[PHP] handling ' with mysql/php insert and select

2008-01-03 Thread Adam Williams
In my form, I am parsing all the text inputs through
mysql_real_escape_string() before inserting the data. However, when I
look at the SQL query in PHP, when I type the word blah's into my text box
variable and then insert it into mysql after it has been run through
mysql_real_escape_string(), it does:

insert into contract (contract_id, responsibility) VALUES (15, 'blah\\\'s')

and when I query it in mysql/PHP it shows:

select responsibility from contract where contract_id = 15;
+----------------+
| responsibility |
+----------------+
| blah\'s        |
+----------------+
1 row in set (0.00 sec)

and when I run that select statement in PHP it prints blah\'s on the
screen. I want it to print back blah's without the \. So what are my
options? Run every variable through stripslashes() before printing
them to the screen?


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] handling ' with mysql/php insert and select

2008-01-03 Thread afan pasalic
Adam Williams wrote:
> In my form, I am parsing all the text inputs through
> mysql_real_escape_string() before inserting the data. However, when I
> look at the SQL query in PHP, when I type the word blah's into my text box
> variable and then insert it into mysql after it has been run through
> mysql_real_escape_string(), it does:
>
> insert into contract (contract_id, responsibility) VALUES (15, 'blah\\\'s')
>
> and when I query it in mysql/PHP it shows:
>
> select responsibility from contract where contract_id = 15;
> +----------------+
> | responsibility |
> +----------------+
> | blah\'s        |
> +----------------+
> 1 row in set (0.00 sec)
>
> and when I run that select statement in PHP it prints blah\'s on the
> screen. I want it to print back blah's without the \. So what are my
> options? Run every variable through stripslashes() before printing
> them to the screen?


If you have access to php.ini, turn magic_quotes_gpc off.
If not, then you have to use one of the examples on
http://us.php.net/manual/en/function.get-magic-quotes-gpc.php

-afan




Re: [PHP] handling ' with mysql/php insert and select

2008-01-03 Thread David Giragosian
On 1/3/08, Adam Williams [EMAIL PROTECTED] wrote:

> In my form, I am parsing all the text inputs through
> mysql_real_escape_string() before inserting the data. However, when I
> look at the SQL query in PHP, when I type the word blah's into my text box
> variable and then insert it into mysql after it has been run through
> mysql_real_escape_string(), it does:
>
> insert into contract (contract_id, responsibility) VALUES (15,
> 'blah\\\'s')
>
> and when I query it in mysql/PHP it shows:
>
> select responsibility from contract where contract_id = 15;
> +----------------+
> | responsibility |
> +----------------+
> | blah\'s        |
> +----------------+
> 1 row in set (0.00 sec)
>
> and when I run that select statement in PHP it prints blah\'s on the
> screen. I want it to print back blah's without the \. So what are my
> options? Run every variable through stripslashes() before printing
> them to the screen?


Andy,

The magic quotes directive is likely set to on in php.ini.

Set it to 0 (zero) or 'Off'.

David


Re: [PHP] handling ' with mysql/php insert and select

2008-01-03 Thread Brady Mitchell
> when I type the word blah's into my text box
> variable and then insert it into mysql after it has been run through
> mysql_real_escape_string(), it does:
>
> insert into contract (contract_id, responsibility) VALUES (15, 'blah\\\'s')

It looks like magic quotes is turned on. Take a look at
http://us2.php.net/magic_quotes.

> and when I run that select statement in PHP it prints blah\'s on the
> screen. I want it to print back blah's without the \. So what are my
> options? Run every variable through stripslashes() before printing
> them to the screen?

Using stripslashes is a nice quick fix, but for a long term solution
turn off magic_quotes and then update your data to remove the extra
slashes.

A simple way to do that is to loop through your database records, run
stripslashes and update the database. As always, be sure to back up your
database before doing this, just to be safe! :)

HTH,

Brady

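The clean-up Brady describes (loop over the rows, stripslashes, write back), written out as an added example; it is not code from the thread or from PHP's documentation. It assumes PHP 5.x with the mysqli extension, the `contract` table from the original post, and placeholder connection values. The magic-quotes guard and the `LOCK TABLES` call are assumptions of mine: the first stops the script from running while new double-escaped rows can still arrive, the second keeps other writers out during the rewrite.

```php
<?php
// Added example: one-off repair of rows that were double-escaped by
// magic_quotes_gpc + mysql_real_escape_string. Not code from the thread.
// Assumes PHP 5.x, mysqli, and the `contract` table from the original post.
// Connection values are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error . "\n");
}

// Refuse to run while magic quotes are still on: every new form post would
// keep adding the extra backslash while this script is removing old ones.
if (get_magic_quotes_gpc()) {
    die("magic_quotes_gpc is still on; disable it in php.ini first\n");
}

// Serialise the repair: nobody else writes to the table while we rewrite it.
$db->query('LOCK TABLES contract WRITE');

$select = $db->prepare('SELECT contract_id, responsibility FROM contract');
$update = $db->prepare('UPDATE contract SET responsibility = ? WHERE contract_id = ?');

// Buffer the rows first: a mysqli connection runs one statement at a time,
// so we cannot interleave UPDATEs with an open SELECT result set.
$select->execute();
$select->bind_result($id, $responsibility);
$rows = array();
while ($select->fetch()) {
    $rows[] = array($id, $responsibility);
}
$select->close();

$fixed = 0;
foreach ($rows as $row) {
    list($id, $stored) = $row;
    $clean = stripslashes($stored);      // "blah\'s" -> "blah's"
    if ($clean === $stored) {
        continue;                         // nothing to repair in this row
    }
    // Bound parameter: the driver quotes the value itself, so no escaping
    // call is needed and the stray backslash cannot come back.
    $update->bind_param('si', $clean, $id);
    $update->execute();
    $fixed++;
}
$update->close();
$db->query('UNLOCK TABLES');
printf("repaired %d row(s)\n", $fixed);
```

Two caveats before running it against real data: stripslashes() cannot tell a backslash added by magic quotes from one the user typed, so rows that legitimately contain backslashes (file paths, regular expressions) lose them; and rows written while magic quotes were already off are untouched only because they contain no backslash at all. Restoring from the backup Brady mentions is the only way back if either case bites, so count the rows the loop would change on a copy of the table first.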



Re: [PHP] handling ' with mysql/php insert and select

2008-01-03 Thread Richard Lynch
On Thu, January 3, 2008 1:22 pm, Adam Williams wrote:
> In my form, I am parsing all the text inputs through
> mysql_real_escape_string() before inserting the data. However, when I
> look at the SQL query in PHP, when I type the word blah's into my text
> box
> variable and then insert it into mysql after it has been run through
> mysql_real_escape_string(), it does:
>
> insert into contract (contract_id, responsibility) VALUES (15,
> 'blah\\\'s')
>
> and when I query it in mysql/PHP it shows:
>
> select responsibility from contract where contract_id = 15;
> +----------------+
> | responsibility |
> +----------------+
> | blah\'s        |
> +----------------+
> 1 row in set (0.00 sec)
>
> and when I run that select statement in PHP it prints blah\'s on the
> screen. I want it to print back blah's without the \. So what are my
> options? Run every variable through stripslashes() before printing
> them to the screen?

TURN OFF MAGIC QUOTES!!!

Sorry for shouting.

Not really, though. :-)

Magic Quotes GPC in php.ini is ALREADY (trying to) escaping your data,
before you filter it.

This is just plain bassakwards, but was conceived back in the good ol'
days when the 'net was a kinder, gentler place.

But since Magic Quotes already escaped the data, and added \' for
every ' that was there, *YOUR* mysql_real_escape_string was adding
\\\' for the original ', because there was already a \ in there from
Magic Quotes, which needs escaping, just as ' does:

Stage 1:
Original data: blah's

Stage 2:
Magic Quotes GPC tells PHP to do this as it crams stuff into $_POST
blah\'s

Stage 3:
mysql_real_escape_string converts that to:
blah\\\'s

Stage 4:
MySQL stores what you told it to store:
blah\'s

Stage 5:
You select it, and you get what you put in:
blah\'s

Magic Quotes GPC should just be turned OFF, period.

If you have any data already put into your database with both Magic
Quotes and mysql_real_escape_string, then you will need to:

  lock the DB
  pull all the data out
  run stripslashes on all affected data
  call mysql_real_escape_string on affected data
  put affected data back in
  turn OFF magic quotes
  unlock the DB

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

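Richard's five stages, traced in code, followed by the write path that escapes the value exactly once whatever php.ini says. This is an added example, not code from the thread or from PHP's documentation. It assumes PHP 5.x (magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0), the mysqli extension with placeholder credentials, and the `contract` table from the original post; `raw_input()` and `trace_stages()` are names I made up, and the trace uses addslashes() as a stand-in for mysql_real_escape_string() because both escape ' and \ the same way for this input and addslashes() needs no database connection.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.x, mysqli and the
// `contract` table from the original post; credentials are placeholders.

/**
 * Return a request value as the user actually typed it.
 * With magic_quotes_gpc on, PHP has already run addslashes() over $_POST;
 * undo that once here so every later layer sees the raw text.
 */
function raw_input($value)
{
    return get_magic_quotes_gpc() ? stripslashes($value) : $value;
}

/**
 * Walk the stages from the post for a given magic_quotes setting and
 * return the string at each step, so the double escaping is visible.
 * addslashes() stands in for mysql_real_escape_string() (same result
 * for ' and \ on this input, and no connection required).
 */
function trace_stages($original, $magic_quotes_on)
{
    $in_post  = $magic_quotes_on ? addslashes($original) : $original; // Stage 2
    $in_query = addslashes($in_post);   // Stage 3: your own escaping call
    $stored   = stripslashes($in_query); // Stage 4: MySQL unescapes the literal once
    return array(
        'original' => $original,   // Stage 1
        'in_POST'  => $in_post,
        'in_query' => $in_query,
        'stored'   => $stored,     // Stage 5 returns this unchanged
    );
}

print_r(trace_stages("blah's", true));   // stored => blah\'s   (the bug)
print_r(trace_stages("blah's", false));  // stored => blah's

// The write path that does not depend on the php.ini setting: undo magic
// quotes once, then let a bound parameter do the quoting. No escaping
// function is called on the value at all, so it cannot be escaped twice.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error . "\n");
}
$responsibility = raw_input(isset($_POST['responsibility']) ? $_POST['responsibility'] : '');
$contract_id    = 15;

$stmt = $db->prepare('INSERT INTO contract (contract_id, responsibility) VALUES (?, ?)');
$stmt->bind_param('is', $contract_id, $responsibility);
$stmt->execute();
$stmt->close();
```

raw_input() is the get_magic_quotes_gpc() guard afan's link describes, placed at the one spot where request data enters the application; if it is applied in more than one place the same double-processing problem reappears in reverse, with stripslashes() eating backslashes the user really typed. Keeping the database write on a bound parameter means turning magic quotes off later changes nothing about what gets stored.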



RE: [PHP] handling ' with mysql/php insert and select

2008-01-03 Thread Bastien Koert

lots of ways to handle this

use htmlentities($string) to convert the apostrophes
use addslashes($string) to escape them
use mysql_real_escape_string($string) to escape them

the last is my preferred method
 
bastien