PHP mysql_real_escape_string() - stripslashes() leaving multiple slashes
Best Solution
In your php.ini file, odds are that the magic_quotes_gpc
directive is set to On. This should be disabled for security reasons. If you don't have access to the php.ini file (e.g. on a shared host), you can always accomplish the same using an .htaccess directive (assuming this is an Apache server).
In your php.ini:
magic_quotes_gpc = Off
In an .htaccess file:
php_flag magic_quotes_gpc Off
Why is this happening?
The reason this is happening is due to the following course of logic.
- A string that needs escaping is sent to the server.
  This is my string. It's awesome.
- Magic Quotes escapes the apostrophe before it gets to your code.
  This is my string. It\'s awesome
- mysql_real_escape_string now has two characters to escape, the backslash (escaped as \\) as well as the apostrophe (escaped as \').
  This is my string. It\\\'s awesome
- This new super-escaped string is stored in the database.
- When the string is retrieved from the database, it gets passed to stripslashes. This removes the two escapes added in step 3, but since one of the backslashes has been escaped, stripslashes thinks it belongs.
  This is my string. It\'s awesome
This problem can really get out of hand when you re-submit these strings to the database, as each time the number of backslashes multiplies.
Alternative Solution
A quick-and-easy alternative would be to simply remove the slashes added by magic_quotes before passing the string to mysql_real_escape_string.
$str = stripslashes($_POST['str']);
$str = mysql_real_escape_string($str);
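The chain described above, reproduced as an added example that is not part of the original answer. It runs on a current PHP with no MySQL server: magic_quotes_gpc is simulated with addslashes(), which is what the directive applied to request data, and escapeLikeMysql() is an assumed stand-in for mysql_real_escape_string() (which needs a live connection) that escapes the same seven characters. decodeMysqlLiteral() models the server parsing the quoted literal, which is why the row ends up holding one spurious backslash rather than the three you see in the query string.

```php
<?php
declare(strict_types=1);

// Assumed stand-in for mysql_real_escape_string(): escapes the same characters
// (NUL, newline, carriage return, backslash, single quote, double quote, Ctrl-Z).
function escapeLikeMysql(string $s): string
{
    return strtr($s, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\Z',
    ]);
}

// Models the MySQL server parsing a quoted literal: one level of escaping is
// removed before the value is stored, so the row never holds the literal form.
function decodeMysqlLiteral(string $literal): string
{
    return strtr($literal, [
        '\0'   => "\0",
        '\n'   => "\n",
        '\r'   => "\r",
        '\\\\' => '\\',
        "\\'"  => "'",
        '\\"'  => '"',
        '\Z'   => "\x1a",
    ]);
}

// Buggy pipeline from the question: magic_quotes_gpc (addslashes) has already
// escaped $_POST, the code escapes again, the server decodes once. Returns the
// value as it sits in the row, which is also what the page prints back.
function buggyRoundTrip(string $posted): string
{
    $afterMagicQuotes = addslashes($posted);
    $literal = escapeLikeMysql($afterMagicQuotes);
    return decodeMysqlLiteral($literal);
}

// Fixed pipeline: undo magic quotes when they are on, then escape exactly once.
// $magicQuotesOn stands in for the get_magic_quotes_gpc() check.
function fixedRoundTrip(string $posted, bool $magicQuotesOn = true): string
{
    // What $_POST holds under each setting.
    $field = $magicQuotesOn ? addslashes($posted) : $posted;
    if ($magicQuotesOn) {
        $field = stripslashes($field);
    }
    return decodeMysqlLiteral(escapeLikeMysql($field));
}

$input = "This is my string. It's awesome";

// Re-submitting the stored value (the form re-fill case) compounds the damage.
$value = $input;
foreach ([1, 2, 3] as $submission) {
    $value = buggyRoundTrip($value);
    printf("buggy, submission %d: %s\n", $submission, $value);
}

printf("fixed: %s\n", fixedRoundTrip($input));
printf("fixed, magic quotes off: %s\n", fixedRoundTrip($input, false));
```

Run it with the php CLI: the buggy loop shows one, three and seven backslashes before the apostrophe after successive submissions, while the fixed pipeline stores the apostrophe with none. Both mechanisms are gone from current PHP (magic_quotes_gpc since 5.4, the mysql extension since 7.0), which is one more reason to bind parameters instead of escaping at all.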
Confusion about mysql_real_escape_string and strip_slashes
Thank you everyone for the answers. I will award the +50 out, but I wanted to tell my real solution here, all which people did help with...
I was performing mysql_real_escape_string
on all of the data AS SOON as it posted (before any processing). So, a slash was added to escape the '
character that was submitted. This, we know is normal.
However, there was no reason that the backslash \
should show up in the DB entry, right? The escape was there to be sure the '
was entered.
Turns out, AFTER escaping, I would then save the variable to be reloaded to the page in the session, in case the user had an error that PHP found while validating all of the form fields. In this case, the user's input (formerly O'riley) was now printed to their screen as O\'riley. Then, the user didn't catch this, so they would often just fix their error that PHP caught during validation (unrelated to the name field), and thus the O\'riley would land in the database because mysql_real_escape_string would escape the characters.
Lesson:
When processing a form, FIRST save data for form-refill use. SECOND validate form fields. THIRD escape the data for processing into the database.
Or better yet, use PDO and avoid this =).
Comments welcome. THANKS ALL!
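The three-step order from the lesson, as an added example that is not the poster's code. It uses PDO with an in-memory SQLite database so it runs without MySQL (it assumes the pdo_sqlite extension is loaded); the table, the form fields and the e-mail validation rule are invented for the demo, and $session is a plain array standing in for $_SESSION.

```php
<?php
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');

// FIRST: keep the raw values for refilling the form. SECOND: validate.
// THIRD: hand the raw values to the driver as bound parameters.
// Nothing is escaped on the way in, so nothing has to be unescaped later.
function handleForm(PDO $pdo, array $post, array &$session): array
{
    $session['form'] = $post;

    $errors = [];
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid e-mail address';
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }

    $stmt = $pdo->prepare('INSERT INTO people (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $post['name'], ':email' => $post['email']]);
    unset($session['form']);
    return ['ok' => true, 'id' => (int) $pdo->lastInsertId()];
}

// Escaping belongs to the output context. Refilling the form means HTML, so the
// HTML encoder is applied here, at output time, and only here.
function refillField(array $session, string $field): string
{
    $value = $session['form'][$field] ?? '';
    return sprintf(
        '<input name="%s" value="%s">',
        htmlspecialchars($field, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
    );
}

// Reads the row back through a bound parameter as well; no stripslashes() anywhere.
function storedName(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT name FROM people WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

// Constructed request: apostrophe in the name, invalid e-mail, so the first
// submission is bounced back to the user with the name field refilled.
$session = [];
$post = ['name' => "O'Riley", 'email' => 'not-an-address'];

$result = handleForm($pdo, $post, $session);
if (!$result['ok']) {
    echo refillField($session, 'name'), "\n";
    $post['email'] = 'oriley@example.com';   // the user corrects only the flagged field
    $result = handleForm($pdo, $post, $session);
}

if ($result['ok']) {
    echo storedName($pdo, $result['id']), "\n";
}
```

The refill markup carries the apostrophe as an HTML entity, so the browser shows O'Riley with no backslash, and the row holds O'Riley exactly as typed; submitting the same value again stores the same thing, because the driver sends the value separately from the SQL text instead of splicing it into a quoted literal.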
mysql_real_escape_string() leaves slashes to my image tag when re submitting page
// Undo magic quotes first, otherwise the value is escaped twice.
// (get_magic_quotes_gpc() always returns false from PHP 5.4 on and was removed in PHP 8.0.)
if (get_magic_quotes_gpc()) {
    $a = stripslashes($a);
}
// Escape once for use inside a quoted SQL literal. mysql_real_escape_string()
// needs an open connection; mysql_escape_string() is the connection-less fallback
// (both were removed in PHP 7.0 together with the mysql extension).
if (function_exists('mysql_real_escape_string')) {
    $query = mysql_real_escape_string($a);
} else {
    $query = mysql_escape_string($a);
}
mysqli_real_escape_string() adds slashes on database insert
To remove slashes, always use stripslashes:
$title = ucwords(strtolower(stripslashes($_POST["title"])));
$article = stripslashes($_POST["article"]);
need to call mysql_real_escape_string() twice
I decided to use a heredoc and output to a file to determine what effect, if any, my first call to mysql_real_escape_string() was having. I used the following code -- the php variable "theTextWithManyQuotes" was read from user input, it was a text string such as
"Isn't O'Malley's parents' children's "choices" atypical"
// Escaped for a SQL literal, then written verbatim into HTML.
$theTextWithManyQuotes = mysql_real_escape_string($_POST['userInput']);
$html = <<<HEREDOC
<!DOCTYPE html>
<html>
<body>
<textarea readonly name="adPreviewText" id="adPreviewText" rows="4" cols="60"
style="border: none; border-style: none">$theTextWithManyQuotes</textarea>
</body>
</html>
HEREDOC;
file_put_contents("testfileonly", $html);
I then dumped the $html variable to a file by way of file_put_contents() and opened the "testfileonly" file -- and the backslashes were in fact present in the text.
My surmise is that when I build a mysql query string and it contains escaped text strings that were escaped by a single call to mysql_real_escape_string(), the database somehow 'hides' the backslashes so that they're not visible in phpMyAdmin when looking at the database record.
The fact that my heredoc's contents, when output to a file, show that the backslashes are present proved to me that only a single call to mysql_real_escape_string() was required, and that the mysql database is somehow not showing (or stripping?) the backslashes in the database records. When the data is read back out of the database, no call to stripslashes() is required; the backslashes are not present in the text strings when read back out from the database.