Quick mysql_real_escape_string question.

  • Mandragon03@gmail.com

    Quick mysql_real_escape_string question.

    I am using mysql_real_escape_string for the input of a form before it
    is updated into the mysql database. Something like this:

    $realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
    $id = intval($_POST['ID']);
    $UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";


    This is on a form that allows you to edit the textarea. The problem I
    am running into is that it keeps adding more slashes every time it is
    updated so the database field looks something like this:


    \\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"

    Each time I run the code it adds more slashes. Is there a way to keep
    it from doing that while still protecting from sql injection?

    Thanks for your time!
  • Jerry Stuckle

    #2
    Re: Quick mysql_real_escape_string question.

    Mandragon03@gmail.com wrote:
    > I am using mysql_real_escape_string for the input of a form before it
    > is updated into the mysql database. Something like this:
    >
    > $realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
    > $id = intval($_POST['ID']);
    > $UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";
    >
    >
    > This is on a form that allows you to edit the textarea. The problem I
    > am running into is that it keeps adding more slashes every time it is
    > updated so the database field looks something like this:
    >
    >
    > \\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"
    >
    > Each time I run the code it adds more slashes. Is there a way to keep
    > it from doing that while still protecting from sql injection?
    >
    > Thanks for your time!
    >
    You probably have magic_quotes_gpc enabled on your server. Disable it.
    It never worked correctly, and, from what I understand, it is going to
    be removed in PHP 6.0.

    If you can't disable magic_quotes_gpc (i.e. shared host), you can use
    the following:

    // Undo the slashes magic_quotes_gpc added before escaping for SQL
    if (get_magic_quotes_gpc())
        $NewsHTML = stripslashes($_POST['NewsHTML']);
    else
        $NewsHTML = $_POST['NewsHTML'];
    $realHTMLText = mysql_real_escape_string($NewsHTML);

    (actually, if your host won't turn it off, I would suggest changing hosts).

    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.
    jstucklex@attglobal.net
    ==================
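
The slash build-up and the stripslashes() fix described above, as an added example that is not part of the original posts. magic_quotes_gpc is simulated with addslashes() and the escape-then-store round trip is modelled by hypothetical helpers, so it runs on current PHP versions where magic_quotes_gpc and mysql_real_escape_string() no longer exist.

```php
<?php
// Added illustration, not code from the thread. All function names below are
// hypothetical; the sample text is constructed. Requires PHP 7 or later.

// What PHP did to $_GET/$_POST/$_COOKIE values when magic_quotes_gpc was on.
function simulate_magic_quotes(string $raw): string {
    return addslashes($raw);
}

// Stand-in for mysql_real_escape_string() plus the server parsing the quoted
// literal: the escape layer added for SQL is consumed by the SQL parser, so
// the column receives exactly the string that was handed to the escaper.
function store_via_escaped_literal(string $value): string {
    $literal = addslashes($value);   // stand-in for mysql_real_escape_string()
    return stripslashes($literal);   // what ends up stored after parsing '...'
}

// One edit cycle: the textarea is pre-filled with the stored text, posted
// back, and saved. $normalize applies the stripslashes() step from the post.
function edit_cycle(string $stored, bool $magicQuotes, bool $normalize): string {
    $post = $magicQuotes ? simulate_magic_quotes($stored) : $stored;
    if ($normalize && $magicQuotes) {
        $post = stripslashes($post); // undo magic quotes before escaping
    }
    return store_via_escaped_literal($post);
}

// Repeat the edit cycle $n times and return the stored value after each save.
function run_cycles(string $text, int $n, bool $magicQuotes, bool $normalize): array {
    $history = [];
    for ($i = 0; $i < $n; $i++) {
        $text = edit_cycle($text, $magicQuotes, $normalize);
        $history[] = $text;
    }
    return $history;
}

$original = '"Hello, this is some text."';   // constructed sample input

echo "magic quotes on, escaped directly:\n";
foreach (run_cycles($original, 3, true, false) as $row) echo "  $row\n";

echo "magic quotes on, stripslashes() first:\n";
foreach (run_cycles($original, 3, true, true) as $row) echo "  $row\n";
```

With the stripslashes() step the stored text is identical after every cycle, and the value is still escaped once at the SQL boundary, so the injection protection the question asks about is unchanged.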


    • FutureShock

      #3
      Re: Quick mysql_real_escape_string question.

      Jerry Stuckle wrote:
      > Mandragon03@gmail.com wrote:
      >> I am using mysql_real_escape_string for the input of a form before it
      >> is updated into the mysql database. Something like this:
      >>
      >> $realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
      >> $id = intval($_POST['ID']);
      >> $UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";
      >>
      >>
      >> This is on a form that allows you to edit the textarea. The problem I
      >> am running into is that it keeps adding more slashes every time it is
      >> updated so the database field looks something like this:
      >>
      >>
      >> \\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"
      >>
      >> Each time I run the code it adds more slashes. Is there a way to keep
      >> it from doing that while still protecting from sql injection?
      >>
      >> Thanks for your time!
      >>
      >
      > You probably have magic_quotes_gpc enabled on your server. Disable it.
      > It never worked correctly, and, from what I understand, it is going to
      > be removed in PHP 6.0.
      >
      > If you can't disable magic_quotes_gpc (i.e. shared host), you can use
      > the following:
      >
      > if (get_magic_quotes_gpc())
      >     $NewsHTML = stripslashes($_POST['NewsHTML']);
      > else
      >     $NewsHTML = $_POST['NewsHTML'];
      > $realHTMLText = mysql_real_escape_string($NewsHTML);
      >
      > (actually, if your host won't turn it off, I would suggest changing hosts).
      >
      I had a similar problem so I turned it off in the .htaccess file.

      Open up or create a new .htaccess file and insert the following:

      php_flag magic_quotes_gpc off

      You can use this file on a per-directory basis, not necessarily for the
      entire site, if you don't want.


      • Jerry Stuckle

        #4
        Re: Quick mysql_real_escape_string question.

        FutureShock wrote:
        > Jerry Stuckle wrote:
        >> Mandragon03@gmail.com wrote:
        >>> I am using mysql_real_escape_string for the input of a form before it
        >>> is updated into the mysql database. Something like this:
        >>>
        >>> $realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
        >>> $id = intval($_POST['ID']);
        >>> $UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";
        >>>
        >>>
        >>> This is on a form that allows you to edit the textarea. The problem I
        >>> am running into is that it keeps adding more slashes every time it is
        >>> updated so the database field looks something like this:
        >>>
        >>>
        >>> \\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"
        >>>
        >>> Each time I run the code it adds more slashes. Is there a way to keep
        >>> it from doing that while still protecting from sql injection?
        >>>
        >>> Thanks for your time!
        >>>
        >>
        >> You probably have magic_quotes_gpc enabled on your server. Disable it.
        >> It never worked correctly, and, from what I understand, it is going to
        >> be removed in PHP 6.0.
        >>
        >> If you can't disable magic_quotes_gpc (i.e. shared host), you can use
        >> the following:
        >>
        >> if (get_magic_quotes_gpc())
        >>     $NewsHTML = stripslashes($_POST['NewsHTML']);
        >> else
        >>     $NewsHTML = $_POST['NewsHTML'];
        >> $realHTMLText = mysql_real_escape_string($NewsHTML);
        >>
        >> (actually, if your host won't turn it off, I would suggest changing
        >> hosts).
        >>
        > I had a similar problem so I turned it off in the .htaccess file.
        >
        > Open up or create a new .htaccess file and insert the following:
        >
        > php_flag magic_quotes_gpc off
        >
        > You can use this file on a per-directory basis, not necessarily for the
        > entire site, if you don't want.
        >
        The problem is - that may or may not work, depending on your host's
        settings, which is why I don't recommend it.

        --
        ==================
        Remove the "x" from my email address
        Jerry Stuckle
        JDS Computer Training Corp.
        jstucklex@attglobal.net
        ==================


        • Chat

          #5
          Re: Quick mysql_real_escape_string question.

          Mandragon03@gmail.com writes:
          > I am using mysql_real_escape_string for the input of a form before it
          > is updated into the mysql database. Something like this:
          >
          > $realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
          > $id = intval($_POST['ID']);
          > $UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";
          >
          >
          > This is on a form that allows you to edit the textarea. The problem I
          > am running into is that it keeps adding more slashes every time it is
          > updated so the database field looks something like this:
          >
          >
          > \\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"
          >
          > Each time I run the code it adds more slashes. Is there a way to keep
          > it from doing that while still protecting from sql injection?
          >
          > Thanks for your time!

          Did you search the web for magic_quotes / magic_quotes_gpc /
          magic_quotes_runtime?


          • Mandragon03@gmail.com

            #6
            Re: Quick mysql_real_escape_string question.

            On Aug 19, 7:42 pm, Mandrago...@gmail.com wrote:
            > I am using mysql_real_escape_string for the input of a form before it
            > is updated into the mysql database. Something like this:
            >
            > $realHTMLText = mysql_real_escape_string($_POST["NewsHTML"]);
            > $id = intval($_POST['ID']);
            > $UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID = $id";
            >
            > This is on a form that allows you to edit the textarea. The problem I
            > am running into is that it keeps adding more slashes every time it is
            > updated so the database field looks something like this:
            >
            > \\\\\\\\\\\"Hello, this is some text.\\\\\\\\\\\"
            >
            > Each time I run the code it adds more slashes. Is there a way to keep
            > it from doing that while still protecting from sql injection?
            >
            > Thanks for your time!

            Ah I see - I have a home server I am testing things on (WAMP) and that
            is where the problem is. I should have thought of that. Thank you for
            taking the time to reply.
