1

I'm moving an HTML form from development (localhost) to production and initial testing has identified a problem with escape characters appearing in the production MySQL database that dont appear in the localhost database.

I'm using mysql_real_escape_string to escape characters in the form processing file and in the localhost database these are saved correctly and all you see is the apostrophe or quote symbol.

Once moved to production however, the form still processes correctly, but the database record now has the backslash escape character in front of the apostrophe or quote symbol. When the record is printed the backlash appears and this won't be acceptable.

Nothing else appears to be different, except localhost and production are running different versions of MySQL (localhost is running 5.5.24-log and production is running 5.0.95-log). I have no control over the production version as it is managed by the ISP, so I'm hoping this isn't the problem.

Hopefully this makes sense? Any help greatly appreciated.

Hank
  • 13
  • 2
  • 3
    Please, [don't use `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php), They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://us1.php.net/pdo) or [MySQLi](http://us1.php.net/mysqli). [This article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you decide. – Jay Blanchard Oct 28 '14 at 17:30
  • Did you check the PHP configurations? – Ignacio Vazquez-Abrams Oct 28 '14 at 17:30
  • 1
    Add on `stripslashes()` or get with prepared statements. – Funk Forty Niner Oct 28 '14 at 17:31
  • Sounds like they're using a terrifyingly old version of PHP that has [magic quotes](http://php.net/manual/en/security.magicquotes.php) turned on. These were proven to be an extremely bad idea and have been removed from modern versions of PHP. You really should switch to a different host if they're this far behind. – tadman Oct 28 '14 at 17:35

1 Answers1

1

The solution to this is using stripslashes() before displaying the output

$text = "Don\'t use mysql_* and use mysqli or PDO instead";
echo stripslashes($text); // would echo it out without the backslash

As an alternative, you can start using prepared statements which is the best practice for dealing with user input and database, which would also save you the hussle of having to escape all quotes, and stripping the backslashes before displaying them.

Ali
  • 3,479
  • 4
  • 16
  • 31
  • Thanks for the interim solution, which works just fine for this use case and I will investigate prepared statements for future projects – Hank Oct 28 '14 at 18:10