I'm quite frustrated. I want to be able to insert into my database names with single quotes - for example, O'Connor.
So, when inserting into the DB, I do:
$lname = mysql_real_escape_string($_POST['lname']);
And then I insert $lname into the DB.
When it's in the DB, it appears as O\'Connor.
So, if I were to recall that last name in my web application, I will have to use:
$lname = stripslashes($r["lname"]);
This all seems to work fine. However, I have a search function which will search for last names and display the results. When I search, I have to search for O\'Connor in order to get any results.
You see, after I search, the textbox automatically stores the value of what was just searched for (using sessions). So my code is this:
$search = mysql_real_escape_string($_GET['search']);
$_SESSION['search'] = $search;
Like I said before, when I search, I have to use "O\'Connor", and then after I search, the value in the textbox becomes "O\\\\'Connor"
It's been frustrating trying to figure this out. Does anyone know what I'm doing wrong? Thanks!
EDIT:
Here is my php5.ini file, regarding magic quotes:
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
However, my site is hosted on GoDaddy, and I do not have permissions to edit the file :(
Little edit to the fixinput function to check if your installation of PHP does indeed have real escape string (older versions don't):
Wrong! When you escape strings with
mysql_real_escape_string
, they are only escaped in the query. The database interprets the query, so the data ends up in the database without any escape-characters. You do not have to usestripslashes
when pulling data out of the database. If you think you do, then it means that the data in your database is mangled. Most likely because you have magic quotes turned on.You should:
mysql_real_escape_string
. You should do this where you are building the query.In particular, do not make a function a la the
fixinput
and variants that is listed in some of the answers here. It is the wrong way to solve the problem, because it will mess up any data that doesn't come from a http-request.It sounds like Magic Quotes are enabled in your PHP configuration.
To check if it's actually enabled:
To disable, edit your php.ini file:
Or add this line to your .htaccess:
Magic quotes are enabled. What this means is that anything placed in post or get or other similar locations is automatically escaped so that beginning programmers don't have to worry about it as much. It is deprecated in the current version of PHP, if I remember correctly.
What you want to do to deal with this, and have the script run the same from any configuration is the following:
You may want to further modify this to wrap non-numeric data in quotes, which is a common variation, but I find it is better to place those quotes manually.
All you need to do is take the search query, mysql_real_escape_string it, and it should be perfectly fine. The best way to do this though is to never store it escaped, and instead just escape it everything is goes into the database.
Instead, do this:
I dont check for
get_magic_quotes_gpc
is on/off.I just do
$lname = mysql_real_escape_string(stripslashes($_POST['lname']));
so if there is not any quoted text it wont strip slashes.. if there is quoted it will strip them off.and it works wonders for me!