On my server magic_quotes_gpc are on.

The PHP manual says that I don't need to use addslashes() if magic_quotes_gpc is on:

The PHP directive magic_quotes_gpc is on by default, and it essentially runs addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on strings that have already been escaped with magic_quotes_gpc as you'll then do double escaping.

However, if I don't use addslashes(), all texts in my DB look like this:

"text", 'text'

and not like this:

\"text\", \'text\'

Is this normal?

    Hmm, I just discovered that the function addslashes() for some reason doesn't work.

      Can somebody explain how it is possible that addslashes works, but the text is submitted to the database as it is?

      $descr = "This is 'my' test";
      $descr = addslashes($descr);   // escapes the single quotes with backslashes
      
      echo $descr; // This is \'my\' test
      
      // $id is assumed to be set earlier in the script
      $apd = mysql_query("UPDATE profiles SET ptext='$descr' WHERE id='$id'");
      
      echo $descr; // This is \'my\' test

      Everything correct so far. Now I check my database and see that it contains:

      This is 'my' test

      instead of

      This \'is\' my test

      Does it mean that MySQL in some way strips slashes itself?

        You should not replace mysql_real_escape_string with addslashes to avoid SQL injection.
        If this server config is ON, you need to see slashes before the quotes. If not, you can test with a simple form and $_POST. If you use addslashes on an escaped value, you then need to see double-escaped characters.

        If magic quotes is on, use

        mysql_real_escape_string(stripslashes($input));

        on your user inputs.

        When you build a query string for the database, \' and \" are converted into ' and " when this value is inserted into the table, so you will see normal ' and " signs when you query the data.

          djjjozsi, thank you very much for your reply.

          I replaced addslashes with mysql_real_escape_string as you suggested.

          I tried mysql_real_escape_string before, but the same happened as with addslashes - when I checked the table using PHPMyAdmin, I saw normal ' and " signs instead of \' and \". I didn't know that it's normal.

            guanche wrote:

            when I checked the table using PHPMyAdmin, I saw normal ' and " signs instead of \' and \". I didn't know that it's normal

            Why wouldn't that be normal? If I entered my name as Bill O'Reilly in a form, would you rather it greet me as Bill O\'Reilly?

            Also, as for magic_quotes_gpc, here's a quick rundown of some things you should know:

            • Never use it, and never rely on it. It's a setting that can be changed from one server to the next (or even on the same server after an upgrade).

            • It's not useful. Automatically (or "magically") having all incoming data be escaped is far from useful - it's destructive. You destroy data integrity in that you can't easily access the actual data without using some sort of transforming function (e.g. stripslashes()).

            • It doesn't do what you think it does. It is NOT to be used for preparing incoming data for use in SQL queries - that's what the SQL-specific escape functions (e.g. mysql_real_escape_string()) are for. Note that addslashes() and the aforementioned SQL escape function are not identical - they don't perform the same operations!

            • It's been deprecated for some time now. In fact, as of PHP5 it was disabled by default (perhaps even before - can't remember), and as of PHP6 it's not even an option at all.

            Also, don't forget to mark this thread resolved (if it is) using the link under Thread Tools.
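As an added illustration of the three values this thread keeps confusing (what the user typed, what $_POST holds under magic_quotes_gpc, and what MySQL actually stores), here is example code that is not from any poster in the thread. It uses only string functions so it runs without a database; the raw_input() and sql_literal() helpers and the stored_value() simulation of MySQL's literal parsing are assumptions of this example, not a project API.

```php
<?php
// Added example, not code from the thread. It demonstrates why a row
// stored via an escaped literal contains plain quotes, and why escaping
// a magic-quoted value a second time corrupts the stored data.

// Undo magic_quotes_gpc so we always start from the literal text.
// get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists guard.
function raw_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Build a quoted SQL literal. With a live connection you would call
// mysql_real_escape_string($raw, $link) here (or use a prepared statement);
// addslashes is used only so this example runs offline. It is not
// charset-aware and must not be used for real query building.
function sql_literal($raw) {
    return "'" . addslashes($raw) . "'";
}

// Simulate what MySQL's parser does with a quoted literal: the backslash
// escapes are consumed, so the stored row holds the unescaped text again.
function stored_value($literal) {
    return stripslashes(substr($literal, 1, -1));
}

$typed = "Bill O'Reilly";      // what the user entered in the form
$gpc   = addslashes($typed);   // what $_POST holds when magic_quotes_gpc = On

// Wrong: escaping the already-escaped value produces a double-escaped
// literal, and the stored row ends up containing a literal backslash.
$wrong = sql_literal($gpc);
echo "double-escaped literal: $wrong\n";
echo "row would contain:      " . stored_value($wrong) . "\n";

// Right: strip the magic-quote layer first, then escape exactly once.
// The stored row then equals $typed, which is what phpMyAdmin showed.
$right = sql_literal(stripslashes($gpc));
echo "single-escaped literal: $right\n";
echo "row would contain:      " . stored_value($right) . "\n";

// In a real request handler you would write:
//   $literal = sql_literal(raw_input($_POST['ptext']));
// so the value reaches the escaping step exactly once, whatever the
// server's magic_quotes_gpc setting is.
```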
