
I've been trying everything for hours to get a simple title with an apostrophe inserted into the database... but it simply doesn't want to work.

I've always used the PHP function (below) and it used to work... but in this case it is not working at all.

I have the following:

```php
$GameArray = mysql_fetch_array($QGame);
$FixTitle = PHP_slashes($GameArray['Title']); // should retrieve "Assassin's Creed IV"
```

But it doesn't work. I don't understand why. If I post some content with an apostrophe and do it like:

```php
PHP_slashes($_POST['content_with_apostrophe']);
```

It works.

Below is the PHP_slashes() function for reference.

```php
function PHP_slashes($string,$type='add')
{
    if ($type == 'add')
    {
        if (get_magic_quotes_gpc())
        {
            return $string;
        }
        else
        {
            if (function_exists('addslashes'))
            {
                return addslashes($string);
            }
            else
            {
                return mysql_real_escape_string($string);
            }
        }
    }
    else if ($type == 'strip')
    {
        return stripslashes($string);
    }
    else
    {
        die('error in PHP_slashes (mixed,add | strip)');
    }
}
```
user2840318
  • 9
    Stop using the mysql functions. They're deprecated and obsolete. Switch to mysqli or PDO, use a prepared statement with placeholders, and this problem basically goes away. As well, addslashes has **NEVER** been a safe way of escaping data for SQL services. It's like using mosquito netting as a condom... utterly pointless. – Marc B Oct 07 '13 at 21:56
  • 2
    This is some really scary escaping. You should turn magic_quotes off and use `mysql_real_escape_string()`. And then use `mysqli_*` instead of `mysql_*` but that's [**another topic**](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). – Sébastien Oct 07 '13 at 21:56
  • You're escaping *after* you've inserted into the database? – Waleed Khan Oct 07 '13 at 21:57
  • @Waleed Khan - I am getting a title from database... and then trying to insert it in a different table. – user2840318 Oct 07 '13 at 22:00
  • 1
    I think you could use mysqli and prepared statements, which will take care of all that escaping... – joe42 Oct 07 '13 at 22:10
  • I am using prepared statements on the main website... this old mysql stuff is in the backoffice... it is so old and huge that it would take forever to upgrade... just wanted some temporary solution to make this work... for now. – user2840318 Oct 07 '13 at 22:14
  • What doesn't work about it? Do you get errors? – showdev Oct 07 '13 at 22:44
  • Apparently it doesn't add the slash if it is on a field that comes from the database... how weird that can be. – user2840318 Oct 07 '13 at 23:10
  • Are you sure it's an apostrophe and not some character that sort of looks like one? – miyasudokoro Oct 07 '13 at 23:15
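
Added example, not part of the original thread: the prepared-statement approach the comments recommend, applied to the case in the question (a title read from one table and inserted into another). It also sidesteps the helper's blind spot: whenever `get_magic_quotes_gpc()` returns true, `PHP_slashes()` returns its input unchanged, and magic quotes only ever applied to GET/POST/cookie data, never to values fetched from the database. The table and column names are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not the asker's code. Table and column names are hypothetical;
// SQLite in memory stands in for MySQL so this runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE games (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec('CREATE TABLE featured (game_id INTEGER, title TEXT)');

// Constructed sample row containing an apostrophe.
$seed = $pdo->prepare('INSERT INTO games (id, title) VALUES (?, ?)');
$seed->execute([1, "Assassin's Creed IV"]);

/**
 * Copy a title from one table to another. The value read from the database is
 * treated as untrusted data, exactly like $_POST input: it is bound to a
 * placeholder and never concatenated into the SQL text.
 */
function copyTitle(PDO $pdo, int $gameId): string
{
    $select = $pdo->prepare('SELECT title FROM games WHERE id = ?');
    $select->execute([$gameId]);
    $title = $select->fetchColumn();
    if ($title === false) {
        throw new RuntimeException("No game with id $gameId");
    }

    $insert = $pdo->prepare('INSERT INTO featured (game_id, title) VALUES (?, ?)');
    $insert->execute([$gameId, $title]);
    return $title;
}

copyTitle($pdo, 1);

// The stored value matches the original exactly: no backslashes were added.
$stored = $pdo->query('SELECT title FROM featured WHERE game_id = 1')->fetchColumn();
var_dump($stored === "Assassin's Creed IV");
```

With a MySQL backend only the DSN passed to `new PDO(...)` changes; the placeholders and `execute()` calls stay the same.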

0 Answers