Hi,
I've got a "contact us" form on my website and naturally I'm trying to guard against SQL injection/hacking.

The body of the text gets run through the below function, however this means I end up with
How's it going = How\'s it going

Can someone tell me which part of the function causes this and a workaround?

Thank you

function check_input($value)
{
	// Undo the automatic backslashes that older PHP adds to GET/POST data
	// when magic_quotes_gpc is on.
	if (get_magic_quotes_gpc())
	{
		$value = trim(stripslashes($value));
	}
	if (!is_numeric($value))
	{
		// Note: with magic quotes on this strips slashes a second time,
		// which would also remove a backslash the user typed on purpose.
		$value = trim(stripslashes($value));
		// This is the call that turns How's into How\'s: it backslash-escapes
		// quotes so the value is safe inside a quoted SQL string literal.
		$value = mysql_real_escape_string($value);
	}
	return $value;
}
2 Contributors, 2 Replies, 3 Views, 7 Years Discussion Span, Last Post by Hangfire
If you're placing this into a db, it should be mysql_real_escape_string(). If you find the quotes are slashed within the db - that's correct. You just stripslashes the db output when you want to display the data. I don't really understand the problem.

Ahhhhh I see, so when stored in a database the slashes are expected. When you display the values you strip the slashes.

So as I'm emailing the results I need to strip the slashes before sending to make it readable.

Thanks, that helped.
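The thread above boils down to one point: the backslash that mysql_real_escape_string() adds belongs only inside the SQL statement, where MySQL strips it again while parsing the quoted literal, so the stored row holds a plain apostrophe. Any other output of the same value (a plain-text email, an HTML page) should be built from the unescaped input, each with its own context-specific escaping. The example below is added here and is not code from either poster; it assumes a mysqli connection, a table named contact_messages with a body column, and a constructed sample value standing in for $_POST['message'].

```php
<?php
// Added example (not the original poster's code): escape the submitted value only
// where it is used as an SQL literal, and email the unescaped text, so
// "How's it going" is never sent as "How\'s it going".

// Constructed sample input, standing in for $_POST['message'] from the form.
$submitted = "How's it going";

// 1. Normalise the raw input once. On old PHP with magic_quotes_gpc enabled the
//    input already arrives backslashed and must be un-escaped first; on PHP 8
//    get_magic_quotes_gpc() no longer exists, hence the function_exists() guard.
function clean_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return trim($value);
}

// 2. Store with a prepared statement: the value travels separately from the SQL
//    text, so no escaping is needed, injection is not possible through this
//    parameter, and no backslash is ever written to the row.
//    Assumes a table contact_messages(body TEXT) and a live mysqli connection.
function store_message(mysqli $db, $message)
{
    $stmt = $db->prepare('INSERT INTO contact_messages (body) VALUES (?)');
    $stmt->bind_param('s', $message);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 2b. Legacy alternative for code that still builds the SQL string by hand:
//     the escaped copy exists only inside the query string and is discarded
//     afterwards, never stored in a variable that later reaches the email.
function store_message_legacy(mysqli $db, $message)
{
    $sql = "INSERT INTO contact_messages (body) VALUES ('"
         . $db->real_escape_string($message) . "')";
    return $db->query($sql);
}

// 3. Email the original, unescaped text. Escaping is per output context:
//    SQL escaping for SQL, htmlspecialchars() for HTML, nothing for plain text.
//    The subject is a fixed string rather than user input.
function email_message($to, $message)
{
    return mail($to, 'Contact form submission', $message);
}

$message = clean_input($submitted);
// $db = new mysqli('localhost', 'user', 'pass', 'site');   // assumed connection
// store_message($db, $message);
// email_message('owner@example.com', $message);             // body reads: How's it going
echo $message, "\n";
```

The design choice worth noting is that the escaped string is created at the point of use and thrown away, rather than produced up front by a generic check_input() and reused everywhere; that is what makes the stripslashes-on-output step unnecessary and keeps the SQL escaping from leaking into other channels.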
