Tags: php, mysql-real-escape-string, magic-quotes-gpc

Quote and slash issue in PHP


Every time I try to update my textarea and I add a quote " inside the textarea, after I update I get 1 \, I update again and I get 3 slashes \\\, again 5 slashes, and so on. I tried adding the 3 codes to php.ini to disable magic quotes, but nothing:

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

I also added them in the root folder and the folder where the file is located. I also tried example 2 and the first comment from https://www.php.net/manual/en/security.magicquotes.disabling.php and still nothing.

This is my code:

PHP

$username=$_SESSION['username'];
$viewtopic = $_GET['viewtopic'];
if ($_POST['edit'] && strip_tags($_POST['topictext'])){
  $viewtopic = $_POST['id'];
  $topictext=mysql_real_escape_string(strip_tags($_POST['topictext']));
  $title=mysql_real_escape_string(strip_tags($_POST['title']));
  mysql_query("UPDATE topics SET topictext=".quote_smart($topictext).", title=".quote_smart($title)." WHERE id=".quote_smart($viewtopic)."");
  echo "You have updated your topic!";
}

HTML

<textarea name="topictext" rows="2" cols="20" id="main_tbContent" class="TextBox" style="height:128px;width:99%;"><? echo str_replace("\\r\\n","\r\n",$rows['topictext']); ?></textarea><br />

Solution

  • Okay, in my code for my database entries, this is what I do. Let me start by saying that I always send via the POST method to avoid browser URL complications.

    When I get the POST data, this is my code.

        $ID = 1;
        $DATA = htmlentities(addslashes($_POST['data']));
        $FIELD = 'lifename'; // column name as a quoted string, not a bare constant
        $DBQUERY = "UPDATE `lifetable` SET `$FIELD` = '$DATA' WHERE `id` = $ID";
        $DBRESULT = $MYSQLI->query($DBQUERY);
    

    When I ask for the information back in a select query, I do not do anything special, all I do is a normal fetch_assoc or fetch_array with no functions at all. This always works for both input values and textareas.

    This should be yours:

    mysql_query("UPDATE topics SET topictext='".htmlentities(addslashes($topictext))."', title='".htmlentities(addslashes($title))."' WHERE id='$viewtopic'");
    

    And do not forget your single quotes when passing text data as a value in MySQL. I added them.

    I am currently using this on my local site.

    Also, please remove all instances of mysql_real_escape_string functions.
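
An added example, not part of the original question or answer: the same update done with PDO placeholders and `htmlspecialchars()` at output time, so a quote survives repeated edit/save cycles unchanged, followed by the pitfall of escaping a value that is also bound. It assumes the `pdo_sqlite` extension, with an in-memory SQLite table standing in for the MySQL `topics` table; the helper names `save_topic`, `load_topic_text` and `textarea_html` are hypothetical.

```php
<?php
// Assumption: SQLite in memory stands in for the MySQL `topics` table so the
// script runs offline; the PDO calls are the same with a mysql: DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE topics (id INTEGER PRIMARY KEY, title TEXT, topictext TEXT)');
$pdo->exec("INSERT INTO topics (id, title, topictext) VALUES (1, 'first', '')");

// Store the submitted text exactly as typed: placeholders carry the values,
// so nothing is escaped by hand before binding.
function save_topic(PDO $pdo, int $id, string $title, string $text): void
{
    $stmt = $pdo->prepare('UPDATE topics SET title = :title, topictext = :text WHERE id = :id');
    $stmt->execute([':title' => $title, ':text' => $text, ':id' => $id]);
}

function load_topic_text(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT topictext FROM topics WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Encode only at output time, for the HTML context of the <textarea>.
function textarea_html(string $text): string
{
    return '<textarea name="topictext">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</textarea>';
}

// Constructed sample input: a quote, an apostrophe, a backslash and markup.
$typed = "She said \"it's C:\\temp\" <b>ok</b>";

// Three edit/save cycles: load the stored text, re-submit it, save again.
save_topic($pdo, 1, 'first', $typed);
for ($i = 0; $i < 3; $i++) {
    save_topic($pdo, 1, 'first', load_topic_text($pdo, 1));
}
echo 'round trip intact: ', var_export(load_topic_text($pdo, 1) === $typed, true), "\n";
echo textarea_html($typed), "\n";

// Pitfall: escaping a value that is also bound stores the backslashes themselves.
$bad = '"';
for ($i = 0; $i < 3; $i++) {
    save_topic($pdo, 1, 'first', addslashes($bad));
    $bad = load_topic_text($pdo, 1);
}
echo 'length after escaping before binding: ', strlen($bad), "\n";
```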