Hi,
I've got a "contact us" form on my website and naturally i'm trying to guard against sql injection/hacking

The body of the text gets run through the below function, however this means i end up with
How's it going = How\'s it going

Can someone tell me which part of the function causes this and a work around?

Thank you

function check_input($value)
{
	if (get_magic_quotes_gpc())
	{
		$value = trim(stripslashes($value));
	}
	if (!is_numeric($value))
	{
		$value = trim(stripslashes($value));
		$value = mysql_real_escape_string($value);
	}
	return $value;
}
Member Avatar for diafol

If you're placing this into a db, it should be mysql_real_escape_string(). If you find the quotes are slashed within the db - that's correct. You just stripslash the db output when you want to display the data. I don't really understand the problem.

Ahhhhh I see, so when stored in a database the slashes are expected. When you display the values you strip the slashes.

So as I'm emailing the results I need to strip the slashes before sending to make it readable.

Thanks, that helped.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.