Addslashes or ...

zzz

I have a text form field. I have noticed that if a user puts in a single quote in the input text I get a MySQL error. So I put addslashes.

$data = addslashes($_POST['my_data']);

The error went away but when I look in the db I see that the data was input without any slashes. Also when I echo that data from my db back it prints ok, but if I echo it back into the form field It cuts it at the quote.

Need a bit of guidance here.

:rolleyes:

Plasma

You need to remove the quote if your putting it back in the form field - stripslashes()

zzz

I tried that, but it doesn't do anything different. If I have an input O'Connor and input it into my db as addslashed($_POST['myfield']) I still see only O'Connor in my db and not O\'Connor... I need to check my code -- this doesn't make any sense.

zzz

Freaky, I just ran an experiement. See below.

laserlight

If you can, use prepared statements with mysqli or the PDO extension.

If not, use [man]mysql_real_escape_string/man,keeping magic_quotes_gpc set to Off.

If I have an input O'Connor and input it into my db as addslashed($_POST['myfield']) I still see only O'Connor in my db and not O\'Connor... I need to check my code -- this doesn't make any sense.

Why would "O\'Connor" be stored instead of "O'Connor"? After all, hasnt the single quote been escaped?

Note also that doubling the single quote is the standard way to escape it in SQL, but here MySQL differs from standard SQL (though allows for that option).

zzz

I took my form submission and after I added slashed I also added it to the session to see what is it that I input. After I echoed it back I see that my session data comes as O\'Connor but my db data only O

zzz

I just checekd and get_magic_quotes_gpc() is set to OFF.