[RESOLVED] Apostrophe problem while using mysql_real_escape_string

MystedVeil

I currently have a news form that submits to 4 different areas of the site (dev, site, sl and announcements).

In my process form it goes to the database as :

if(isset($_POST['submitNews1'])){
$Title = mysql_real_escape_string($_POST['Title']); 
$Message = mysql_real_escape_string($_POST['Message']); 
$Category = mysql_real_escape_string($_POST['Category']); 
$User = mysql_real_escape_string($_POST['User']); 

$query = "INSERT INTO News (Date, Title, Message, Category,  User) values(now(), '$Title' ,'$Message',  '$Category', '$User')";  

        $result = @mysql_query ($query); // Run the query.

        if ($result) { // If it ran OK.
echo "$message_News1";
			}
        mysql_close(); 
}

I display it as:

<?php
$result = mysql_query("SELECT *, DATE_FORMAT(Date, '%M %D, %Y @ %r') AS Date FROM News WHERE Category='Development' ORDER BY ID DESC Limit 0,5");
echo mysql_error();  

if (mysql_num_rows($result)) 
while($row = mysql_fetch_array($result)) {
$Message= nl2br($row["Message"]);
?>

			<table width="100%" border="0" cellspacing="5" cellpadding="5" class="news">
			<tr><td align="center" class="newsH1">-- <?PHP echo $row['Title']; ?> --</td></tr>
			<tr><td align="center" class="citation">Posted by: <?PHP echo $row['User']; ?> on <?PHP echo $row['Date']; ?></td></tr>
			<tr><td valign="center">&nbsp;</td></tr>
			<tr><td align="left">
	<?PHP echo $row['Message']; ?>
			</td></tr>
			</table>
<br/>

<?php
	}
?>

All articles are going into the database as "I\m working on this!".
All articles when being displayed return as "I\m working on this!" instead of "I'm working on this". I can't figure out the problem as it just started doing this today. Up until then it worked fine.

bradgrafelman

Do a phpinfo() and check the value of magic_quotes_gpc - is it enabled? If so, do you have access to modify (or create your own) php.ini file or use a .htaccess file to disable this directive?

MystedVeil

How exactly do I check the phpinfo()

MystedVeil

Got it, they are disabled and I can modify my php.ini through the Control Panels QuickConfig

MystedVeil

I feel like a dweeb.

I replaced

<?PHP echo $row['Message']; ?>

with

<?php echo stripslashes($Message); ?>

bradgrafelman

MystedVeil;10962787 wrote:
I feel like a dweeb.

I replaced
<?PHP echo $row['Message']; ?>
with
<?php echo stripslashes($Message); ?>

But that is just a workaround; the data in the DB itself should not contain a backslash - that suggests that you have other problems (e.g. double escaping).

MystedVeil

True enough. Right now I wanted it to at least view right on the site itself while I work on fixing how it is going into the database.

MystedVeil

I removed the work around. Now I haven't messed with the form process itself at all to this point but something odd has happened. When inserting an update dev article letting them know the problem was being worked on it submitted properly. It is like it resolved itself or my server had a hiccup.