2

When I echo: `mysqli_real_escape_string($dbc, '"conn"e"cting"');`

It outputs: `\"conn\"e\"cting\"` on both my remote and local server

which is how it is supposed to be, but the problem is, it is saving ["conn"e"cting"] to the database in my local database, while saving [\"conn\"e\"cting\"] with the backslashes to my remote database. Should I configure my remote database? How? I'm using nearlyfreespeech's service.

Thanks!

randomor

3 Answers

4

Your remote php.ini has magic quotes enabled.

You can check by running...

```php
var_dump(get_magic_quotes_gpc()); // True means it is enabled
```

It will escape all the GET, POST & COOKIE super globals automatically - but then escaping again will leave you with a slash that will be inserted.

Disable magic quotes on your server, or use a magic quotes disabler function if disabling them is impossible.

Update

For the hell of it, here is one I just made up

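```php
// Only run when magic_quotes_gpc is enabled.
if (get_magic_quotes_gpc()) {

    // Strip one layer of slashes from every key and value, recursing into nested arrays.
    function stripSlashesRecursive($array) {
        $stripped = array();
        foreach ($array as $key => $member) {
            if (is_array($member)) {
                $stripped[stripslashes($key)] = stripSlashesRecursive($member);
            } else {
                $stripped[stripslashes($key)] = stripslashes($member);
            }
        }

        return $stripped;
    }

    $globals = array('_GET', '_POST', '_COOKIE', '_REQUEST');

    // Variable variables work on superglobals here because this runs at global scope.
    foreach ($globals as $global) {
        $$global = stripSlashesRecursive($$global);
    }
}
```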

It works!

alex
  • You should rephrase your first sentence, remote databases never have magic_quotes enabled... – Alix Axel Dec 12 '10 at 03:51
  • @alex: **remote** php.ini? Also, this code doesn't make much sense... You're cleaning GPC and assigning it to the $global variable, the problem is this variable is only defined *iff* `if get_magic_quotes_gpc()`. – Alix Axel Dec 12 '10 at 04:02
  • @Alix Axel Whoops, maybe I shouldn't program on Sundays... How does it look now? – alex Dec 12 '10 at 04:05
  • Tried your code, didn't work. But it did point me to this code: http://www.php.net/manual/en/security.magicquotes.disabling.php Thanks guys/girls. It's very much appreciated! – randomor Dec 12 '10 at 04:15
  • @alex: `array('$_GET', '$_POST', '$_COOKIE')` should be `array('_GET', '_POST', '_COOKIE')`, and I doubt that either one will work (see http://stackoverflow.com/questions/2077711/php-shorter-magic-quotes-solution). – Alix Axel Dec 12 '10 at 04:16
  • @Alix Axel Made that fix already buddy :) What do you mean you doubt it will work? [Am I doing something wrong?](http://codepad.org/5QD42xd1). – alex Dec 12 '10 at 04:19
  • @alex: Sorry, I linked to the wrong post (and hadn't refreshed this page)... I can't find the right one but I wrote a similar code in the past and I discovered that **you can't alter a superglobal using variable variables**, try it - that's the reason why I work each superglobal individually in my answer. – Alix Axel Dec 12 '10 at 04:24
  • @Alix Axel It worked for me, but I did assign the super globals myself. Edit: Tried it with `$_GET` and adding them in the address bar, and it worked perfectly :) – alex Dec 12 '10 at 04:26
  • @alex: `Please note that variable variables cannot be used with PHP's Superglobal arrays within functions or class methods.`: http://php.net/manual/en/language.variables.variable.php. – Alix Axel Dec 12 '10 at 04:27
  • @Alix Axel But I'm not within a function or class method? :P – alex Dec 12 '10 at 04:28
  • @Alix Axel Now you can stop picking on me :) – alex Dec 12 '10 at 05:27
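
The double escaping described in this answer, modelled without a database as an added example (not code from any of the posters). The function names `receive`, `store` and `normalise` are hypothetical, and it assumes that `addslashes()` can stand in both for what `magic_quotes_gpc` did to request data and for `mysqli_real_escape_string()`, and `stripslashes()` for MySQL decoding the quoted literal; that holds for the sample string, which contains no control characters.

```php
<?php
// Added example: models the two servers from the question without a database.
// Assumption: addslashes()/stripslashes() approximate the escaping and the
// literal decoding closely enough for a string made of quotes and letters.

function receive($raw, $magicQuotesOn) {
    // What the script sees in $_POST: magic quotes escaped it automatically.
    return $magicQuotesOn ? addslashes($raw) : $raw;
}

function store($input) {
    $literal = addslashes($input);   // the application's own escaping, done once
    return stripslashes($literal);   // the database removes exactly one layer
}

function normalise($value, $magicQuotesOn) {
    // Undo the automatic layer so both servers escape the same raw value.
    if (!$magicQuotesOn) {
        return $value;
    }
    if (is_array($value)) {
        return array_map(function ($v) use ($magicQuotesOn) {
            return normalise($v, $magicQuotesOn);
        }, $value);
    }
    return stripslashes($value);
}

$raw = '"conn"e"cting"';   // constructed sample, same string as in the question

$servers = array('local (magic quotes off)' => false, 'remote (magic quotes on)' => true);
foreach ($servers as $server => $on) {
    $seen = receive($raw, $on);
    printf("%s\n", $server);
    printf("  script receives:        %s\n", $seen);
    printf("  stored without fix:     %s\n", store($seen));
    printf("  stored after normalise: %s\n", store(normalise($seen, $on)));
}
```

Only the remote run without `normalise` keeps the backslashes, because two layers were added and the database removed one.
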
1

If you're running PHP 5.3, this should do the trick:

```php
if ((get_magic_quotes_gpc() === 1) && (version_compare(PHP_VERSION, '5.3.0', '>=') === true))
{
    $_GET = json_decode(stripslashes(json_encode($_GET, JSON_HEX_APOS | JSON_HEX_QUOT)), true);
    $_POST = json_decode(stripslashes(json_encode($_POST, JSON_HEX_APOS | JSON_HEX_QUOT)), true);
    $_COOKIE = json_decode(stripslashes(json_encode($_COOKIE, JSON_HEX_APOS | JSON_HEX_QUOT)), true);
    $_REQUEST = json_decode(stripslashes(json_encode($_REQUEST, JSON_HEX_APOS | JSON_HEX_QUOT)), true);
}
```
Alix Axel
0

I think an easier solution is to set the php.ini directive for runtime magic quotes to 0 in your script, like so:

```php
ini_set('magic_quotes_runtime', '0');
```

Magic_quotes_gpc is a separate directive which only applies to Get/Post/Cookie operations, Alix. The ini_set() function can be used to change php.ini settings temporarily (the lifetime of the script). It will ensure that you get the same behavior across all servers. The parameters are the name of the directive you want to set and the new value, both in the form of strings.

Good luck!