I want to input form data, display it for the user to edit, and then write it to the db. When I display for edit, I pass the data via hidden fields. I can't get the right combination of addslashes and stripslashes.

I need the slashes in to pass the data, but I don't want the slashes to show to the user.

Does anyone have the right combination to do this?

<?php

$quotes = get_magic_quotes_runtime();
$q2 = get_magic_quotes_gpc();

$status .='magic quotes runtime - '.$quotes.', magic quotes gpc - '.$q2.'<br>'; //0,1 - & I can't change them.

if (isset($submitProduct)) {

$status .='<b>submit for error checking section.</b><br>';

foreach ($_POST as $key => $value) {
$value = stripslashes($value);
$status .='key -> '.$key.', value -> '.$value.' <br>';
}

$status .='<FORM ACTION= ' . ($PHP_SELF) . ' METHOD=POST>
<input type=\'hidden\' name=\'descr\' value=\''.$descr.'\'>
<p>
To edit: <input type=\'submit\' name=\'displayform\' value=\'edit Product\'>
<p>To Save: <input type=\'submit\' name=\'write\' value=\'write Product\'></form>
';

} //isset submitProduct

if (isset($write)) {
$status .='<b>save data section</b><br>';

foreach ($_POST as $key => $value) {
$status .='key -> '.$key.', value -> '.$value.' <br>';
}

} // isset write

if (isset($displayform)) {
foreach ($_POST as $key => $value) {
$status .='key -> '.$key.', value -> '.$value.' <br>';
}

$descr = stripslashes($descr);
$status .= '
<FORM ACTION= ' . ($PHP_SELF) . ' METHOD=POST>
<textarea name=\'descr\' cols=\'40\' rows=\'3\' wrap=\'soft\'>'.$descr.'</textarea>
<p><input type=\'submit\' name=\'submitProduct\' value=\'Add Product\'></form>
';
} // isset displayform

$status .= '<p><a href=\'' . ($PHP_SELF) . '?displayform=1\'>display the form</a>';

// display sections

echo $status;

?>

    I'd have to run your code to get a good feel for what's going on.

    however:

    you addslashes prior to saving in the database

    you stripslashes after retrieving from the database

    You seem to be stripping them prior to displaying on the form and you don't need to do that.

    I wonder if you are also getting muddled with urlencode and urldecode?

      • [deleted]

      "you addslashes prior to saving in the database

      you stripslashes after retrieving from the database"

      Not quite correct, the slashes are not stored in the database so stripslashes() is not required.

      If magic_quotes is enabled, then all data from outside PHP is automatically 'slashed'. Data from the HTML form is slashed and addslashes is no longer required before inserting data into the database, but when reading from the database the data is also slashed so you have to use stripslashes().

      When magic_quotes is disabled you have to use addslashes() before inserting data into the database, but you don't have to use stripslashes() when reading from the database.

      The safest choice in my opinion is to completely disable magic_quotes and just use addslashes() when inserting, because that is the only time you actually need to have the slashes in there, just to make the query work.

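An added example, not code from any poster in this thread: the round trip the question describes (form input, hidden field, edit form, database write) with escaping chosen per output context instead of balancing addslashes() against stripslashes(). It goes beyond the replies by using htmlspecialchars() for the HTML and a PDO prepared statement for the insert; the function names, the `products` table and the in-memory SQLite database are assumptions, and the sample input is constructed.

```php
<?php
// Added example. Assumed names: from_request(), h(), hidden_field(), textarea(),
// save_descr(), table `products`. The sample input below is constructed.

// Undo magic_quotes_gpc slashing once, at the input boundary. The flag is
// passed in because get_magic_quotes_gpc() no longer exists in PHP 8.
function from_request(string $value, bool $magicQuotesGpc): string
{
    return $magicQuotesGpc ? stripslashes($value) : $value;
}

// HTML context: entity-encode, so a quote cannot end the attribute and the
// browser sends the original text back on the next POST.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function hidden_field(string $name, string $value): string
{
    return '<input type="hidden" name="' . h($name) . '" value="' . h($value) . '">';
}

function textarea(string $name, string $value): string
{
    return '<textarea name="' . h($name) . '" cols="40" rows="3">' . h($value) . '</textarea>';
}

// SQL context: bound parameter, so no addslashes() on write or stripslashes() on read.
function save_descr(PDO $db, string $descr): void
{
    $db->prepare('INSERT INTO products (descr) VALUES (?)')->execute([$descr]);
}

// Constructed sample: what PHP delivers for the typed text  It's a 6" <b>bolt</b>
// when magic_quotes_gpc is on.
$posted = 'It\\\'s a 6\\" <b>bolt</b>';
$descr  = from_request($posted, true);

echo hidden_field('descr', $descr), "\n";
echo textarea('descr', $descr), "\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (descr TEXT)');
save_descr($db, $descr);

$stored = $db->query('SELECT descr FROM products')->fetchColumn();
var_dump($stored === $descr); // compares the stored value with the unslashed input
```

Running it requires the pdo_sqlite extension; with a different driver only the DSN passed to `new PDO()` changes.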