Reputation: 1524
When I try to run this code:
<?php
$str = "Patty O'Furniture";
if(get_magic_quotes_gpc())
echo stripslashes($str);
?>
the output is Patty O'Furniture,
but when I try to run this code (uploading data into a database table):
<?php
if ($_FILES['csv']['size'] > 0) {
    // get the uploaded csv file
    $file = $_FILES['csv']['tmp_name'];
    $handle = fopen($file, "r");
    // loop through the csv file and insert each row into the database
    // (read a row before testing it, so $data is defined on the first pass)
    while (($data = fgetcsv($handle, 1000, ",", "'")) !== false) {
        if ($data[0]) {
            if (get_magic_quotes_gpc())
                mysql_query("INSERT INTO sms_recipient (store_id, recipient_name, recipient_phone) VALUES
                (
                '".$login_id."',
                '".stripslashes($data[0])."',
                '".stripslashes($data[1])."'
                )
                ");
        }
    }
    fclose($handle);
}
?>
the output is only Patty O (see screenshot).
I'm not sure why stripslashes isn't working when I try to save the data into the database.
Upvotes: 0
Views: 1234
Reputation: 17487
What you are seeing is the basis for SQL injection. Your input is not escaped at all once you remove the slashes. Imagine what would happen if an attacker provided an input string that closed your query and began a new one with '; UPDATE users SET password WHERE username="admin"?
At the very least, you need to escape your input with mysql_real_escape_string, but really you need to stop using the mysql extension. Use prepared statements of the mysqli extension instead.
Upvotes: 0
Reputation: 207861
Because you're undoing what magic_quotes is trying to do.
When magic_quotes are on, all ' (single quote), " (double quote), \ (backslash) and NUL characters are escaped with a backslash automatically.
So you're removing the backslashes via stripslashes that are being added, and shorting the query when it hits the ' in O'Furniture.
Upvotes: 1
Reputation: 3997
Use the mysql_real_escape_string() function instead of stripslashes(), or better, avoid the mysql_* functions altogether and use mysqli or PDO.
Upvotes: 0
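The following is an added example, not code from the question or from any of the answers above. It shows the two points the answers make: first, what SQL the string-building approach actually sends once a field contains a single quote (the literal closes early, so "Patty O'Furniture" becomes a syntax error and a crafted field becomes attacker-controlled SQL); second, the prepared-statement import that the later answers recommend, which keeps every CSV field as data. Two caveats worth knowing: magic_quotes_gpc only ever applied to GET, POST and COOKIE input, never to a file read from disk, so stripslashes() on CSV fields was never the right tool; and get_magic_quotes_gpc() was removed in PHP 8. The example uses PDO with an in-memory SQLite database so it runs offline; the table name and columns follow the question, while the DSN, the CSV contents, $loginId and the function name buildUnsafeQuery are assumptions made for the example (for MySQL, replace the DSN with a mysql: one, the rest is unchanged).

```php
<?php
// Added example (not from the question or any answer above).
// Contrasts string-built SQL with a PDO prepared statement on CSV input
// that contains a single quote. Runs offline against in-memory SQLite;
// the DSN, sample rows and $loginId are assumptions for this example.
declare(strict_types=1);

// Constructed sample CSV, standing in for $_FILES['csv']['tmp_name'].
// Row 3 is a deliberately hostile name: it closes the quoted literal and
// appends its own statement. The trailing "--" comments out the rest.
$csv = "Patty O'Furniture,555-0100\n"
     . "Bob,555-0101\n"
     . "x'); DELETE FROM sms_recipient; --,555-0102\n";
$loginId = 42; // stands in for $login_id from the question (assumed value)

// The question's approach: concatenate fields into the SQL text.
// This function only builds the string; it is never executed here.
function buildUnsafeQuery(int $storeId, string $name, string $phone): string
{
    return "INSERT INTO sms_recipient (store_id, recipient_name, recipient_phone) VALUES "
         . "('" . $storeId . "', '" . stripslashes($name) . "', '" . stripslashes($phone) . "')";
}

// The recommended approach: a prepared statement with bound parameters.
// Values are sent separately from the SQL text, so a quote in a field
// can never terminate the literal or change the statement.
$pdo = new PDO('sqlite::memory:'); // assumption: swap for a mysql: DSN in production
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sms_recipient (store_id INTEGER, recipient_name TEXT, recipient_phone TEXT)');

$stmt = $pdo->prepare(
    'INSERT INTO sms_recipient (store_id, recipient_name, recipient_phone) VALUES (:store, :name, :phone)'
);

// Read the constructed CSV through a stream, exactly as fopen() on the
// uploaded temp file would be read. Enclosure is the standard double quote,
// so an apostrophe inside a field is ordinary data.
$handle = fopen('php://memory', 'r+');
fwrite($handle, $csv);
rewind($handle);

while (($data = fgetcsv($handle, 1000, ',', '"')) !== false) {
    if ($data[0] === null || $data[0] === '') {
        continue; // blank line
    }
    $name  = $data[0];
    $phone = $data[1] ?? '';

    // What the string-built version would have sent to the server.
    echo "unsafe SQL would be: " . buildUnsafeQuery($loginId, $name, $phone) . "\n";

    // What we actually run: the same SQL template every time, data bound by name.
    $stmt->execute([':store' => $loginId, ':name' => $name, ':phone' => $phone]);
}
fclose($handle);

// All three rows are stored verbatim, the hostile one included, as plain text.
foreach ($pdo->query('SELECT store_id, recipient_name, recipient_phone FROM sms_recipient') as $row) {
    printf("%d | %s | %s\n", $row['store_id'], $row['recipient_name'], $row['recipient_phone']);
}
```

Run it with the php CLI and compare the two outputs for the first row: the unsafe string contains 'Patty O'Furniture', which MySQL parses as the literal 'Patty O' followed by a stray identifier, while the prepared statement stores the full name. The third row shows the injection case from the first answer: the built string ends the VALUES list after 'x' and continues with DELETE FROM sms_recipient, whereas the bound version simply inserts that text as a recipient name. With mysqli the shape is the same: prepare() the templated INSERT once, then bind_param() and execute() per row.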