[ACCEPTED]-PHP mysql_real_escape_string() -> stripslashes() leaving multiple slashes-stripslashes

Accepted answer
Score: 83

Best Solution

In your php.ini file, odds are that the 14 magic_quotes_gpc directive is set to on. This should be 13 disabled for security reasons. If you don't 12 have access to the php.ini file (eg. on 11 a shared host), you can always accomplish 10 the same using an .htaccess directive (assuming 9 this is an apache server).

In your php.ini

magic_quotes_gpc Off

In 8 an .htaccess file:

php_flag magic_quotes_gpc Off

Why is this happening?

The reason this is happening 7 is due to the following course of logic.

  1. A string that needs escaping is sent to the server.
    • This is my string. It's awesome.
  2. Magic Quotes escapes the apostrophe before it gets to your code.
    • This is my string. It\'s awesome
  3. mysql_real_escape_string now has two characters to escape, the backslash \\ as well as the apostrophe \'.
    • This is my string. It\\\'s awesome
  4. This new super-escaped string is stored in the database.
  5. When the string is retrieved from the database, it get's passed to stripslashes. This removes the two escapes added in step 3, but since one of the backslashes has been escaped stripslashes thinks it belongs.
    • This is my string. It\'s awesome

This 6 problem can really get out of hand when 5 you re-submit these strings to the database, as 4 each time the number of backslashes multiplies.

Alternative Solution

A 3 quick-and easy alternative would be to simply 2 remove the slashes added by magic_quotes before passing 1 the string to mysql_real_escape_string.

$str = stripslashes($_POST['str']);
$str = mysql_real_escape_string($str);
Score: 3

When adding a string to the database, I'm 24 escaping it with mysql_real_escape_string() and the following gets 23 stored in the database:

<span style=\\\"text-decoration:underline;\\\">underline</span>

No it's not. When 22 you escape strings in a sql query, it is 21 only to transport the data in the query. The 20 database parses the query and stores the 19 data in the database, without any extra 18 slashes. Thus, when you retrieve data from 17 the database, you should not unescape anything. It's 16 a common misconception.

If you find that 15 there are excess slashes in the output, you 14 probably have magic quotes turned on. Turn them off.

Edit:

mysql> create table foo (bar text) ;
Query OK, 0 rows affected (0.01 sec)

mysql> INSERT INTO foo (bar) VALUES ("<span style=\\\"text-decoration:underline;\\\">underline</span>");
Query OK, 1 row affected (0.00 sec)

mysql> SELECT * FROM foo;
+-------------------------------------------------------------+
| bar                                                         |
+-------------------------------------------------------------+
| <span style=\"text-decoration:underline;\">underline</span> | 
+-------------------------------------------------------------+
1 row in set (0.00 sec)

As 13 you can see, the query has one more level 12 of escaping than the data appears within 11 the database and consequently how it comes 10 out when querying for it. In your case, what 9 is probably going on, is that you have magic quotes 8 turned on and then you escape strings before 7 embedding them in a query. This leads to 6 double-escaping, tampering your data. The 5 proper solution is to keep escaping strings 4 as you do, but turn off magic quotes. And 3 don't do anything on the data as it comes out 2 of the database. Beware that data already 1 in the system needs to be cleaned up first.

Score: 1

If get_magic_quotes_gpc() is off in SERVER, so only we can use 4

$data= mysql_real_escape_string($_POST['data']);

if get_magic_quotes_gpc() is on in SERVER, we have to use

$data= mysql_real_escape_string(stripslashes($_POST['data']));

otherwise 3 add two backslashes with your data.

Also 2 another solution is we can use stripslashes($data) while fetch 1 from datadase if we use only use mysql_real_escape_string($_POST['data']);

More Related questions