Question

I'm using PHP and MySQL to power a basic forum. When users use the apostrophe (') or insert links into their post, the mysql_real_escape_string function is adding \ to the text. When displaying the post, the links don't work, and all the apostrophes have a \ before them.

Is the problem that I am not doing something before outputting the text or is the issue that I'm not cleaning the data properly before writing to MySQL?

Solution

Are magic quotes turned on? You can check quickly by creating a PHP page like so:

<?php var_dump(get_magic_quotes_gpc()) ?>

If the page says something like int(1), then the culprit isn't mysql_real_escape_string, but PHP itself. It was a security feature, but not very secure, and mostly just annoying. Before you sanitize each variable, you first need to undo the slashing with stripslashes.
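The double escaping described in this answer, as an added example that is not part of the original post. `addslashes()` stands in for both magic quotes and `mysql_real_escape_string()` (an assumption, so the snippet runs without a database), and the helper names and sample text are constructed.

```php
<?php
// Added example, not code from the original answer.

/** Recursively undo magic-quotes slashing on a request value (string or nested array). */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/** True only on old PHP builds where magic_quotes_gpc exists and is switched on. */
function magic_quotes_active()
{
    // Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8,
    // so the version check short-circuits before the call on newer builds.
    return PHP_VERSION_ID < 50400
        && function_exists('get_magic_quotes_gpc')
        && get_magic_quotes_gpc();
}

// Constructed sample post body, as the user typed it.
$typed = "It's here: <a href=\"http://example.com/\">link</a>";

// What $_POST would hold with magic quotes on (addslashes() as a stand-in).
$received = addslashes($typed);

// Escaping the already-slashed value again (stand-in for mysql_real_escape_string()).
$doubleEscaped = addslashes($received);

// The database consumes one layer of escaping, so the stored text keeps the backslashes.
$stored = stripslashes($doubleEscaped);
var_dump($stored === $received, $stored === $typed);

// Fix: strip the magic-quotes layer first, then escape exactly once for the query.
// The condition is forced on here because $received was slashed by hand above;
// in a real request handler it would be magic_quotes_active() alone.
$input = (magic_quotes_active() || true) ? undo_magic_quotes($received) : $received;
$storedFixed = stripslashes(addslashes($input));
var_dump($storedFixed === $typed);
```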

OTHER TIPS

You can also turn off magic quotes by using this:

if ( version_compare(PHP_VERSION, '5.3.0', '<') ) {
    set_magic_quotes_runtime(0);
}

It will turn magic quotes off when your server is running any version of PHP less than 5.3.0.

Licensed under: CC-BY-SA with attribution