I am submitting a form to my MySQL database using PHP.
I am sending the form data through the mysql_real_escape_string($content) function.
When the entry shows up in my database (checking in phpMyAdmin) all of my double quotes and single quotes are escaped.
I'm fairly certain this is a PHP configuration issue?
So:

    $content = 'Hi, my name is Jascha and my "favorite" thing to do is sleep';
    mysql_real_escape_string($content);
    $query = 'INSERT INTO DB...'

comes up in my database as:

    Hi, my name is Jascha and my \"favorite" thing to do is sleep

Who do I tell what to do? (I cannot access the php.ini).
You need to take magic quotes into account when retrieving request data. If get_magic_quotes_gpc() is true, then you need to run stripslashes() on the input. Best way would be to write a function for that. Something like:
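
    // Return the trimmed value at $array[$index], with the slashes added by
    // magic quotes removed when magic_quotes_gpc is on; return $default when
    // the key is missing or the value is empty.
    function get_string($array, $index, $default = null) {
        if (isset($array[$index]) && strlen($value = trim($array[$index])) > 0) {
            return get_magic_quotes_gpc() ? stripslashes($value) : $value;
        } else {
            return $default;
        }
    }
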
..which you can use as

    $input = get_string($_POST, 'input');

..instead of

    $input = $_POST['input'];

Do the same for trivial stuff like get_number(), get_boolean(), get_array() and so on.
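
The double escaping from the question and the effect of the stripslashes() step, as an added example that is not code from either post: it stores the question's sample string once as it would arrive with magic quotes on and once after normalization. It uses PDO bound parameters in place of mysql_real_escape_string() (the mysql_* extension was removed in PHP 7). Assumptions: the pdo_sqlite extension is available, and the names normalize_input, round_trip and the entries table are made up for this illustration.

```php
<?php
// Added example, not code from the original posts.
// Assumptions: pdo_sqlite is available; the "entries" table is made up.

// Undo magic-quotes escaping only when the runtime actually applied it.
// get_magic_quotes_gpc() is gone in PHP 8, hence the function_exists() guard.
function normalize_input($value, $magicQuotesOn = null) {
    if ($magicQuotesOn === null) {
        $magicQuotesOn = function_exists('get_magic_quotes_gpc')
            && @get_magic_quotes_gpc();
    }
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Store one value through a prepared statement and read it back.
function round_trip(PDO $db, $value) {
    $insert = $db->prepare('INSERT INTO entries (content) VALUES (:content)');
    $insert->execute(array(':content' => $value));
    $select = $db->prepare('SELECT content FROM entries WHERE id = :id');
    $select->execute(array(':id' => $db->lastInsertId()));
    return $select->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, content TEXT)');

$original = 'Hi, my name is Jascha and my "favorite" thing to do is sleep';
// Constructed input: what $_POST would hold with magic_quotes_gpc = On.
$fromRequest = addslashes($original);

// Without normalization the added backslashes are stored as data.
$storedRaw = round_trip($db, $fromRequest);
// With normalization the original text survives the round trip.
$storedClean = round_trip($db, normalize_input($fromRequest, true));

var_dump($storedRaw === $fromRequest);
var_dump($storedClean === $original);
echo $storedRaw, "\n", $storedClean, "\n";
```

The second argument to normalize_input() is forced to true here only to simulate a server with magic quotes enabled; in real use it is left out so the runtime setting decides.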