For my CMS I am using TinyMCE for a text editor to edit just the text put on a site. So people with limited html knowledge can still edit the content effectively.

My issue is that I have it set up so the content is stored in the database, and to prevent sql injection it is run through the mysqli_real_escape_string before it is stored in the database. I also have it run through stripslashes, because otherwise when you reopen it with TinyMCE for whatever reason it messes up the urls in links...😕

In any case, after being stored in the database my end result is the html script...and a bunch of leftovers from the mysqli_real_escape_string. Is there any way to reverse what the mysqli_real_escape_string inserts into the code when it is printed on the site, and when it is printed in the editor?

    The slashes from the escape function do not end up in the database, just as the slashes used to escape quotes within a PHP quoted string do not get output in an echo statement. If you have backslashes inserted into your actual data, then most likely your system has magic_quotes_gpc turned on, and therefore your escape function is escaping the backslashes inserted by magic quotes.

    The best solution would be to turn off magic_quotes_gpc if possible, otherwise use stripslashes() on the input data before applying mysqli_real_escape_string() to it. You can use the [man]get_magic_quotes_gpc[/man] function to test if it is turned on, e.g.:

    if (get_magic_quotes_gpc())
    {
        // Undo the slashes PHP's magic quotes added to the request data
        foreach ($_POST as $key => $val)
        {
            $_POST[$key] = stripslashes($val);
        }
    }
    

      Sounds to me like you are not running your mysql_real_escape_string and stripslashes at the right time. I'm not really sure what the data flow is in your site though, so it's difficult to figure it out.

      If you organize your code properly, it should never be necessary to reverse mysql_escape_string. I'm not sure why you are using stripslashes but my guess is that you are trying to reverse magic_quotes. You should be more careful about that too.

      Generally speaking, you should only use stripslashes to get rid of magic quotes if [man]get_magic_quotes_gpc[/man] returns true.

      Also, you should only run [man]mysql_real_escape_string[/man] ONCE on your data RIGHT BEFORE you insert it into your database and ONLY AFTER you have already stripslashed the text and ONLY IF the field is a text field.
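To make that ordering concrete, here is an added PHP example (not code from the thread or from any of its participants) that applies the rule above: stripslashes() only when magic quotes are actually on, then mysqli_real_escape_string() exactly once, right before the SQL is built. The function names normalize_request_input(), update_content_text() and escape_like_mysqli() are assumed; escape_like_mysqli() is a constructed emulation of the backslash escaping mysqli_real_escape_string() performs, used only so the trace of the wrong order runs without a database connection.

```php
<?php
// Added example, not code from the thread. Function names are assumed.

// 1. Undo magic_quotes_gpc only when PHP really added the slashes.
//    get_magic_quotes_gpc() was removed in PHP 8, so the call is guarded;
//    on PHP 8 there are no magic quotes and the input is returned untouched.
function normalize_request_input(array $input): array
{
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$magic) {
        return $input;
    }
    return array_map(
        fn($v) => is_array($v) ? normalize_request_input($v) : stripslashes($v),
        $input
    );
}

// 2. Escape once, right before the value is placed inside a quoted SQL literal.
//    This is the non-prepared-statement path; $id is typed int so it cannot
//    carry anything but a number into the query.
function update_content_text(mysqli $dbc, int $id, string $text): bool
{
    $escaped = mysqli_real_escape_string($dbc, $text);
    $q = "UPDATE content SET text='{$escaped}' WHERE content_id={$id} LIMIT 1";
    return (bool) mysqli_query($dbc, $q);
}

// 3. Constructed emulation of the escaping mysqli_real_escape_string() applies
//    (NUL, \n, \r, backslash, quotes, Ctrl-Z). strtr() with an array replaces in
//    a single pass, so already-inserted backslashes are not escaped again.
function escape_like_mysqli(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\r"   => "\\r",
        "\n"   => "\\n",
        "\0"   => "\\0",
        "\x1a" => "\\Z",
    ]);
}

// Constructed TinyMCE-style input containing a CRLF between two paragraphs.
$html = "<p>line one</p>\r\n<p>line two</p>";

// The thread's order: escape, then strip. stripslashes() removes the backslash
// that was protecting \r and \n, so only the letters r and n survive.
$wrong = stripslashes(escape_like_mysqli($html));
// $wrong === '<p>line one</p>rn<p>line two</p>'

// Escape once and strip nothing: the literal backslash sequences reach MySQL,
// which decodes \r\n back to a real CRLF when it stores the row.
$right = escape_like_mysqli($html);
// $right === '<p>line one</p>\r\n<p>line two</p>'   (single-quoted: backslashes are literal)
```

The trace shows where the "r's and n's" in the original question come from: they are the remains of escaped newlines after the backslash was stripped off, not something that needs to be reversed at display time.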

        I must have not explained myself very well.
        The stripslashes is being used to escape the magic_quotes.

        if (isset($_POST['submitted'])) {

            $errors = array();

            if (empty($_POST['content'])) {
                $errors[] = 'You have to write something...';
            } else {
                // Escape first, then strip the slashes again
                $t2 = mysqli_real_escape_string($dbc, $_POST['content']);
                $t = stripslashes($t2);
            }

            if (empty($errors)) { // If everything's OK.

                // Make the query:
                $q = "UPDATE content SET text=?  WHERE content_id=$id LIMIT 1";
                $stmt = mysqli_prepare($dbc, $q);
                mysqli_stmt_bind_param($stmt, 's', $t);
                mysqli_stmt_execute($stmt);
            }
        }
        

        The end result though will have r's and n's throughout the code from the mysqli_real_escape_string.
        I have tried it where it goes through the stripslashes first and then the mysqli_real_escape_string, but it won't run the query for some reason..

          Use stripslashes() before using mysqli_real_escape_string(), and only if get_magic_quotes_gpc() returns true. Actually, you do not need to use mysqli_real_escape_string() since you are using a prepared statement.

            laserlight;10881017 wrote:

            Use stripslashes() before using mysqli_real_escape_string(), and only if get_magic_quotes_gpc() returns true. Actually, you do not need to use mysqli_real_escape_string() since you are using a prepared statement.

            when I put the stripslashes before it won't run the query to insert it into the database for some reason.

            I thought you were always supposed to use mysqli_real_escape_string() when inputting data into the database?

              The bind_param function does its own escaping as applicable, so if you escape_string the value first, you are, in effect, escaping it twice.
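As an added example (not the code of anyone in this thread), here is the original handler rewritten the way the replies above recommend: the content is bound once through mysqli_stmt_bind_param() with no mysqli_real_escape_string() call at all, magic quotes are undone only when PHP actually added them, and the content_id is bound as well instead of being interpolated into the query. The function name save_content() and the connection variable $dbc are assumptions.

```php
<?php
// Added example, not code from the thread. save_content() is an assumed name.
function save_content(mysqli $dbc, int $id, string $rawContent): bool
{
    // Reverse magic quotes only if PHP added them. The function was removed in
    // PHP 8, so guard the call; on PHP 8 the input is used as received.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $rawContent = stripslashes($rawContent);
    }

    // No mysqli_real_escape_string() here: a bound parameter is sent to the
    // server separately from the SQL text, so it is never parsed as part of
    // the statement. Escaping it first would store literal backslashes.
    $stmt = mysqli_prepare(
        $dbc,
        "UPDATE content SET text = ? WHERE content_id = ? LIMIT 1"
    );
    if ($stmt === false) {
        return false;
    }

    // 's' for the HTML text, 'i' for the numeric id; both values travel as data.
    mysqli_stmt_bind_param($stmt, 'si', $rawContent, $id);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    return $ok;
}

// Usage inside the form handler (request values are constructed by the browser):
// if (isset($_POST['submitted']) && !empty($_POST['content'])) {
//     $saved = save_content($dbc, (int) $_GET['id'], $_POST['content']);
// }
```

Because the stored text is exactly what TinyMCE submitted, nothing has to be "reversed" when it is printed on the site or loaded back into the editor; the only transformation left is the one the output context needs (for example htmlspecialchars() when the HTML is placed inside a textarea).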

                🙂

                If this thread is resolved, please use the thread tools to mark it so.
