Bile 10 Newbie Poster

-I have some codes written in native mysql and so I've been working on changing Myself to mysqli (I managed the procedural way and so I decided to Move forward with OOP ways) and came across the use of Prepare Function.
-Now the problem is I have a page where I can retrieve My Profile Information for Update. The Function For retrieval is this one:

private function Profile_Information($MySqli,$Full_Name,$Gender,$idDetail,$Image_Name)
        {
        $Sql="SELECT Birth_Date,Education,Mobile_Number,Email_Address,Postal_Address,Physical_Address,Company_Name,Title,Personal_Bio FROM  user_profile WHERE idDetail=?";
        $Query=$MySqli->prepare($Sql);
        $Query->bind_param("i",$idDetail);
        $Query->execute();
        $Query->bind_result($Birth_Date,$Education,$Mobile_Number,$Email_Address,$Postal_Address,$Physical_Address,$Company_Name,$Title,$Personal_Bio);
        $Find=$Query->fetch();

            /*
            I'LL ONLY EXPLAIN THE FOLLOWING LINE AND THAT IS WHAT IS DONE ALL THE WAY
            THE RESULTS OF $Query->bind_result() FOR EXAMPLE $Full_Name IS ASSIGNED TO 
            MY INPUT FIELD txtFull_Name IN AN ARRAY GLOBAL VARIABLE $_REQUEST[""] AND TO
            A DECLARED PUBLIC VARIABLE $this->Full_Name,SO THE INPUT FIELD ON MY PAGE WILL
            HOLD THE RESULTING USER $Full_Name FROM THE DATABASE
            */
            $this->Full_Name=$_REQUEST["txtFull_Name"]=$Full_Name;
            $this->Gender=$Gender;
            $this->Image_Name=$_REQUEST["User_Picture"]=$Image_Name;

            if($Find)
            {
                if($Birth_Date=="")
                {
                $this->Birth_Date="<i style='color:#F00'>Consider giving Your Birth Date</i>";
                }
                elseif($Birth_Date!="")
                {
                $Day=date("d",strtotime($Birth_Date));
                $Month=date("m",strtotime($Birth_Date));
                $Year=date("Y",strtotime($Birth_Date));
                /*The Month_Interpretor() is defined already so No worries*/
                $Month_Name=$this->Month_Interpretor($Month);
                $this->Birth_Date=$Day." ".$Month_Name." - ".$Year;
                $_REQUEST["txtBirth_Date"]=date("m/d/Y",strtotime($Birth_Date));
                }

                if($Education=="")
                {
                $this->Education="<i style='color:#F00'>Consider giving Your Education Information</i>";
                }
                elseif($Education!="")
                {
                /*THIS IS THE INTERESTING PART I USED THE stripslashes() JUST IN CASE
                THERE ARE SPECIAL CHARACTERS LIKE ' WITH THE ADDED SLASHES*/
                $this->Education=$_REQUEST["txtEducation"]=stripslashes($Education);
                }

                if($Mobile_Number=="")
                {
                $this->Mobile_Number="<i style='color:#F00'>Consider giving Your Mobile Number Contacts</i>";
                }
                elseif($Mobile_Number!="")
                {
                $this->Mobile_Number=$_REQUEST["txtMobile_Number"]=$Mobile_Number;
                }

                if($Email_Address=="")
                {
                $this->Email_Address="<i style='color:#F00'>Consider giving Your Email Address</i>";
                }
                elseif($Email_Address!="")
                {
                $this->Email_Address=$_REQUEST["txtEmail"]=$Email_Address;
                }


                if($Postal_Address=="")
                {
                $this->Postal_Address="<i style='color:#F00'>Consider giving Your Postal Address</i>";
                }
                elseif($Postal_Address!="")
                {
                $this->Postal_Address=$_REQUEST["txtPostal_Address"]=$Postal_Address;
                }

                if($Physical_Address=="")
                {
                $this->Physical_Address="<i style='color:#F00'>Consider giving Your Physical Address</i>";
                }               
                elseif($Physical_Address!="")
                {
                $this->Physical_Address=$_REQUEST["txtPhysical_Address"]=$Physical_Address;
                }

                if($Company_Name=="")
                {
                $this->Company_Name="<i style='color:#F00'>Consider giving the Company You work for</i>";
                }                               
                elseif($Company_Name!="")
                {
                $this->Company_Name=$_REQUEST["txtCompany_Name"]=$Company_Name;
                }

                if($Title=="")
                {
                $this->Title="<i style='color:#F00'>Consider giving the Title of Your Job</i>";
                }           
                elseif($Title!="")
                {
                $this->Title=$_REQUEST["txtJob_Title"]=$Title;
                }

                if($Personal_Bio=="")
                {
                $this->Personal_Bio="Consider giving Your Personal Bio";
                }
                elseif($Personal_Bio!="")
                {
                /*THIS IS THE INTERESTING PART I USED THE stripslashes() JUST IN CASE
                THERE ARE SPECIAL CHARACTERS LIKE ' WITH THE ADDED SLASHES*/
                $this->Personal_Bio=$_REQUEST["txtPersonal_Bio"]=stripslashes($Personal_Bio);
                }
            }
            else
            {
            $this->Birth_Date=$this->Education=$this->Mobile_Number=$this->Email_Address=$this->Postal_Address=$this->Physical_Address=$this->Company_Name=$this->Title="<i style='color:#F00'>Consider giving this Information</i>";
            $this->Personal_Bio=$this->Full_Name."'s Personal Bio is not set yet";
            }

        $Query->close();
        }

Now suppose I Only Change the Name and leave all other Values as they are, and it happened that in My Education there is a statement like: My College's name is Daniweb. If I post this to Update Only the name, the Education and Personal Bio's Special characters are added with Slashes and when I retrieve again the value becomes like this: My College\'s name is Daniweb. And this persists for every update process despite having My Inputs checked and sanitized with this Function:

public function Purifier($MySqli,$Form_Input) 
{
$Form_Input = trim($Form_Input);
$Form_Input = stripslashes($Form_Input);
$Form_Input = htmlspecialchars($Form_Input);
$Form_Input = $MySqli->real_escape_string($Form_Input);
/* $Form_Input = filter_input(INPUT_POST,$Form_Input, FILTER_SANITIZE_SPECIAL_CHARS); */
return $Form_Input;
}

Which is called here with this Update Function:

private function User_Profile_Updator($MySqli,$idDetail,$Page,$Profile_Operation,$dbDetails_Changes,$dbImage_Changes)
        {
        $Input_Purifier=new Securities_Set();

        /*DON'T MENTION OTHER VARIABLES NOT BEING USED IN Sql I REDUCED THE LOAD*/

        $this->Personal_Bio=$Input_Purifier->Purifier($MySqli,$_POST["txtPersonal_Bio"]);
        $Full_Name=$Input_Purifier->Purifier($MySqli,$_POST["txtFull_Name"]);
        $this->Gender=$Input_Purifier->Purifier($MySqli,$_POST["Gender"]);
        $this->Birth_Date=$Input_Purifier->Purifier($MySqli,$_POST["txtBirth_Date"]);
        $this->Education=$Input_Purifier->Purifier($MySqli,$_POST["txtEducation"]);
        $this->Mobile_Number=$Input_Purifier->Purifier($MySqli,$_POST["txtMobile_Number"]);
        $this->Email_Address=$Input_Purifier->Purifier($MySqli,$_POST["txtEmail"]);
        $this->Postal_Address=$Input_Purifier->Purifier($MySqli,$_POST["txtPostal_Address"]);
        $this->Physical_Address=$Input_Purifier->Purifier($MySqli,$_POST["txtPhysical_Address"]);
        $this->Company_Name=$Input_Purifier->Purifier($MySqli,$_POST["txtCompany_Name"]);
        $this->Title=$Input_Purifier->Purifier($MySqli,$_POST["txtJob_Title"]);

        $Sql="UPDATE user_profile SET Birth_Date=?,Education=?,Mobile_Number=?,Email_Address=?,Postal_Address=?,Physical_Address=?,
                                      Company_Name=?,Title=?,Personal_Bio=? WHERE idDetail=?";
        $Query=$MySqli->prepare($Sql);
        $Query->bind_param("sssssssssi",$this->Birth_Date,$this->Education,$this->Mobile_Number,$this->Email_Address,$this->Postal_Address,$this->Physical_Address,$this->Company_Name,$this->Title,$this->Personal_Bio,$idDetail);
        $Query->execute();
        $dbUser_Profile_Changes=$Query->affected_rows;

            if($dbUser_Profile_Changes!=0 && $dbUser_Profile_Changes!=-1)
            {
            $Query->close();
            }
    }

So that's it. How can I get control of those Slashes?...
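
Added example, not part of the original post: a bound parameter is stored exactly as passed, so applying the Purifier() steps before bind_param() writes the escape characters into the row itself. SQLite in memory through PDO stands in for the MySQL server and addslashes() for real_escape_string(); both substitutions and the helper names are assumptions made so it runs without a database server.

```php
<?php
// Added example. Assumptions: PDO + SQLite in memory replace mysqli + MySQL,
// and addslashes() replaces mysqli::real_escape_string().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_profile (idDetail INTEGER PRIMARY KEY, Education TEXT)');
$db->exec('INSERT INTO user_profile (idDetail, Education) VALUES (1, NULL)');

// Same steps as Purifier(): escaping meant for SQL built by string concatenation.
function purifier_like(string $input): string
{
    $input = trim($input);
    $input = stripslashes($input);
    $input = htmlspecialchars($input);
    return addslashes($input); // stand-in for real_escape_string()
}

function save_education(PDO $db, int $id, string $value): void
{
    $stmt = $db->prepare('UPDATE user_profile SET Education = ? WHERE idDetail = ?');
    $stmt->bindValue(1, $value, PDO::PARAM_STR); // stored byte for byte
    $stmt->bindValue(2, $id, PDO::PARAM_INT);
    $stmt->execute();
}

function load_education(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT Education FROM user_profile WHERE idDetail = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    return (string) $stmt->fetchColumn();
}

$posted = "My College's name is Daniweb"; // constructed form input

// 1) Escape, then bind: the backslash (or an HTML entity, depending on the
//    htmlspecialchars() default flags of the PHP version) becomes part of the data.
save_education($db, 1, purifier_like($posted));
echo 'escaped then bound: ', load_education($db, 1), PHP_EOL;

// 2) Bind the raw value: the placeholder already keeps it out of the SQL text.
save_education($db, 1, trim($posted));
$stored = load_education($db, 1);
echo 'bound raw:          ', $stored, PHP_EOL;

// 3) Encode for HTML only at the point the value is written into the page.
echo 'for HTML output:    ', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```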
