-1

This is my code:

URL:

http://www.mysite.com/t.php?title=The%20Police%20-%20Don't%20Stand%20So%20Close%20to%20Me%20'86%20-

PHP:

<?php if(!empty($_GET['title'])){ ?>
<form method="post" action="t.php?done=yes" enctype="multipart/form-data">
<input type="text" name="title"
<?php echo "value=\"".htmlspecialchars($_GET['title'])."\""; ?>
>
<input name="submit" value="Submit" type="submit" />
</form>
<?php } ?>


<?php if(!empty($_POST['title'])){
echo mysql_real_escape_string($_POST['title']);
// I have to put the string in a database ( I haven't added that part )
 } ?>

If I follow the first URL and then submit the form, I get this string:

The Police - Don\\\'t Stand So Close to Me \\\'86 -

instead of:

The Police - Don't Stand So Close to Me '86 -

Why? How can I get the last string?

Thanks


EDIT:

I have just discovered that magic_quotes_gpc is ON because get_magic_quotes_gpc() returns TRUE.

xRobot
  • You use `mysql_real_escape_string` to escape a string to put into a MySQL database, not to `echo`; use htmlspecialchars – Musa May 22 '12 at 17:41
  • You are echoing out the escaped version. Just echo out the original string `$_POST['title']` to examine it, and use `htmlspecialchars()` to output it inside HTML – Michael Berkowski May 22 '12 at 17:41
  • I have to put the string in a database ( I haven't added that part ). – xRobot May 22 '12 at 17:42
  • when you add it to database, use mysql_real_escape_string, when echoing don't use it, easy, isn't it? And it also seems as you're applying mysql_real_escape_string twice somewhere in your code – Konstantin Pereiaslov May 22 '12 at 17:47
  • But echoing it with mysql_real_escape_string will add the backslashes, wouldn't it? Why don't you just convert the %20 to spaces and use mysql_real_escape_string when saving it to the database, since %20 isn't really an HTML char – magicianiam May 22 '12 at 17:47
  • *"I just discovered that magic_quotes_gpc is ON.. What do I have to do now?"* - Turn them off or get a new host. http://stackoverflow.com/questions/517008/how-to-turn-off-magic-quotes-on-shared-hosting – Mike B May 22 '12 at 18:10

2 Answers

1

It may be because this string

The Police - Don't Stand So Close to Me '86 -

with magic_quotes_gpc on in your php.ini gets quote-escaped to

The Police - Don\'t Stand So Close to Me \'86 -

And then

echo mysql_real_escape_string($_POST['title']);

escapes the ' and \ so it becomes

The Police - Don\\\'t Stand So Close to Me \\\'86 -

Try setting this in your code:

ini_set ( 'magic_quotes_gpc', '0' );

If not, you can check it in code and remove the slashes:

if (get_magic_quotes_gpc()) {
    $title = stripslashes($_POST['title']);
}
else {
    $title = $_POST['title'];
}
bitoshi.n
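The following is an added example, not code from the question or either answer. It reproduces the double escaping offline and then shows the handling the answers describe: undo magic quotes once on input, keep the raw value inside PHP, and escape only at each sink. Because mysql_real_escape_string() needs a live MySQL connection, a local stand-in with the same escaping rules is used; magic_quotes_gpc is simulated with addslashes() and its on/off state is passed as a boolean rather than read from get_magic_quotes_gpc(), which no longer exists in PHP 8. The `songs` table and the store_title() helper are assumptions for illustration.

```php
<?php
// Added example (not from the question or answers): reproduces the
// double-escaping seen in the question, then shows the corrected flow.

// Stand-in for magic_quotes_gpc: PHP applied addslashes() to every
// GET/POST/COOKIE value before the script ever saw it.
function simulate_magic_quotes(string $raw): string {
    return addslashes($raw);
}

// Stand-in for mysql_real_escape_string(), which needs a live MySQL
// connection. It escapes the same characters (\, ', ", NUL, \n, \r, ^Z),
// so the output matches what the question's echo prints.
function mysql_style_escape(string $s): string {
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// What the question's code does: the value arrives already slashed by
// magic quotes, then gets escaped for MySQL a second time and echoed.
function buggy_pipeline(string $raw, bool $magicQuotesOn): string {
    $posted = $magicQuotesOn ? simulate_magic_quotes($raw) : $raw;
    return mysql_style_escape($posted);
}

// Corrected input handling: strip the magic-quotes slashes exactly once,
// and only when they were actually added (the answer's get_magic_quotes_gpc() check).
function normalize_input(string $posted, bool $magicQuotesOn): string {
    return $magicQuotesOn ? stripslashes($posted) : $posted;
}

// HTML sink: escape for the page, never for the database.
function html_value(string $title): string {
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// Database sink: a prepared statement carries the raw value as a parameter,
// so no manual escaping is needed at all. Table and column are assumptions.
function store_title(PDO $pdo, string $title): void {
    $stmt = $pdo->prepare('INSERT INTO songs (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
}

// Constructed input, the same title as in the question.
$raw = "The Police - Don't Stand So Close to Me '86 -";

// Reproduce the question: magic quotes on, then mysql-style escape, then echo.
echo buggy_pipeline($raw, true), "\n";

// Corrected flow: one stripslashes() on input, then escape per sink.
$posted = simulate_magic_quotes($raw);
$title  = normalize_input($posted, true);
echo $title, "\n";
echo html_value($title), "\n";
```

Run with `php example.php`: the first line printed is the triple-backslash string from the question, the second is the original title, and the third is the same title with the apostrophes HTML-encoded, which is what belongs in the form's value attribute. The point of the split into normalize_input(), html_value() and store_title() is that each escaping step matches exactly one output context, so the same string is never escaped twice for the same sink.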
0

Could you provide more information about this block please?

<?php if(!empty($_POST['title'])){
echo mysql_real_escape_string($_POST['title']);
 } ?>

Is this only for debug purposes? If so, there's no point echoing with mysql_escape_string, which obviously "corrupts" the visible value of your variable. Please post the echo without this function.

rgds

Sebas