mysql_real_escape_string and single quote

Question

I'm quite frustrated. I want to be able to insert into my database names with single quotes - for example, O'Connor.

So, when inserting into the DB, I do:

 $lname = mysql_real_escape_string($_POST['lname']);

And then I insert $lname into the DB.

When it's in the DB, it appears as O\'Connor.

So, if I were to recall that last name in my web application, I will have to use:

 $lname = stripslashes($r["lname"]);

This all seems to work fine. However, I have a search function which will search for last names and display the results. When I search, I have to search for O\'Connor in order to get any results.

You see, after I search, the textbox automatically stores the value of what was just searched for (using sessions). So my code is this:

 $search = mysql_real_escape_string($_GET['search']);
 $_SESSION['search'] = $search;

Like I said before, when I search, I have to use "O\'Connor", and then after I search, the value in the textbox becomes "O\\\\'Connor"

It's been frustrating trying to figure this out. Does anyone know what I'm doing wrong? Thanks!

EDIT:

Here is my php5.ini file, regarding magic quotes:

 ; Magic quotes
 ;

 ; Magic quotes for incoming GET/POST/Cookie data.
 magic_quotes_gpc = On

 ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
 magic_quotes_runtime = Off

 ; Use Sybase-style magic quotes (escape ' with '' instead of \').
 magic_quotes_sybase = Off

However, my site is hosted on GoDaddy, and I do not have permissions to edit the file :(

Answer 1

It sounds like Magic Quotes are enabled in your PHP configuration.

To check if it's actually enabled:

echo get_magic_quotes_gpc();

To disable, edit your php.ini file:

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

Or add this line to your .htaccess:

php_flag magic_quotes_gpc Off

Answer 2

Magic quotes are enabled. What this means is that anything placed in post or get or other similar locations is automatically escaped so that beginning programmers don't have to worry about it as much. It is deprecated in the current version of PHP, if I remember correctly.

What you want to do to deal with this, and have the script run the same from any configuration is the following:

function fixinput($value){
    if (get_magic_quotes_gpc()){
      $value = stripslashes($value);
    }

    return mysql_real_escape_string($value);
}

You may want to further modify this to wrap non-numeric data in quotes, which is a common variation, but I find it is better to place those quotes manually.

Answer 3

Little edit to the fixinput function to check if your installation of PHP does indeed have real escape string (older versions don't):

  function fixinput($value){
    if (get_magic_quotes_gpc()){
      $value = stripslashes($value);
    }

    if (function_exists('mysql_real_escape_string')) {
      return mysql_real_escape_string($value);
    }
    else {
      return mysql_escape_string($value);
    }
  }

Answer 4

When it's in the DB, it appears as O\'Connor.

So, if I were to recall that last name in my web application, I will have to use:

 $lname = stripslashes($r["lname"]);

Wrong! When you escape strings with mysql_real_escape_string, they are only escaped in the query. The database interprets the query, so the data ends up in the database without any escape-characters. You do not have to use stripslashes when pulling data out of the database. If you think you do, then it means that the data in your database is mangled. Most likely because you have magic quotes turned on.

You should:

• Turn off magic quotes or reverse their effect globally. See the manual for details.
• Either use bound parameters (The best solution) or escape all variables with mysql_real_escape_string. You should do this where you are building the query.
• Not do anything on the stuff you pull out from the database.

In particular, do not make a function a la the fixinput and variants that is listed in some of the answers here. It is the wrong way to solve the problem, because it will mess up any data that doesn't come from a http-request.

Answer 5

I dont check for get_magic_quotes_gpc is on/off.

I just do $lname = mysql_real_escape_string(stripslashes($_POST['lname'])); so if there is not any quoted text it wont strip slashes.. if there is quoted it will strip them off.

and it works wonders for me!

Answer 6

All you need to do is take the search query, mysql_real_escape_string it, and it should be perfectly fine. The best way to do this though is to never store it escaped, and instead just escape it everything is goes into the database.

Instead, do this:

 $_SESSION['search'] = $_GET['search'];
 $search = mysql_real_escape_string($_GET['search']);