$_SESSION driving me crazy

anakadote

my problem is that everytime I call a script that requires $SESSION['name'] the value changes when there is a single quote. How am i changing the value of $SESSION?? i don't want to.

starting the session:

<?php //script 1
$query = "SELECT id, name FROM carfireUsers WHERE login='$l' AND password='$p'";
$result = mysql_query($query);
$row = mysql_fetch_array($result);

session_start();
$_SESSION['name'] = $row[1];

//$_SESSION['name'] = O'Hern

<?php //script 2

session_start();

$name = $_SESSION['name'];

//
// then i make some queries using $name
//

$name = mysql_escape_string($name);
$message = $name . ' > <font color="#666666">' . $message . '</font><br><br>';

$sql = "INSERT INTO CFmessages (message, userOne, userTwo) VALUES ('$message', '$name', '$link')";
$result = mysql_query($sql) or die("1" . mysql_error());

now after this the value of $_SESSION['name'] becomes O\'Hern

How is this??

devinemke

because of this line:

$name = mysql_escape_string($name);

that is precisely what [man]mysql_escape_string[/man] does, it escapes all of the quotes to prevent SQL injection. you can always remove them using [man]stripslashes[/man] or better yet just run a copy of the var thru [man]mysql_escape_string[/man] to be used in the query thus leaving the orginal untouched.

toplay

FYI - devinemke is correct of course. I just want to add that you check magic quotes first - see this post:

http://www.phpbuilder.com/board/showpost.php?p=10648400&postcount=9

halojoy

Hello

this is a common problem
when people does not handle php settings and coding in best way

I have
magic_quotes OFF
and as I do not use MySQL,
I have little problems with storing data strings in files and reading back.

I use FLAT File Saving: fwrite( $fp, "wb" )
Otherwise you have to doing some handling with stripslashes and/or addslashes
to satisfy MySQL and when doing display of text

###################

I have answered to this issue already
two times in my short membership at this forum.
I have done research in this matter in another forum, before this.

You will find some good links in these topics,
explaining about magic, quote and slash
and how is good (best) way to do this with PHP.

-----> quotes & other characters causing problems in form
http://www.phpbuilder.com/board/showthread.php?t=10303476

-----> problem with addslashes /stripslashes
http://www.phpbuilder.com/board/showthread.php?t=10302625

halojoy - has got no problems with this issue
... after educating him self in this matter