Can someone help me store a string that has an apostrophe within it? I thought that using mysql_real_escape_string was supposed to add a slash when retrieving, but remove the slash before storing. Here is a portion of my code and then also the result of the data after it is stored:

$deceasedname = mysql_real_escape_string($_POST['deceasedname']);
$condolences = mysql_real_escape_string($_POST['condolences']);
$fname = mysql_real_escape_string($_POST['fname']);
$lname = mysql_real_escape_string($_POST['lname']);

echo '<html><head><title>Condolence Request</title></head><body>
    <h2>Condolence Submission on:</h2><p> ' . date("h:i, jS F") . '</p>
    <p>New Condolence Request</p>
    <table>
    <tr><td>Name of Contributor:</td><td>' . $fname . $lname . '</td></tr>
    <tr><td>Name of Deceased:</td><td>' . $deceasedname . '</td></tr>
    <tr><td>Condolence: </td><td>' . $condolences . '</td></tr>
    <tr><td>View from:</td><td><a href="http://diehlfuneralhome.com/admin/adminpages/forms/condolenceDisplay.php">Administrative pages</a></td></tr>
    </table></body></html>';

After submitting the information with the name Anna O'Connell, here is the result:

Name of Deceased: Anna O\\\'Connell

I would like to display the name as i t

All 7 Replies

The mysql_real_escape_string function is intended to be used when you include a variable in an SQL statement. You are just displaying the result. That is why you are shown a value with the extra slashes.

The stripslashes function is the one that removes the slashes.

I thank you for this information, but I still have one slash. This is before:

Name of Contributor: O\\\'Donnel
Name of Deceased: Henry O\\\'Brien
Condolence: Don\\\'t know

And this is after I add the stripslashes function:

Name of Contributor: O\'Donnel
Name of Deceased: Henry O\'Brien
Condolence: Don\'t know

The mystery to me is that when I look in my database I see that the stored value only contains one backslash. I am thoroughly confused ????

Are you perhaps using the escape twice before storing the value in the db? The slash shouldn't be in there.

Maybe you can see something that I am missing. Here is my complete PHP code:

<?php require_once('../../Connections/diehl.php'); 
// connect and select to database
mysql_select_db($database_diehl, $diehl);

$deceasedname = mysql_real_escape_string($_POST['deceasedname']);
$condolences = mysql_real_escape_string($_POST['condolences']);
$fname = mysql_real_escape_string($_POST['fname']);
$lname = mysql_real_escape_string($_POST['lname']);
$address = mysql_real_escape_string($_POST['address']);
$city = mysql_real_escape_string($_POST['city']);
$state = mysql_real_escape_string($_POST['state']);
$zip = mysql_real_escape_string($_POST['zip']);
$email = mysql_real_escape_string($_POST['email']);
$phone = mysql_real_escape_string($_POST['phone1'])."-";
$phone .= mysql_real_escape_string($_POST['phone2'])."-";
$phone .= mysql_real_escape_string($_POST['phone3']);
$phone1 = mysql_real_escape_string($_POST['phone1']);
$phone2 = mysql_real_escape_string($_POST['phone2']);
$phone3 = mysql_real_escape_string($_POST['phone3']);
$submit = mysql_real_escape_string($_POST['send']);

$sql="INSERT INTO condolences (deceasedname, condolences, fname, lname, address, city, state, zip, email, phone, request_pk) VALUES ('$deceasedname','$condolences','$fname','$lname','$address','$city','$state','$zip','$email','$phone','$request_pk')"; 
if (!mysql_query($sql,$diehl)) {
 die('Error: ' . mysql_error()); 
} 

mysql_close($diehl);

// Prepare Message Body

echo '<html><head><title>Condolence Request</title></head><body>
    <h2>Condolence Submission on:</h2><p> ' . date("h:i, jS F") . '</p>
    <p>New Condolence Request</p>
    <table>
    <tr><td>Name of Contributor:</td><td>' . $fname . stripslashes($lname) . '</td></tr>
    <tr><td>Name of Deceased:</td><td>' . stripslashes($deceasedname) . '</td></tr>
    <tr><td>Condolence: </td><td>' . stripslashes($condolences) . '</td></tr>
    <tr><td>View from:</td><td><a href="http://diehlfuneralhome.com/admin/adminpages/forms/condolenceDisplay.php">Administrative pages</a></td></tr>
    </table></body></html>';

// Redirect user to success page
header("Location: ../../../successCondolence.php?name=" . $_POST['fname'] . " " . $_POST['lname']);

?>

Thanks in advance for any help!

Hey.

Perhaps your server has the magic_quotes feature enabled?
If you don't know, create a PHP file that contains only: <?php phpinfo(); ?> and look for magic_quotes_gpc in the output it generates.

If it is enabled, it will add extra slashes to quote-marks and back-slashes. A good way to nullify this effect is to add this to the top of your scripts:

if(get_magic_quotes_gpc()) {
    foreach($_POST as &$_elem) {
        $_elem = stripslashes($_elem); // undo the slashes magic_quotes_gpc added on the way in
    }
    unset($_elem); // drop the reference, otherwise a later write to $_elem would overwrite the last POST field
}

That will put them into their original state.


Also, keep in mind that the mysql_real_escape_string function is only meant to be used on data that is to be inserted into a MySQL query. Using it on data that is going into a HTML page is not a good idea, because the function escapes more than just quotes.

A better way is to use the htmlentities function on data that is going into a HTML page:

<?php
$sqlData = array();
$htmlData = array();

// Escape each field once per destination: one copy for the SQL statement, one for the HTML page
foreach($_POST as $_name => $_field) {
    $sqlData[$_name] = mysql_real_escape_string($_field);
    $htmlData[$_name] = htmlentities($_field, ENT_QUOTES); // See the third parameter in the manual if using UTF-8
}

$sql = "INSERT INTO stuff VALUES ('{$sqlData['field1']}', '{$sqlData['field2']}')";

$html =<<<HTML
<!DOCTYPE html>
<html>
    <head><title>{$htmlData['title']}</title></head>
    <body>
        <h1>{$htmlData['h1']}</h1>
        <p>{$htmlData['firstParagraph']}</p>
    </body>
</html>
HTML;
?>

Get my meaning?

P.S.
That's just an example. In a real-life situation, escaping all POST fields for both SQL and HTML would be wasteful.
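The script below is an added example, not code from the thread. It reproduces the three things the question reports (three backslashes in the echoed name, one left after stripslashes, one in the database row) with the page's own input "Anna O'Connell", and then shows the escape-once-per-destination pipeline described in the first reply and in the answer above. Assumptions: PHP 7.4 or later (the mysql_* functions no longer exist); addslashes() stands in for both magic_quotes_gpc and mysql_real_escape_string, which produce the same bytes for the only special characters in play here (apostrophe and backslash); the last part needs the pdo_sqlite extension and uses an in-memory SQLite table in place of the OP's MySQL condolences table. The helper names are mine.

```php
<?php
// Added example (not from the original thread). Assumes PHP 7.4+;
// addslashes() stands in for magic_quotes_gpc / mysql_real_escape_string.
declare(strict_types=1);

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Stand-in for mysql_real_escape_string (same output for ' and \, no connection needed).
function escapeForSqlLiteral(string $s): string
{
    return addslashes($s);
}

// What MySQL stores after parsing a backslash-escaped literal: \' becomes '
// and \\ becomes \ , which is exactly the transformation stripslashes() applies.
function valueMysqlStores(string $escapedLiteral): string
{
    return stripslashes($escapedLiteral);
}

$name = "Anna O'Connell";   // constructed form input, as typed by the user

// --- The broken pipeline from the thread ----------------------------------
$afterMagicQuotes = addslashes($name);                       // Anna O\'Connell   (magic_quotes_gpc)
$escapedTwice     = escapeForSqlLiteral($afterMagicQuotes);  // Anna O\\\'Connell (escaped again)
check($escapedTwice === "Anna O\\\\\\'Connell", 'echoing the escaped variable shows three backslashes');
check(stripslashes($escapedTwice) === "Anna O\\'Connell", 'one stripslashes() still leaves one backslash');
check(valueMysqlStores($escapedTwice) === "Anna O\\'Connell", 'the database row keeps one backslash');

// --- The fixed pipeline: escape once, per destination ---------------------
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $name = stripslashes($name);   // only relevant on PHP < 5.4, where magic_quotes still exists
}

$forSql = escapeForSqlLiteral($name);                       // Anna O\'Connell, put in the INSERT once
check(valueMysqlStores($forSql) === $name, 'the table holds the text exactly as typed');

$forHtml = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');    // Anna O&#039;Connell, safe inside a <td>
check($forHtml === 'Anna O&#039;Connell', 'HTML escaping encodes the apostrophe, adds no backslash');

// The redirect in the OP's script concatenates raw $_POST values into a URL;
// a query-string value needs URL encoding, not SQL or HTML escaping.
$contributor = "Mary O'Donnel";                              // constructed input
$location    = '../../../successCondolence.php?name=' . rawurlencode($contributor);
check($location === '../../../successCondolence.php?name=Mary%20O%27Donnel', 'URL encoding for the redirect');

// --- Or avoid SQL escaping altogether: prepared statements ------------------
// In-memory SQLite stands in for the MySQL table (assumes the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE condolences (deceasedname TEXT NOT NULL)');
$stmt = $pdo->prepare('INSERT INTO condolences (deceasedname) VALUES (:deceasedname)');
$stmt->execute([':deceasedname' => $name]);                 // the value never becomes part of the SQL text
$stored = $pdo->query('SELECT deceasedname FROM condolences')->fetchColumn();
check($stored === $name, 'prepared statement round-trips the apostrophe untouched');

echo "echoed by the OP's script: $escapedTwice\n";
echo "stored by MySQL:           " . valueMysqlStores($escapedTwice) . "\n";
echo "fixed, in the database:    $stored\n";
echo "fixed, in the HTML page:   $forHtml\n";
```

Run it with `php example.php`; every check() passes silently and the four lines at the end show the before and after. The point of the first block is that the extra backslashes the question saw were never added by MySQL at all: magic_quotes put one in before the script ran, mysql_real_escape_string doubled it, and the database faithfully stored what it was handed. The second block is what the answer recommends, one escape per destination, and the prepared statement at the end removes the SQL escape from the script entirely, so there is nothing left to apply twice. Note also that header() has to be called before the script echoes any HTML, otherwise the redirect is never sent.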

Thank you soooo much for this information. My script is working properly now! :)

That's good to hear.
I'm glad I could help :)
