0

I am using MySQL and PHP to manage my data on my website.

I have a paragraph typed in TeX format which so many mathematical formulas. I want to insert in my database and retrieve the same in some other place.

While retrieving I am using mathjax to display the mathematical part. Problem is while inserting the data.

When I am inserting the data 

$\int f d\mu $ ( Note that this '\' is required to run the math formula)

I am getting the inserted data as

$\\int f d \\mu $

There two backslashes instead of one.

How to prevent the backslashes which are added every time with the manually added backslashes (which is required).

Will the stripslashes() help or any other solutions?

Thanks in advance.

<form action="" method="POST">



<input type="hidden" name="id" value=<?php echo $print->Id; ?> >

<table class="speaker-abstract" style="width:49%; float:left;">

  <tr>

  <th> Update the Abstract Details Here </th>
  </tr>

<tr>
<td>
<label> Title of the Talk </label>
<input  style="width:95%" type="text" name="title1"  value="<?php echo $print->title_of_the_talk1; ?>">
</td>


</tr>

<tr>
<td> 
<label> Abstract of the Talk (Type in TeX format) </label>

 <textarea style="width:95%" name="abstract1"  rows="10"  ><?php echo $print->Abstract1; ?></textarea>

 </td>

 </tr>

  </table>

  <table class="speaker-abstract" style="width:49%; float:left;">
  <tr>

  <th> If any other, update the Abstract Details Here </th>
  </tr>

<tr>
<td>
<label> Title of the Talk </label>
 <input style="width:95%" type="text" name="title2" value="<?php echo $print->title_of_the_talk2; ?>">
</td>

</tr>

<tr>
<td> 
<label> Abstract of the Talk  (Type in TeX format) </label>
 <textarea style="width:95%" name="abstract2"  rows="10"  > <?php echo $print->Abstract2; ?> </textarea>

 </td>

 </tr>

  </table>

 <input style="float:right;" type="submit" name="update_abstract" value="Submit/Update"> 

</form>

and the php code to submit the form and display the data is the following.

<?php

$success_msg="Updated Successfull !!!";
$search= "Search the Speaker Here";

if (isset($_POST['update_abstract'])){
$id=$_POST['id'];
$title1=$_POST['title1'];
$title2=$_POST['title2'];
$abstract1=$_POST['abstract1'];
$abstract2=$_POST['abstract2'];

$update=$wpdb->update( 
    'Invited_Speakers_auto', 
    array( 
        'title_of_the_talk1' => $title1,
        'title_of_the_talk2' => $title2,
        'abstract1' => $abstract1,
        'abstract2' => $abstract2

    ), 
    array( 'id' => $id )

);
if ($update==true){

echo $success_msg.$abstract1;

}else
{
 $success_msg="There is an error in the update";
}

}
?>

PS:

  1. Kindly note that, I need the slash which is inserted by the user, I just have remove the slashes which are automatically inserted while sql insertion happens.

  2. stipslashes() Helps me in removing the added slashes in the output.

but I want to remove the backslashes while insertion itself.

David
  • 524
  • 1
  • 7
  • 24
  • 3
    Can we see the code? You could preg_replace all slashes in the variable data and replace them with nothing to remove them. It's escaping the slash. – clearshot66 Sep 13 '17 at 16:32
  • How are you inserting this data into your database and later displaying it? Where are these extra characters coming from in the first place? – David Sep 13 '17 at 16:32
  • stripslashes will help you . it delete all added slash – abderrahime sanadi Sep 13 '17 at 16:33
  • Show us the code. – Sammitch Sep 13 '17 at 17:15
  • Inside a double-quoted string you'll see those as being doubled, so maybe it's not a concern. What code do you use for insertion? How are you fetching the data? How are you displaying the fetched data? Using `stripslashes` is probably the wrong thing to do unless you're repairing damage. – tadman Sep 13 '17 at 17:31
  • I think if you use MySqli or PDO with prepared statement and placeholder, you don't need these backslashes or escaping characters. – Navid Sep 14 '17 at 03:55
  • @NMoeini Kindly explain. – David Sep 14 '17 at 03:56
  • @gloom, I have added my suggestion as an answer. – Navid Sep 14 '17 at 04:57
  • @NMoeini Dear Moeini, thank you for the answer. I am wordpress for my website, could you correct my code only since I am newbie for php and sql?? – David Sep 14 '17 at 05:22
  • Updated my answer! Try to use `mysql_real_escape_string` or use `htmlentities` and then `html_entity_decode` when retrieved. – Navid Sep 14 '17 at 05:37

1 Answers1

0

You can use MySqli or PDO with prepared statement. This is the best known method for sql injection prevention by the way. Learn more about Sql Injection Prevention from this fantastic answer!

Following code successfully inserts the string into MySql Database and reads from it. Hope it helps!

 <?php
    $_user = 'root';
    $_password= 'root';
    $_db = 'localtest';
    $_host = 'localhost';
    $_port = 3306;
    $con = new mysqli($_host, $_user, $_password, $_db) or die(mysql_error);

    $new = '$\int f d\mu $';

        //insert into mysql table
        $sql="INSERT INTO test (math) VALUES (?); ";
        $stmt = $con-> prepare($sql);
        $stmt -> bind_param("s", $new);
        $stmt -> execute();

    // Reading From DB
    $id = 1;
    $sql="SELECT math FROM test WHERE id = ?";
    $stmt = $con->prepare($sql);
    $stmt->bind_param("i", $id);
    $stmt -> execute(); 
    $stmt->store_result();
    /* Get the number of rows */
    $num_of_rows = $stmt->num_rows;

    /* Bind the result to variables */
    $stmt->bind_result($new);

    if($num_of_rows < 1){ 
        echo "Can't find any record!"; 
        mysqli_close($con); 
        exit();
    }
    while ($stmt->fetch())
    {
        echo $new . PHP_EOL;

        /* free results */
        $stmt->free_result();

    }
    mysqli_close($con); 
    exit();
   ?>

Update

If you can't use PDO or MySqli then mysql_real_escape_string can help you properly escape special characters.

You can also try to use htmlentities before inserting into database and then html_entity_decode when retrieved.

Navid
  • 894
  • 7
  • 14