Hey, well, I'm programming a CMS just for practice, and I've run into a problem. When I use mysql_escape_string to escape any illegal characters it works fine, but when I then get the information from the database and echo it onto the page the slashes are still there. Does anyone know how to avoid this? Here's the code I used, just a simple loop:

$sql = "SELECT * FROM `blog`";
$result = mysql_query($sql);
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    echo "{$row['id']}";
    echo "{$row['title']}";
    echo "{$row['content']}" . '<br>';
}
Use this instead:

$sql = "SELECT * FROM blog";
$result = mysql_query($sql) or die('MySQL Error.');
while ($row = mysql_fetch_array($result)) {
    echo $row['id'];
    echo $row['title'];
    echo $row['content'] . '<br />';
}

But still... you didn't show us where you're using the mysql_escape_string function.
Yeah, I got it working with something like this:

echo "$title <br> $content";
$sql = "SELECT * FROM `blog`";
$result = mysql_query($sql);
while ($row = mysql_fetch_array($result)) {
    $title = "{$row['title']}";
    print stripslashes($title);
}
$sql = "SELECT * FROM `blog`";
$result = mysql_query($sql) or die('MySQL Error: ' . mysql_error());
while ($row = mysql_fetch_array($result)) {
    $title = "{$row['title']}";
    print stripslashes($title);
    $content = "{$row['content']}";
    print stripslashes($content);
}

So that's the code I got working. Just to tidy up, can anyone think of any other ways to maybe improve it?
Yes. If you want to protect your site, don't echo the errors (don't use mysql_error();). Then, you don't need to use $title = "{$row['title']}";. Simply use $title = stripslashes($row['title']); and the same thing with the content. The third thing would be to use echo instead of print. It's better. Enjoy.
Hey, your PHP installation has magic quotes enabled, so it adds slashes to all the incoming form fields automatically. To fix this issue you will have to strip the slashes once, when the form is submitted, and this way you will avoid calling stripslashes any time you want to show the info; that is, you will only call it once. You will need something like this on top of your form processing script:

if (get_magic_quotes_gpc()) {
    function ___stripslashes($value) {
        // Recurse into nested arrays, and call the built-in on leaf strings
        $value = is_array($value) ? array_map('___stripslashes', $value) : stripslashes($value);
        return $value;
    }
    $_REQUEST = array_map('___stripslashes', $_REQUEST);
    $_COOKIE  = array_map('___stripslashes', $_COOKIE);
    $_POST    = array_map('___stripslashes', $_POST);
    $_GET     = array_map('___stripslashes', $_GET);
}

This will only run if MQ is enabled, so it will make your script more portable...
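The two replies above make the same point from different sides: undo magic quotes exactly once at the entry point, and never print the raw database error to the visitor. The following is an added example that is not code from any poster in this thread; it puts both pieces together with mysqli prepared statements, so there is no mysql_escape_string call, no extra slashes in the table, and therefore no stripslashes needed when the rows are displayed. It assumes the `blog` table from the thread with `id`, `title` and `content` columns; the connection details, and the function names `strip_magic_quotes`, `fail`, `insert_post` and `render_posts`, are placeholders of my own choosing.

```php
<?php
// Added example for this thread; not code from any poster.
// Assumes the `blog` table from the thread (id, title, content) and a
// mysqli connection; host/user/password/database are placeholders.

// 1. Undo magic quotes exactly once, at the entry point, if the
//    installation still has them (the feature was removed in PHP 5.4 and
//    the get_magic_quotes_gpc() function itself is gone in PHP 8).
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// 2. Report failures without printing the database error to the visitor.
function fail(string $detail): void
{
    error_log('blog: ' . $detail);          // full detail stays in the server log
    http_response_code(500);
    exit('Sorry, something went wrong.');   // generic message on the page
}

// 3. Store a post with a prepared statement: the driver sends the text
//    separately from the SQL, so no escaping function is called and no
//    slashes end up in the table.
function insert_post(mysqli $db, string $title, string $content): int
{
    $stmt = $db->prepare('INSERT INTO `blog` (`title`, `content`) VALUES (?, ?)');
    if ($stmt === false) {
        fail('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $title, $content);
    if (!$stmt->execute()) {
        fail('execute failed: ' . $stmt->error);
    }
    return (int) $db->insert_id;
}

// 4. Render rows straight from the table: nothing to strip, because
//    nothing was added. Escape for HTML on the way out instead, so a
//    post containing < or " is shown as text rather than interpreted.
function render_posts(mysqli $db): string
{
    $result = $db->query('SELECT `id`, `title`, `content` FROM `blog`');
    if ($result === false) {
        fail('query failed: ' . $db->error);
    }
    $html = '';
    while ($row = $result->fetch_assoc()) {
        $html .= '<h2>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</h2>';
        $html .= '<p>' . nl2br(htmlspecialchars($row['content'], ENT_QUOTES, 'UTF-8')) . '</p>';
    }
    return $html;
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'cms'); // placeholder credentials
if ($db->connect_error) {
    fail('connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    insert_post($db, $_POST['title'] ?? '', $_POST['content'] ?? '');
}
echo render_posts($db);
```

Calling stripslashes at display time, as the earlier posts do, only hides slashes that are already stored; the approach here keeps them out of the table in the first place. If you are stuck on the old ext/mysql functions (removed in PHP 7.0), the equivalent of the prepared statement is mysql_real_escape_string, which escapes according to the connection's character set, rather than the older mysql_escape_string; either way it should be applied once, right before the INSERT, and never to data that magic quotes has already escaped.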
Hey, well, I've tried doing a similar function to use stripslashes. This is my function:

function strip_slashes($value) {
    $value = stripslashes($value);
    return $value;
}

And to use the function on variables I have done it like this:

strip_slashes($title);

But for some reason it isn't working. Can anyone think what I have done wrong?