mysql_real_escape_string() leaving slashes in MySQL

囚心锁ツ 2020-12-16 16:41

I just moved to a new hosting company and now whenever a string gets escaped using:

mysql_real_escape_string($str);

the slashes remain in the

9 answers
  • 2020-12-16 17:00

    mysql_real_escape_string($str); is supposed to do exactly that. It is meant to add backslashes to special characters, especially when you want to pass the query to MySQL. Take note that it also takes into account the character set of MySQL.

    For safer coding practices it would be good to edit your code and use stripslashes() to read out the data and remove the slashes.

  • 2020-12-16 17:06

    The host that you've moved to probably has magic_quotes_runtime turned on. You can turn it off with set_magic_quotes_runtime(0).

    Please turn off magic_quotes_runtime, and then change your code to use bind variables, rather than using the string escaping.

  • 2020-12-16 17:07

    The function below will correctly remove slashes before inserting into the database. I know you said magic quotes isn't on, but something is adding slashes, so try the following page and see the output. It'll help figure out where. Call with page.php?var=something-with'data_that;will`be|escaped

    You will most likely see number three outputting more slashes than needed.

    *Change the db details too.

    <?php

    // Connect first: mysql_real_escape_string() needs an open connection
    // so it can escape according to that connection's character set.
    $db = mysql_connect('host', 'user', 'pass');

    $var = $_REQUEST['var'];
    echo "1: $var :1<br />";                               // raw input as PHP received it
    echo "2: ".stripslashes($var)." :2<br />";             // input with any added slashes removed
    echo "3: ".mysql_real_escape_string($var)." :3<br />"; // escaped once by MySQL's rules
    echo "4: ".quote_smart($var)." :4<br />";              // escaped only after undoing magic quotes

    function quote_smart($value)
    {
        // Remove the slashes magic_quotes_gpc added, if it is on
        if (get_magic_quotes_gpc())
        {
            $value = stripslashes($value);
        }
        // Escape if not a number or a numeric string
        if ( !is_numeric($value) )
        {
            $value = mysql_real_escape_string($value);
        }
        return $value;
    }

    ?>

  • 2020-12-16 17:08

    You probably have magic quotes turned on. Figuring out exactly how to turn it off can be quite a headache in PHP. While you can turn off magic quotes with set_magic_quotes_runtime(0), it isn't enough -- magic quotes has already altered the input data at this point, so you must undo the change. Try with this snippet: http://talks.php.net/show/php-best-practices/26

    Or better yet -- Disable magic quotes in php.ini, and any .htaccess files it may be set in.

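Putting the two recommendations from the answers above together (undo magic quotes once at the entry point, then insert with bound parameters instead of escaping), here is an added example that is not from any answer in this thread. It assumes PHP 5.x with the PDO MySQL driver, a table `notes(id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)`, and placeholder credentials; `undo_magic_quotes()` is a name chosen here.

```php
<?php
// Added example. (a) Detect magic_quotes_gpc and strip its backslashes once,
// at the entry point, so nothing downstream escapes the data twice.
// (b) Insert through PDO bound parameters, so no manual escaping is needed.
// Assumes PHP 5.x; get_magic_quotes_gpc() no longer exists in PHP 8.

// Recursively remove the backslashes magic_quotes_gpc added to request data.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Constructed input for the demonstration; normally it comes from the request.
$var = isset($_REQUEST['var']) ? $_REQUEST['var'] : "something-with'data_that;will`be|escaped";

// Placeholder DSN and credentials (assumption, not from the thread).
$pdo = new PDO('mysql:host=localhost;dbname=test;charset=utf8', 'user', 'pass', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, no client-side quoting
));

// The value travels separately from the SQL text, so the apostrophe is stored
// exactly as typed, with no backslash in front of it.
$stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$stmt->execute(array(':body' => $var));

// Read the row back to confirm the stored value equals the input.
$check = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
$check->execute(array(':id' => $pdo->lastInsertId()));
$stored = $check->fetchColumn();
echo ($stored === $var) ? "stored as typed\n" : "mismatch: $stored\n";
```

If this prints "stored as typed" while your mysql_real_escape_string() path still shows slashes, the extra escaping is happening in your own code before the query, not in MySQL.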
  • 2020-12-16 17:14

    I can think of a number of things that could cause this. But it depends how you are invoking SQL queries. If you moved to use parameterized queries like with PDO, then escaping is unnecessary which means the call to mysql_real_escape_string is adding the extra slashes.

    If you are using mysql_query etc. then there must be some code somewhere like addslashes which is doing this. This could either be before the data is going into the database, or after.

    Also you say you have disabled magic quotes... if you haven't already, just do a hard check in the code with something like this:

    echo htmlentities($_GET['value']); // or $_POST, whichever is appropriate
    

    Make sure there are no slashes in that value, then also check this:

    echo "Magic quotes is " . (get_magic_quotes_gpc() ? "ON" : "OFF");
    

    I know you've said multiple times it isn't magic quotes, but for us guys trying to help we need to be sure you have checked the actual PHP output rather than just changing the config (which might not have worked).

  • 2020-12-16 17:17

    I am not sure if I understand the issue correctly, but I had the very same problem. No matter what I did, the slashes were there when the string got escaped. Since I needed the inserted value to be in the exact same format as it was entered, I used

    htmlentities($inserted_value)
    

    This will leave all inserted quote marks unescaped but harmless.
