just searched for (using sessions). So my code is:

  $search = mysql_real_escape_string($_GET['search']);
  $_SESSION['search'] = $search;

As I said, when searching I have to use "O\'Connor", and then after searching the value in the text box becomes "O\\\\'Connor".

I'm having a hard time figuring this out. Does anyone know what I'm doing wrong? Thanks!

EDIT:

Here is my php5.ini file regarding magic quotes:

  ; Magic quotes
  ;
  ; Magic quotes for incoming GET/POST/Cookie data.
  magic_quotes_gpc = On
  ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
  magic_quotes_runtime = Off
  ; Use Sybase-style magic quotes (escape ' with '' instead of \').
  magic_quotes_sybase = Off

However, my site is hosted on GoDaddy, and I do not have permission to edit the file :(

+4
source share
6 answers

It seems magic quotes are enabled in your PHP configuration.

To check whether it is really enabled:

 echo get_magic_quotes_gpc(); 

To disable it, edit the php.ini file:

  ; Magic quotes
  ;
  ; Magic quotes for incoming GET/POST/Cookie data.
  magic_quotes_gpc = Off
  ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
  magic_quotes_runtime = Off
  ; Use Sybase-style magic quotes (escape ' with '' instead of \').
  magic_quotes_sybase = Off

Or add this line to your .htaccess:

 php_flag magic_quotes_gpc Off 
+7
source

Magic quotes are enabled. This means that everything placed in POST, GET or other similar locations is automatically escaped, so novice programmers do not need to worry about it. It is deprecated in the current version of PHP, if I remember correctly.

What you want to do to handle this and have the script run under any configuration is:

  function fixinput($value){
      // If magic_quotes_gpc already escaped the request value, undo that
      // first so the value is not escaped twice.
      if (get_magic_quotes_gpc()){
          $value = stripslashes($value);
      }
      // Escape exactly once, for use inside a quoted SQL literal.
      return mysql_real_escape_string($value);
  }

You might want to further modify this to wrap non-numeric data in quotation marks, which is a common option, but I think those quotes are best placed manually.

+1
source

A small edit to the fixinput function to check whether your PHP installation actually has mysql_real_escape_string (older versions do not):

  function fixinput($value){
      // Undo the automatic escaping done by magic_quotes_gpc, if it is on.
      if (get_magic_quotes_gpc()){
          $value = stripslashes($value);
      }
      // mysql_real_escape_string() needs PHP 4.3.0+; fall back to the
      // older, connection-charset-unaware mysql_escape_string() otherwise.
      if (function_exists('mysql_real_escape_string')) {
          return mysql_real_escape_string($value);
      } else {
          return mysql_escape_string($value);
      }
  }
+1
source

When it is in the database, it looks like O\'Connor.

So, if I were to recall this last name in my web application, I would have to use:

  $lname = stripslashes($r["lname"]); 

Wrong! When you escape strings with mysql_real_escape_string, they are only escaped in the query. The database parses the query, so the data ends up in the database without any escape characters. When retrieving data from the database, you do not need to use stripslashes. If you think you do, it means the data in your database is mangled. Most likely because you have magic quotes enabled.

You must:

  • Disable magic quotes or undo their effect globally. See the manual for more details.
  • Use bound parameters (best solution) or escape every variable with mysql_real_escape_string. You must do this when building the query.
  • Do not do anything to what you pull out of the database.

In particular, do not create functions like the fixinput and its variants listed in some answers here. This is the wrong way to solve the problem, because it will mangle any data that does not come from the HTTP request.

0
source
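The escaping chain described in the question and the advice in the answer above, as an added example that is not part of any post on this page; it also shows the conditional stripslashes() that the fixinput answers are trying to get right. It assumes PHP 7.4 or later with the pdo_sqlite extension: an in-memory SQLite database stands in for MySQL, and addslashes() stands in for mysql_real_escape_string() (both turn ' into \' and \ into \\, which is all the O'Connor case exercises; the real function was removed in PHP 7 and needs a live MySQL connection). All input values are constructed.

```php
<?php
// Added example, not from the question or any answer on this page. It walks
// through the escaping levels that leave "O\'Connor" in the table when
// magic_quotes_gpc is on, then applies the approach from the answer above:
// undo magic quotes once on the request data, bind parameters at query time,
// and never stripslashes() what comes back from the database.
//
// Assumptions: PHP 7.4+ with pdo_sqlite; SQLite in memory stands in for MySQL,
// addslashes() stands in for mysql_real_escape_string().

declare(strict_types=1);

// magic_quotes_gpc applied addslashes() to every GET/POST/Cookie value on
// arrival. Simulated here, since the feature was removed in PHP 5.4.
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// The original poster's chain: the already magic-quoted value is escaped a
// second time when the query is built. This is the literal MySQL receives.
function query_literal_after_double_escape(string $raw): string
{
    return addslashes(simulate_magic_quotes($raw));
}

// MySQL removes one level of backslash escaping when it parses a string
// literal; stripslashes() models that for the characters involved here.
function what_mysql_stores(string $literal): string
{
    return stripslashes($literal);
}

// Reverse magic quotes once, recursively over nested arrays, and only when the
// runtime actually applied them. get_magic_quotes_gpc() is gone in PHP 8,
// hence the function_exists() guard; $enabled can be forced for testing.
function undo_magic_quotes(array $data, ?bool $enabled = null): array
{
    if ($enabled === null) {
        $enabled = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    if (!$enabled) {
        return $data;
    }
    $clean = [];
    foreach ($data as $key => $value) {
        $clean[stripslashes((string) $key)] = is_array($value)
            ? undo_magic_quotes($value, true)
            : stripslashes((string) $value);
    }
    return $clean;
}

// Insert and search with bound parameters: the driver handles quoting, the
// database stores the raw value, and reads need no stripslashes().
function store_name(PDO $db, string $lname): void
{
    $stmt = $db->prepare('INSERT INTO people (lname) VALUES (:lname)');
    $stmt->execute([':lname' => $lname]);
}

function search_names(PDO $db, string $needle): array
{
    $stmt = $db->prepare('SELECT lname FROM people WHERE lname LIKE :needle');
    $stmt->execute([':needle' => '%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, lname TEXT NOT NULL)');

$typed   = "O'Connor";                                    // constructed sample input
$request = ['lname' => simulate_magic_quotes($typed)];    // what $_POST held with magic quotes on
$literal = query_literal_after_double_escape($typed);

echo "value in \$_POST with magic quotes on: {$request['lname']}\n";  // O\'Connor
echo "query literal after escaping it again: $literal\n";             // O\\\'Connor
echo "what ends up in the table:             ", what_mysql_stores($literal), "\n"; // O\'Connor

// The fix: undo magic quotes once, then let the bound parameter do the escaping.
$clean = undo_magic_quotes($request, true);
store_name($db, $clean['lname']);
$search = undo_magic_quotes(['search' => simulate_magic_quotes("O'Con")], true);
echo "stored and found with bound params:    ", search_names($db, $search['search'])[0], "\n"; // O'Connor

// Why the strip must be conditional: with magic quotes off, an unconditional
// stripslashes() eats legitimate backslashes in untouched input.
$domainUser = 'CORP\\jsmith';                             // the literal string CORP\jsmith
echo "unconditional stripslashes():          ", stripslashes($domainUser), "\n"; // CORPjsmith
echo "conditional, magic quotes off:         ", undo_magic_quotes(['u' => $domainUser], false)['u'], "\n"; // CORP\jsmith
```

Run it as a plain script (php example.php). The point of undo_magic_quotes() taking the whole request array is the one made in the answer: reverse magic quotes in one place on the request data only, and escape at the moment the query is built (here by binding), so nothing read back from the database is ever touched.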

I do not check get_magic_quotes_gpc.

I just do $lname = mysql_real_escape_string(stripslashes($_POST['lname'])); so if there are no magic quotes, there are no slashes to strip, and if there are, it strips them.

And it works wonders for me!

-1
source

All you have to do is run the search query through mysql_real_escape_string, and that should be fine. The best way, though, is not to store the value escaped, but instead to just escape everything as it goes into the database.

Instead, do the following:

  $_SESSION['search'] = $_GET['search'];
  $search = mysql_real_escape_string($_GET['search']);
-2
source
