mysql_real_escape_string() help

wpt394

Greetings all,

I had recently posted a thread about using mysql_real_escape_string(), and someone told me to disable magic quotes gpc. So, I went ahead and did that, but my problems haven't really gone away.

I'm letting users submit comments on my site, which are then inserted to my sql database. I'm trying to prevent against SQL injection attacks, and am looking for the best way to do it. I have been wrapping the comments in a mysql_real_escape_string() call, but the data inserted into the database contain all the prepended back slashes.

Do I just have to use some sort of "remove slashes" function when I query the data back out of the database, or is there a better solution?

laserlight

I had recently posted a thread about using mysql_real_escape_string(), and someone told me to disable magic quotes gpc. So, I went ahead and did that, but my problems haven't really gone away.

Did you remember to restart the web server? Are you sure the setting really is changed, e.g., did you check with phpinfo()?

I have been wrapping the comments in a mysql_real_escape_string() call, but the data inserted into the database contain all the prepended back slashes.

You might want to show the smallest and simplest PHP code, SQL code, and data that demonstrates the problem.

Do I just have to use some sort of "remove slashes" function when I query the data back out of the database, or is there a better solution?

No, you do not have to use stripslashes() if magic_quotes_gpc is off.

wpt394

I have done a phpinfo and yes, magic_quotes_gpc is now off.

Here is a sample of what I'm trying to do...


$comment = mysql_real_escape_string($_POST['comment']);
$name = mysql_real_escape_string($_POST['name']);

$query = "INSERT INTO commenttable VALUES ('$comment','$name)";
$result = mysql_query($query) or die(mysql_error());

Suppose $_POST['comment'] is:

This didn't work

What happens is that in the database, it looks like:

This didn\'t work

So when I do something like:

$result = mysql_query("SELECT * FROM commenttable") or die(mysql_error());

while($row = mysql_fetch_array( $result )) {

echo $row['comment'];

}

the comment appears with the prepended backslash, forcing me to use strip slashes to make it look right.

What am I missing here? Thanks...

laserlight

hmm... that is bizarre since the code is behaving as if magic_quotes_gpc is on.

On a hunch concerning external interference: when you say "What happens is that in the database, it looks like: This didn\'t work", did you check using some database tool, or is this just your conclusion based on the actual output?

That is, is it possible that some external script could have modified the data to and/or from the database server?