Escaping single quotes

Question

Hangfire 4 Junior Poster in Training

14 Years Ago

Hi,
I've got a "contact us" form on my website and naturally i'm trying to guard against sql injection/hacking

The body of the text gets run through the below function, however this means i end up with
How's it going = How\'s it going

Can someone tell me which part of the function causes this and a work around?

Thank you

function check_input($value)
{
	if (get_magic_quotes_gpc())
	{
		$value = trim(stripslashes($value));
	}
	if (!is_numeric($value))
	{
		$value = trim(stripslashes($value));
		$value = mysql_real_escape_string($value);
	}
	return $value;
}

php

2 Contributors
2 Replies
126 Views
6 Hours Discussion Span
Latest Post 14 Years Ago Latest Post by Hangfire

diafol

14 Years Ago

If you're placing this into a db, it should be mysql_real_escape_string(). If you find the quotes are slashed within the db - that's correct. You just stripslash the db output when you want to display the data. I don't really understand the problem.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Hangfire 4 Junior Poster in Training · Answer 1 · 2010-02-19T17:02:00+00:00

Ahhhhh I see, so when stored in a database the slashes are expected. When you display the values you strip the slashes.

So as I'm emailing the results I need to strip the slashes before sending to make it readable.

Thanks, that helped.