Reputation: 172
PHP Delimiting Quotation marks
I'm working on a PHP comment system and came across the problem that the commentator's quotation marks are delimited when written to the comment file, so the output would end up like this for example: "That is your father\'s! It\'s special to him!" (random sentence). How do I disable this?
Upvotes: 0
Views: 135
Answers (4)
Reputation: 104110
Those backslashes are there to escape the quotation marks from the SQL engine.
That style of programming is quite common with the mysql_* series of functions which take a string directly from the program and execute it directly in the database engine. This is notoriously prone to SQL injection attacks and, as you've discovered, corrupting your data. (When applied consistently, you can always de-corrupt the data on the way back to the user, with the stripslashes() function, but that also must be done consistently.)
The far better approach in my humble opinion is to use prepared statements and let the database libraries insert data directly into the database without any escaping or un-escaping involved. This also completely removes the risk of SQL injection attacks. (Though you're still free to write insecure code.)
Upvotes: 0
Reputation: 1254
It depends on version of PHP and it's configuration. Older versions (older than 5.3) had this enabled by default. It adds the quotes when you post your comment (so it will be stored in the database with the quotes). You can disable this behavior:
http://cz.php.net/manual/en/function.get-magic-quotes-gpc.php
http://cz.php.net/manual/en/function.set-magic-quotes-runtime.php
http://cz.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
For existing comments, you'll have to run some cleanup script that will fetch all rows, performs stripslashes() on it and save it back.
Escaping your queries should be done by mysql_real_escape() anyway, relying on magic quotes is suicide, so if you think about it, it's safer to turn them off completely and escape the queries manually.
Upvotes: 1
Reputation:
The backslashes are added to the database query to prevent SQL injection. You can use the stripslashes() function to remove them when you retrieve the comments from the database.
You should also take a look at magic quotes.
Upvotes: 1
Related Questions
- How to securely use delimited values from a string in an SQL query's WHERE IN condition?
- Escaping quotation marks in PHP
- php quotation mark is not working
- Using multiple quotations in PHP codes
- php echo quotation marks error
- Remove quotation marks from variable
- php apostrophe and quotations
- Complicated case of escaping quotation marks
- php single and double quotes
- php quotation strip