mysql real escape string HELP + Text area line break help???


mat3000000


I am having problems with these slashes. They keep showing up when I echo data....

The code is to update a field in a mysql database table.

 

Here is my code:

// Repopulating the form: read the stored bio and turn <br /> back into newlines
// (note: $username is interpolated into the SQL without escaping here)
$query = mysql_query("SELECT * FROM `bus` WHERE username='$username'");
$row   = mysql_fetch_array($query);
$bio   = $row['about'];
$bio   = str_replace("<br />", "\r\n", $bio);

if (isset($_POST['submit'])) {
    if (empty($errors)) {
        if ($password == $pass) {

            // Escape for the query, then convert newlines to <br /> for storage
            $about1 = mysql_real_escape_string($_POST["about"]);
            $about1 = str_replace("\r\n", "<br />", $about1);

            mysql_query("UPDATE bus SET about='$about1' WHERE username='$username'");

        } else {
            $errors[] = 'Incorrect Password';
        }
    }
}

 

When I run this and put:

About: 

I'm very tired today

It's been very hard

 

I get the about1 string as: I\\\'m very tired today\r\nIt\\\'s been very hard

 

Why???

 

 

This page in the manual explains some options for disabling magic quotes either in the ini file or by pre-processing the user input: http://php.net/manual/en/security.magicquotes.disabling.php
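To make the double escaping concrete, here is an added example that is not code from the thread. It reproduces the `I\\\'m` output from the original post without a database and shows the single point at which stripslashes() belongs. escape_like_mysql() is a stand-in for mysql_real_escape_string(): it applies the same backslash escapes that function is documented to add (NUL, \n, \r, \, ', " and Ctrl-Z) but needs no connection and, unlike the real function, is not charset-aware. The sample input and the $magic_quotes_on flag are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: it reproduces the I\\\'m output
// from the original post without a database and shows the single point at
// which stripslashes() belongs. escape_like_mysql() is a stand-in for
// mysql_real_escape_string(): it applies the same backslash escapes that
// function is documented to add (NUL, \n, \r, \, ', " and Ctrl-Z) but needs
// no connection and, unlike the real function, is not charset-aware.

function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\"',
        "\x1a" => '\Z',
    ]);
}

// What the script would see in $_POST['about'] with magic_quotes_gpc on:
// PHP ran addslashes() over every GET/POST/COOKIE value before the script
// started. Here that is simulated instead of relying on the ini setting.
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Constructed sample input, exactly what the textarea submits (browsers
// send CRLF line endings in form data).
$submitted  = "I'm very tired today\r\nIt's been very hard";
$post_value = simulate_magic_quotes($submitted);   // I\'m ... It\'s ...

// 1. What the original post did: escape a value that magic quotes already
//    escaped. Each quote now carries three backslashes, and the real CR/LF
//    bytes became the two-character sequences \r and \n, which is why a
//    str_replace("\r\n", "<br />", ...) run after this step matches nothing.
$double_escaped = escape_like_mysql($post_value);

// 2. The fix the manual describes: strip the magic-quote slashes once, on
//    arrival, and only when the setting is actually on. Then escape exactly
//    once, immediately before building the query, and never echo that
//    escaped copy anywhere else.
$magic_quotes_on = true;   // constructed flag, stands in for get_magic_quotes_gpc()
$input        = $magic_quotes_on ? stripslashes($post_value) : $post_value;
$once_escaped = escape_like_mysql($input);

echo "double escaped: $double_escaped\n";
echo "escaped once:   $once_escaped\n";
echo "round trip ok:  ", var_export($input === $submitted, true), "\n";
```

The first echo prints `I\\\'m very tired today\r\nIt\\\'s been very hard`, the string reported in the original post; the second prints the single-escaped form that should only ever exist inside the SQL text, and the round trip confirms that stripslashes() restores the user's input exactly.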

 

In addition to what Pikachu has stated, I think you are also making this more difficult than it should be. Don't use str_replace to convert line breaks back and forth. PHP has built in functions to do this for you that will be better. I believe Linux and Windows servers format line breaks differently, so your code above would not work if you moved to a server with a different OS.

 

When storing user-input you have to think ahead as to how you will use that data and be careful about any transitions you make that cannot be undone. Personally, I rarely do any modifications to user input when storing in the database - except for escaping/validating the input to prevent sql injection or query errors. So, for text I will use mysql_real_escape_string() and for numbers I will use int() or other numeric validations as needed, validate dates, etc.

 

So, for a textarea I would save the original input exactly as the user entered it. With HTML tags, with "normal" line breaks (i.e. "\r\n" not "<br>"). But, then when I need to output that data I would use the appropriate PHP functions to format the text appropriately. If I was displaying the content within the body of an HTML page I would use htmlentities() and nl2br(). But, if I was repopulating a textarea for the text to be modified I would only use htmlentities(). Then again, if you are using the data for some other output entirely (say a text file) I would apply no conversions.
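The store-raw, format-on-output approach described above, as an added example that is not code from the thread. It uses a prepared statement (PDO) instead of escaping, so the write path has no stripslashes(), no real_escape_string() and no str_replace(), and it gives one output function per context: HTML body, textarea repopulation, and plain text. An in-memory SQLite database is used so the script runs stand-alone; for the thread's MySQL setup only the DSN changes. htmlspecialchars() is used in place of htmlentities() since it encodes the characters that matter for HTML; either works. The table and column names follow the original post; the username, the sample textarea contents and the injection string are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Store the textarea contents
// exactly as submitted via a prepared statement, then encode at the point
// of use. PDO + in-memory SQLite keeps it self-contained; for MySQL the DSN
// would be "mysql:host=...;dbname=..." (assumed) and nothing else changes.

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE bus (username TEXT PRIMARY KEY, about TEXT)');
$pdo->exec("INSERT INTO bus (username, about) VALUES ('mat', '')"); // constructed user

// Write path: the driver sends the value separately from the SQL text, so
// quotes, backslashes and newlines are stored byte for byte and cannot
// change the meaning of the statement.
function save_about(PDO $pdo, string $username, string $about): void
{
    $stmt = $pdo->prepare('UPDATE bus SET about = :about WHERE username = :username');
    $stmt->execute([':about' => $about, ':username' => $username]);
}

function load_about(PDO $pdo, string $username): ?string
{
    $stmt = $pdo->prepare('SELECT about FROM bus WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $about = $stmt->fetchColumn();
    return $about === false ? null : $about;
}

// Read path: one function per output context.
function for_html_body(string $about): string
{
    // Encode first, then turn the (still real) newlines into <br />.
    // Calling nl2br() first would encode its own <br /> to &lt;br /&gt;.
    return nl2br(htmlspecialchars($about, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

function for_textarea(string $about): string
{
    // <textarea> preserves newlines, so only encoding is needed; ENT_QUOTES
    // also keeps the value from breaking out of a quoted attribute elsewhere.
    return '<textarea name="about">'
        . htmlspecialchars($about, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</textarea>';
}

function for_text_file(string $about): string
{
    return $about;   // no HTML context, so no conversion at all
}

// Constructed sample: the textarea contents from the original post plus a
// tag and an injection attempt, to show both are stored and shown literally.
$submitted = "I'm very tired today\r\nIt's been very hard\r\n"
           . "<script>alert(1)</script> '); DROP TABLE bus; --";

save_about($pdo, 'mat', $submitted);
$stored = load_about($pdo, 'mat');

var_dump($stored === $submitted);      // bool(true): stored unchanged
echo for_html_body($stored), "\n";     // &lt;script&gt;... with <br /> per line
echo for_textarea($stored), "\n";      // encoded, newlines kept, no <br />
echo for_text_file($stored), "\n";     // raw
```

The ordering inside for_html_body() is the one detail that bites in practice: nl2br() only inserts `<br />` in front of the existing line breaks, so it has to run after the encoding step, or its markup is encoded away with everything else.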

Thanks for your help.

 

Just for the record I am using this to turn off magic quotes:

// Undo magic_quotes_gpc once, at request start, so values are escaped only once
// later. Magic quotes were removed in PHP 5.4 (get_magic_quotes_gpc() returns
// false from then on); get_magic_quotes_gpc() and each() no longer exist in PHP 8.
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                // nested array: re-key it and queue it for the same treatment
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}

 

and I am using htmlentities() and nl2br() which seemed to work.

 

Thank You!!!!  ;D
