
Possible Duplicate:
Why are escape characters being added to the value of the hidden input

I am querying user posts from a table in my database. When I output them and if they contain an apostrophe, a backslash is inserted before the apostrophe.

Why is it doing this? What can I do to fix this problem?

Example:

I'm hiking in Colorado's Mountains.

I\'m hiking in Colorado\'s Mountains.
user1592953
  • ...search for `string escaping`. – Lorenz Lo Sauer Sep 23 '12 at 18:59
  • hakra informing everyone that it is a possible duplicate seems pretty unproductive... – user1592953 Sep 23 '12 at 19:07
  • @user1592953: That is automatically inserted when a question is flagged as duplicate. Before posting a question, please search for duplicates. The comment helps others to review the close decision and also vote for closing if they think the same. – hakre Sep 23 '12 at 19:12
  • @user1592953 - if the other question is a duplicate, then what's unproductive about pointing to it? In any case, I would need to see some actual code before I even attempt to diagnose the problem. There are a number of possible causes but we need to see code in order to diagnose accurately and give helpful suggestions about how to improve it. – Spudley Sep 23 '12 at 19:37

5 Answers


Two possible reasons:

Reason One:

You have magic quotes enabled on your server. To test for magic quotes, simply use this piece of code:

```php
// True only when the magic_quotes_gpc setting is on (PHP before 5.4)
if (get_magic_quotes_gpc()) {
    echo 'Magic quotes are enabled...';
}
```

If magic quotes are enabled, you'll need to disable them (and complain to your web host about it). The PHP manual has a page dedicated to disabling magic quotes.

Reason Two:

You (or one of your input functions) are using addslashes() as protection against SQL injection. This is not secure. Prepared statements (with PDO or mysqli) are the only acceptable means of protection against SQL injection.

Wayne Whitty
  • `magic_quotes_gpc` (that one you focus on) is not related to data returned from databases (that is the type of data the question is about), only to data that comes from the browser. See http://stackoverflow.com/a/12555360/367456 , it's likely `magic_quotes_runtime`. – hakre Sep 23 '12 at 19:08
  • @hakra But if quotes are being escaped before they're inserted, then surely magic_quotes_gpc could also be the issue? – Wayne Whitty Sep 23 '12 at 19:11
  • Sure, that's why I suggested this question here to be closed as a duplicate of: [Why are escape characters being added to the value of the hidden input](http://stackoverflow.com/questions/1038980/why-are-escape-characters-being-added-to-the-value-of-the-hidden-input) - I mean, who needs to type if the answer is already there? :) – hakre Sep 23 '12 at 19:12
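
The difference between the addslashes() approach in Reason Two and a prepared statement, as an added example that is not part of the original answer. It assumes PHP 7 or later with the pdo_sqlite extension; the posts table and the store_post() and render_post() helpers are hypothetical.

```php
<?php
// Added illustration, not code from the thread. Table, columns and helper
// names are hypothetical; in-memory SQLite keeps the script self-contained.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, source TEXT, body TEXT)');

function store_post(PDO $pdo, string $source, string $body): void
{
    // The value travels as a bound parameter, never as part of the SQL text,
    // so it is stored byte for byte as given.
    $stmt = $pdo->prepare('INSERT INTO posts (source, body) VALUES (:source, :body)');
    $stmt->execute([':source' => $source, ':body' => $body]);
}

function render_post(string $body): string
{
    // Encode for the HTML context at output time, not at storage time.
    return htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
}

$input = "I'm hiking in Colorado's Mountains."; // constructed sample input

// Symptom from the question: addslashes() (or magic quotes) has already
// altered the string, so the backslashes are saved as part of the data.
store_post($pdo, 'addslashes', addslashes($input));

// Fix: pass the raw value and let the prepared statement handle it.
store_post($pdo, 'raw', $input);

// Show what each row holds and how it looks once encoded for HTML.
foreach ($pdo->query('SELECT source, body FROM posts ORDER BY id') as $row) {
    printf("%-10s stored: %s\n", $row['source'], $row['body']);
    printf("%-10s html:   %s\n", $row['source'], render_post($row['body']));
}
```

Rows that already contain stray backslashes need a one-off cleanup; calling stripslashes() on every read would also strip backslashes that users typed on purpose.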

It is most likely escaping the characters (due to mysql_real_escape_string) or something along those lines. You can use the stripslashes() function to remove slashes, although I recommend using htmlentities() or htmlspecialchars() on the data to add some security.

David

You can use http://php.net/manual/en/function.mysql-escape-string.php. Consider using http://php.net/manual/en/book.pdo.php; it has a prepare method, which prepares the SQL statement, and it's often better and it's OOP. (I guess you are using mysql_* functions.)

CappY

I think you should look at addslashes and stripslashes

Example

```php
$text = "I\'m hiking in Colorado\'s Mountains.";
echo stripslashes($text);
```

Output

I'm hiking in Colorado's Mountains.
Baba

You need to verify the following PHP configuration setting:

This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

My suggestion: Upgrade your PHP version to 5.4.x, this problem will go away and you profit from many other new features.

hakre