PHP mysql_real_escape_string() -> stripslashes() leaving multiple slashes

by

Best Solution

In your php.ini file, odds are that the magic_quotes_gpc directive is set to on. This should be disabled for security reasons. If you don’t have access to the php.ini file (eg. on a shared host), you can always accomplish the same using an .htaccess directive (assuming this is an apache server).

In your php.ini

magic_quotes_gpc Off

In an .htaccess file:

php_flag magic_quotes_gpc Off

Why is this happening?

The reason this is happening is due to the following course of logic.

  1. A string that needs escaping is sent to the server.
    • This is my string. It's awesome.
  2. Magic Quotes escapes the apostrophe before it gets to your code.
    • This is my string. It\'s awesome
  3. mysql_real_escape_string now has two characters to escape, the backslash \\ as well as the apostrophe \'.
    • This is my string. It\\\'s awesome
  4. This new super-escaped string is stored in the database.
  5. When the string is retrieved from the database, it get’s passed to stripslashes. This removes the two escapes added in step 3, but since one of the backslashes has been escaped stripslashes thinks it belongs.
    • This is my string. It\'s awesome

This problem can really get out of hand when you re-submit these strings to the database, as each time the number of backslashes multiplies.

Alternative Solution

A quick-and easy alternative would be to simply remove the slashes added by magic_quotes before passing the string to mysql_real_escape_string. 

$str = stripslashes($_POST['str']);
$str = mysql_real_escape_string($str);

More Related Contents:

  1. Why is PDO better for escaping MySQL queries/querystrings than mysql_real_escape_string?
  2. Shortcomings of mysql_real_escape_string?
  3. Alternative to mysql_real_escape_string without connecting to DB
  4. mysql_escape_string VS mysql_real_escape_string
  5. Do I have to use mysql_real_escape_string if I bind parameters?
  6. Should I use mysqli_real_escape_string or should I use prepared statements? [duplicate]
  7. Convert seconds into days, hours, minutes and seconds
  8. How to fix “Headers already sent” error in PHP
  9. How to remove accents and turn letters into “plain” ASCII characters? [duplicate]
  10. Simple example to post to a Facebook fan page via PHP?
  11. Transform relative path into absolute URL using PHP
  12. how to replace a particular line in a text file using php?
  13. What’s the difference between ‘isset()’ and ‘!empty()’ in PHP?
  14. What is the default lifetime of a session?
  15. Get the first N elements of an array?
  16. How to install ffmpeg for PHP
  17. Regexp to add attribute in any xml tags
  18. PHP POST not working
  19. “slash before every quote” problem [duplicate]
  20. Remove index.php?route=common/home from OpenCart
  21. Split alphanumeric string between leading digits and trailing letters
  22. How to determine the memory footprint (size) of a variable?
  23. PHP: How can I block direct URL access to a file, but still allow it to be downloaded by logged in users?
  24. ERROR 403 in loading resources like CSS and JS in my index.php
  25. How to get page number on dompdf PDF when using “view”
  26. Mysql password expired. Can’t connect
  27. Get Start and End Days for a Given Week in PHP
  28. display only 3 foreach result per row
  29. How do I get the byte values of a string in PHP?
  30. PHP using Declare ? What is a tick?

Leave a Comment