The data variable is then passed through a MySQL query, and then I echo out a message like this:
echo "The data you entered, ".$data.", was successfully added to the database.";
The problem is this... When the data is echoed out, if the data contained a ' character then there are 3 backslashes before it.
For example, if a user entered: Eddie's code
The message would say: The data you entered, Eddie\\\'s code, was successfully added to the database.
I think that the ' character is being protected by a backslash and then both those characters are being protected again, so it results in 3 backslashes and a ' character.
When I remove the SQL protection (mysql_real_escape_string(strip_tags($_POST['data']))) then the data is passed through the query correctly without trouble...
After all of that, what I really want to know is: do MySQL queries now protect themselves from SQL injection?
I don't know which version of PHP the server I have my script hosted on is running, but I would just like to know why this is and whether it is safe to remove all the SQL protection, as the MySQL queries execute the code with no trouble even when a ' character is used.
Sorry for the essay haha,
Thanks everyone for your time in helping me.
When a user submits a text field with a ' character in it, is that character escaped using a backslash?
Last edited by eddie; 22nd August 2009 at 01:26 PM.
Reason: Extra info
That explains it! I've been having to add stripslashes($_POST['data']) to everything that has been submitted by the POST method in a form, just to get a variable to equal what was actually submitted by the form haha.
They have removed the option to change the magic quotes on/off in the newer PHP versions, which is good, but on the other hand, when the company we host with upgrades their version of PHP we will need to change our scripts.
I have read the manual for disabling it and I don't quite understand how to do this. They have just written some text. Do you know how to do it?
If you put that in a file that gets included in every PHP page (such as a config file, or library) then it'll sort out the form values. When you move to a server without magic quotes, the above code will leave the $_ variables alone, but for now it will run the stripslashes function on each element of the four input arrays.
You'll still need to use the escape functions before storing data in the database though (if it's MySQL, then use mysql_real_escape_string() rather than just 'addslashes' - which of course you are doing already).
Last edited by SteveMC; 22nd August 2009 at 02:27 PM.
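As an added example (not SteveMC's include, which is not reproduced on this page, and not eddie's script): a magic-quotes-aware include that strips the slashes only while magic_quotes_gpc is on, a short demonstration of where the three backslashes come from, and a store routine that uses a PDO prepared statement, a swapped-in replacement for mysql_real_escape_string() that lets the driver do the escaping exactly once. The $pdo connection, the table notes and the column data are assumptions for the example.

```php
<?php
// Added example (not the thread's code): undo magic_quotes_gpc once, at
// include time, then hand the value to a prepared statement so it is
// escaped exactly once, by the database driver.

// Recursively reverse the addslashes() that magic_quotes_gpc applied.
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

// Only touch the input arrays when magic quotes is actually on. On a
// server without it the function is gone or returns false, so $_GET,
// $_POST, $_COOKIE and $_REQUEST are left alone.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// Why the thread saw three backslashes: magic quotes already ran
// addslashes() on the value, and escaping it a second time escapes the
// backslash as well as the quote. addslashes() stands in here for
// mysql_real_escape_string(), which escapes the same characters but
// needs a live connection.
$raw    = "Eddie's code";                    // constructed sample input
$magic  = addslashes($raw);                  // Eddie\'s code   (what $_POST held)
$double = addslashes($magic);                // Eddie\\\'s code (escaped twice)
$once   = addslashes(stripslashes($magic));  // Eddie\'s code   (escaped once)

// Storing the value: the bound parameter is escaped by the driver, so the
// plain (unescaped) string is passed in and no manual escaping is needed.
// $pdo, the table `notes` and the column `data` are assumed for this example.
function store_data(PDO $pdo, $data)
{
    $stmt = $pdo->prepare('INSERT INTO notes (data) VALUES (:data)');
    $stmt->execute(array(':data' => $data));
    return $stmt->rowCount();
}

// Echoing the value back: escape for HTML, since the database escaping
// does nothing for the browser.
function confirmation_message($data)
{
    $safe = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
    return "The data you entered, " . $safe . ", was successfully added to the database.";
}
```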