The code below allows the user to enter in a phrase in plain English, which is then added to a database as “$site”. If the user enters in an apostrophe, the phrase is stored with a backslash in front of the apostrophe. How can I get the variable “$site” to be added to the database without backslashes in front of apostrophes?
print "<div class=\"siteadd\">
<form action='process.php?find=$find1' method='post'>
Add a book to this topic: <input name='site' type='text' size='50'>
<input type='submit' value='Submit'>
</form>
</div>";
Then, in process.php:
$site = str_replace($remove_array, "", $_POST['site']);
$site = strtolower($site);
$site = mysql_real_escape_string($site);
$illegal = array("/", "\"");
$site = str_replace($illegal, '', $site);
mysql_query("INSERT INTO `$find` VALUES (NULL, '$site',1,0)");
I assume the backslash is added by PHP for security reasons. Read more about magic quotes. And since you’re using the proper function to escape strings passed to mysql queries, you don’t have to rely on PHP’s dummy escaping.
At the beginning of the script, check if magic_quotes are on, and if so, remove the slashes:
BTW, in your code, $find variable comes from an untrusted source and should be escaped/filtered as well.
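
The following is an added example, not code from the question or the answer above. It sketches the two points the answer makes: undo magic-quotes escaping before storing the value, and do not let request data choose the table name unchecked. It swaps `mysql_real_escape_string` for a PDO prepared statement and uses an in-memory SQLite database so it runs offline; the function names, the topic allowlist and the table layout are assumptions.

```php
<?php
// Added example. raw_input_value(), add_book(), the topic allowlist and
// the table layout are hypothetical; the page does not show the schema.

// Return the value as the user typed it, undoing magic-quotes escaping.
function raw_input_value($value)
{
    // get_magic_quotes_gpc() was removed in PHP 8, so test for it first.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Insert a book title into one of the known topic tables.
function add_book(PDO $db, array $allowedTopics, $topic, $site)
{
    // A table name cannot be bound as a parameter, so it has to match an
    // allowlist exactly before it is placed in the SQL text.
    if (!in_array($topic, $allowedTopics, true)) {
        throw new InvalidArgumentException('Unknown topic');
    }
    $site = strtolower(raw_input_value($site));
    // The title is bound as a parameter: no escaping, no stored backslash.
    $stmt = $db->prepare("INSERT INTO `$topic` VALUES (NULL, ?, 1, 0)");
    $stmt->execute(array($site));
}

// Constructed demo data, using SQLite in memory instead of MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `history` (id INTEGER PRIMARY KEY, site TEXT, a INTEGER, b INTEGER)');
$topics = array('history');

// In process.php these would be $_GET['find'] and $_POST['site'].
add_book($db, $topics, 'history', "Gulliver's Travels");
echo $db->query('SELECT site FROM `history`')->fetchColumn(), "\n";

try {
    // A table name that is not on the allowlist is refused before any SQL runs.
    add_book($db, $topics, 'history` VALUES (NULL, 1, 1, 1) --', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The character stripping the question does with `$remove_array` and `$illegal` is left out here; if it is still wanted, it belongs on the raw value before the statement is executed.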