addslashes anomoly in Update statement

sem_db

I'm having troubles figuring out the following....

$SQLUpdate = "UPDATE Admin SET" ." Admin.password = '".$password
."' WHERE Admin.pk_admin_id = ".$admin_id;

echo $SQLUpdate;

when I echo this string $SQLupdate i get the following

UPDATE Admin SET Admin.password = 'biol200g\'!' WHERE Admin.pk_admin_id = 5

BUUUUUUT when I perform this update, the odd character (') in
biol200g\'! appears without the backslash in the database!

In the database it simply looks like this: biol200g'! which is horribly incorrect because it should be biol200g\'!

please help>> J.

viveleroi0

check the manual for addslashes() and removeslashes(), I had the same problem but its as simple as parsing the variable through one of those

sem_db

Yes I checked for:

if (!get_magic_quotes_gpc()) {
$item = addslashes($item);
}

and as you can see the slash in front of the (') character IS THERE, but it somehow gets stripped out when the update statement completes. I have to add TWO slashes for the UPDATE statement to insert the correct value escaped by a backslash (ie. ').

Thanks for your original reply!

[deleted]

"BUUUUUUT when I perform this update, the odd character (') in
biol200g\'! appears without the backslash in the database!"

Ofcourse, because that is what you told the database to store.

You have to add the slash to prevent SQL from seeing the quote as part of the query, it does not get, and should not be, stored in the database at all.

sem_db

ooooh i see! so in the database it SHOULD look like this:

Biol200g'!

and NOT like this:

Biol200g\'!

Thanks For your help!!

You don't have to answer this,, but
...Then why would you need the stripslashes function?

sem_db

haahah i know why you would have strip slashes.. when you do this:

SELECT Admin.id where Admin.password LIKE stripslashes(password);

COOL!

[deleted]

"Then why would you need the stripslashes function?"

You wouldn't 🙂

But, if you enable magic-quotes-runtime, then all data from the
'outside world' is run through addslashes() automatically, including the data retreived from the database, in which case there will be an extra slash before the quote, and then you have to use stripslashes() to remove it.

sem_db

no that's not correct..
you wouldn't want to stripslashes in the select statement either!
oh the confusion..

gid

If you want to echo the data back to the user as confirmation or looks up a file that's named after that data, then you definitely do not want the slashes. Pretty much the only thing I use addslashes for is for database queries, if you not using a database, then magic_quotes can be darn annoying. I personally like it off, I've been coding php for 3.5 years now so I'm using to doing addslashes() on all my db data. 🙂

[deleted]

Indeed, I much prefer magic-quotes switched off too (all of them) and just use addslashes() when required, because you hardly ever require them in the first place.