dsjoes Posted January 29, 2011

When I upload a link using the form below it adds \ into it like this

    <a href=\"http://www.google.co.uk\" target=\"_blank\">test</a>

and the link is unusable with them. Any way to stop this?

    <?php
    include("dbinfo.inc.php");
    mysql_connect($localhost,$username,$password);
    @mysql_select_db($database) or die( "Unable to select database");
    $query="SELECT * FROM News WHERE id='$id'";
    $result=mysql_query($query);
    $num=mysql_numrows($result);
    mysql_close();

    $i=0;
    while ($i < $num) {
    $News=mysql_result($result,$i,"News");
    ?>

    <form action="updated.php">
    <input type="hidden" name="ud_id" value="<? echo "$id"; ?>">
    News:<br>
    <TEXTAREA NAME="ud_News" COLS=40 ROWS=6><? echo "$News"?></TEXTAREA><br>
    <input type="Submit" value="Update">
    </form>

    <?php
    ++$i;
    }
    ?>

litebearer Posted January 30, 2011

I suspect it is due to how you 'formatted' the information when you initially inserted it into the database. We would need to see that coding also.

(note: why are you using mysql_close BEFORE you finish accessing the data?)

Pikachu2000 Posted January 30, 2011

Post the output of anything that starts with 'magic_quotes' from phpinfo.

dsjoes Posted January 30, 2011

> Post the output of anything that starts with 'magic_quotes' from phpinfo.

    magic_quotes_gpc      On   On
    magic_quotes_runtime  Off  Off
    magic_quotes_sybase   Off  Off

Pikachu2000 Posted January 30, 2011

OK, when you insert the values into the database, are you using any logic to strip out the slashes added by magic_quotes_gpc before using mysql_real_escape_string? If you don't, the data ends up doubly escaped, resulting in a set of the slashes making its way into the database. It should look something like this for sanitizing and inserting the data:

    // Undo the slashes magic_quotes_gpc added before escaping for the query.
    if( get_magic_quotes_gpc() ) {
        $value = mysql_real_escape_string(stripslashes($_POST['value']));
    } else {
        $value = mysql_real_escape_string($_POST['value']);
    }
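
The double escaping described in the answer above, as an added example that is not part of the original thread. `magic_quotes_gpc_on`, `sql_escape`, `mysql_store` and `stored_value` are hypothetical stand-ins built on `addslashes()` and `stripslashes()` so the script runs on current PHP, where magic quotes and the `mysql_*` functions have been removed.

```php
<?php
// Added illustration; the helpers below are stand-ins, not real PHP APIs.

// Stand-in for magic_quotes_gpc = On: PHP applied addslashes() to every
// GET/POST/COOKIE value before the script saw it.
function magic_quotes_gpc_on(string $raw): string
{
    return addslashes($raw);
}

// Stand-in for mysql_real_escape_string(): for quotes and backslashes it
// adds the same single backslash that addslashes() does.
function sql_escape(string $value): string
{
    return addslashes($value);
}

// Stand-in for MySQL reading a quoted string literal: the parser consumes
// exactly one layer of backslash escapes and stores whatever is left.
function mysql_store(string $literal): string
{
    return stripslashes($literal);
}

// Returns what ends up in the News column for a value typed into the form.
function stored_value(string $typed, bool $strip_first): string
{
    $post = magic_quotes_gpc_on($typed);   // contents of $_POST['ud_News']
    if ($strip_first) {
        $post = stripslashes($post);       // undo magic quotes, as in the answer
    }
    return mysql_store(sql_escape($post));
}

// Constructed sample input: the link from the original question.
$typed = '<a href="http://www.google.co.uk" target="_blank">test</a>';

$double = stored_value($typed, false);     // escaped twice, one layer survives
$single = stored_value($typed, true);      // escaped once, nothing survives

echo "escaped twice: ", $double, PHP_EOL;
echo "escaped once:  ", $single, PHP_EOL;
echo "slashes stored without stripslashes(): ", var_export($double !== $typed, true), PHP_EOL;
echo "round-trips with stripslashes():       ", var_export($single === $typed, true), PHP_EOL;
```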

dsjoes Posted January 30, 2011

> OK, when you insert the values into the database, are you using any logic to strip out the slashes added by magic_quotes_gpc before using mysql_real_escape_string? If you don't, the data ends up doubly escaped, resulting in a set of the slashes making its way into the database. It should look something like this for sanitizing and inserting the data:
>
>     // Undo the slashes magic_quotes_gpc added before escaping for the query.
>     if( get_magic_quotes_gpc() ) {
>         $value = mysql_real_escape_string(stripslashes($_POST['value']));
>     } else {
>         $value = mysql_real_escape_string($_POST['value']);
>     }

Thanks, that has worked.