johnrb87 Posted September 6, 2010

Hi everyone

I am trying to secure some of my code using a sanitize function:

```php
function sanitize($data) {
    $cdata = strip_tags(addslashes($data));
    $cdata = mysql_real_escape_string($cdata);
    return $cdata;
}
```

If I post a form value such as 'Apple iPod' to a SQL INSERT query using `title` = sanitize($_POST['title']); then my database value looks like \\\'the ipod\\\'. This is odd because there are 3 slashes. If I then print that value on a PHP page using print stripslashes($row['title']); it outputs \'the ipod\'.

Why can I not get rid of the slashes, and why would it be outputting 3 slashes? I have tried all the magic quote ideas and suggestions, but still cannot sort this out.

Thanks
John
Hypnos Posted September 7, 2010

Because you have 3 things adding slashes.

1. magic_quotes_gpc - It must be on. Run phpinfo() to test. Shut it off in php.ini or .htaccess.
2. addslashes() - You don't need this. That's what mysql_real_escape_string() is for.
3. mysql_real_escape_string()

Take out the addslashes() and shut off magic_quotes_gpc. Or just shut off magic_quotes_gpc and use prepared statements with PDO or mysqli. Then you don't need to escape data for SQL.
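The three escaping layers Hypnos lists, followed by the prepared-statement fix, as an added example that is not code from either post. It reproduces the poster's observed values (three backslashes in the table, one left after a single stripslashes()) by stacking the layers on "'the ipod'", then stores the same value through a PDO prepared statement and reads it back unchanged. Two assumptions are made so it runs offline: escapeLikeMysql() is a local stand-in for mysql_real_escape_string(), which needs a live MySQL connection, and an in-memory SQLite database stands in for MySQL in the PDO part.

```php
<?php
// Added example (not code from the thread). Walks the three escaping layers named
// in the answer above and shows the recommended fix: a PDO prepared statement.
// mysql_real_escape_string() needs a live MySQL connection, so escapeLikeMysql()
// is an offline stand-in that applies the same backslash escaping (an assumption
// made for this demo; it is not the real function).

function escapeLikeMysql(string $s): string
{
    // The characters mysql_real_escape_string() prefixes with a backslash.
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// The original poster's sanitize(), with the stand-in escaper swapped in.
function sanitizeFromThread(string $data): string
{
    $cdata = strip_tags(addslashes($data));   // layer 2: addslashes()
    return escapeLikeMysql($cdata);           // layer 3: real_escape_string
}

// Every escaping stage the value passes through on its way into the table.
function escapingStages(string $raw): array
{
    $gpc     = addslashes($raw);              // layer 1: magic_quotes_gpc = On (simulated)
    $escaped = sanitizeFromThread($gpc);      // layers 2 and 3
    // When MySQL parses the quoted literal in the INSERT it consumes exactly one
    // layer of backslashes; for quotes and backslashes stripslashes() does the same.
    $stored  = stripslashes($escaped);
    return [
        'raw'     => $raw,
        'gpc'     => $gpc,
        'escaped' => $escaped,
        'stored'  => $stored,                 // what the poster sees in the database
        'printed' => stripslashes($stored),   // what print stripslashes($row['title']) shows
    ];
}

// The fix: magic_quotes_gpc off (it was removed entirely in PHP 5.4), no manual
// escaping, and the value bound as a parameter. SQLite in memory stands in for
// MySQL so the example runs offline (assumption: the same PDO calls work on MySQL).
function storeWithPreparedStatement(string $title): string
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

    // The driver sends the value separately from the SQL text, so quotes and
    // backslashes in $title are data, never syntax. No addslashes(), no escaping.
    $stmt = $pdo->prepare('INSERT INTO products (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);

    // Read it back: it must come out byte-for-byte as it went in.
    return (string) $pdo->query('SELECT title FROM products')->fetchColumn();
}

$raw = "'the ipod'";
foreach (escapingStages($raw) as $stage => $value) {
    printf("%-8s %s\n", $stage, $value);
}

// Both a plain value and an injection attempt are stored literally.
foreach ([$raw, "Apple' OR '1'='1"] as $input) {
    $back = storeWithPreparedStatement($input);
    printf("prepared: %s  round-trip %s\n", $back, $back === $input ? 'ok' : 'MISMATCH');
}
```

Run it with php on the command line. The "stored" stage carries three backslashes per quote and the "printed" stage one, exactly what the first post reports, because each of the three layers adds its own and the INSERT only consumes one. With the prepared statement the value round-trips unchanged, including the injection attempt, so nothing has to be stripped on the way out. The strip_tags() call belongs to a different problem: store the raw value and escape it for the output context (htmlspecialchars() when printing into HTML) rather than mangling it before storage.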