' Being Replaced With \ Then Doubling


#1

Hey,

I’m working on a personal messaging system where users can send messages back and forth. Basically everything is working, except I’m getting this weird thing… It returns errors if they don’t fill in the message field, (“error: not all required fields were completed”), and then it displays the posted values for the fields that they did fill out (so they don’t need to re-enter the stuff they already entered), ok, that all works, except… If they have like “don’t” in the subject, and they leave the message field blank so it returns the error, it changes “don’t” to “don” then if they again don’t fill out the message field and press submit, it changed “don” to “don” and then if they do it again “don\” (it doubles every time).

I have absolutely no idea why this is happening.

Any help would be great,

Nick Giancola


#2

You will want to look into using strip_slashes when pulling the information out of the database or returning it back to the user. Don’t use this function when entering the data into the database because it will mess up your query.

Example:
[php]<?php
// Remove the backslashes that magic quotes added to the posted value
$message = stripslashes($_POST['message']);
?>
[/php]

This should take care of your problem.


#3

If magic quotes is enabled on your server, it will automatically escape any problematic quotes when form data is posted. If you are posting to a database, you should test the state of magic quotes, and if they are not enabled, use addslashes().

[php]
if (!get_magic_quotes_gpc()) {
    $string = addslashes($string);
}
[/php]

You can also use the mysql_escape_string() function.

Then, as ragster00 has already mentioned, you would use stripslashes() when returning the data.

As added security, you might also want to think about replacing apostrophes and other problematic quotes with character entities.

$string = str_replace("'", "&#039;", $string);
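
Added example, not part of any post in this thread: it reproduces the doubling from post #1 by escaping a redisplayed value on every submit, then shows the same form flow with the escaping undone once on input, HTML encoding done only at output, and the raw value stored through a bound parameter. The function names, the sample subject and the `messages` table are hypothetical; `addslashes()` stands in for the server's magic quotes setting, and the last step assumes the `pdo_sqlite` extension is available.

```php
<?php
// Added example. $typed and the stored subject are constructed sample values.
$typed = "don't";

// Reproduces what magic_quotes_gpc did to each incoming POST value.
function simulate_magic_quotes(string $v): string {
    return addslashes($v);
}

// Buggy flow: the escaped value goes straight back into the form, so the
// next submission escapes the backslashes that the previous one added.
function buggy_round_trip(string $v, int $submits): string {
    for ($i = 0; $i < $submits; $i++) {
        $v = simulate_magic_quotes($v);
    }
    return $v;
}

// Fixed flow, step 1: undo the automatic escaping exactly once, on input.
function clean_input(string $posted, bool $magicQuotesOn): string {
    return $magicQuotesOn ? stripslashes($posted) : $posted;
}

// Fixed flow, step 2: encode for HTML only when printing into the page.
function field_value(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

function fixed_round_trip(string $v, int $submits): string {
    for ($i = 0; $i < $submits; $i++) {
        $v = clean_input(simulate_magic_quotes($v), true);
    }
    return $v;
}

foreach ([1, 2, 3] as $n) {
    printf("%d submit(s): buggy=%s fixed=%s\n", $n,
        buggy_round_trip($typed, $n), fixed_round_trip($typed, $n));
}
printf('<input name="subject" value="%s">' . "\n", field_value($typed));

// Fixed flow, step 3: store the raw value through a bound parameter, so no
// addslashes() is needed for the query (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (subject TEXT)');
$db->prepare('INSERT INTO messages (subject) VALUES (?)')->execute([$typed]);
echo $db->query('SELECT subject FROM messages')->fetchColumn(), "\n";
```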