Textfield getting written to mySQL getting unwanted escape characters

General PHP Help
#1

It works fine on localhost. I have a textfield that uses PHP to write it to a database entry. The text is in HTML format, and when read later on is used to create HTML content, so things like backslashes for URLs and single-quotes need to not have the escape sequence version of them (like \ or ') because HTML will just print those things that way. And, as I said, it works like a charm on localhost. But when I try to use the form on my site (on Freeyellow), it is replacing single backslashes with \ and single quotes with ’ in the database entry. How can I get it to stop doing that?

The form sends the textfield to a page reload and here’s the code on the page that handles the text:
[php] else if(isset($_POST[‘submit_new_news’]) && !empty($_POST[‘news_title’]) && !empty($_POST[‘news_body’]))
{
if (make_news_post($_POST[‘news_title’],$_POST[‘news_body’]))
{
$errormsg = ‘
News Post Saved.’;

	}
	else
	{
	  $errormsg = '<br>Already have entry for today. Edit post for today instead.<br>';
	}
  }[/php]

Since it’s central to this process, here’s the code for make_news_post:
[php] function make_news_post($title,$body)
{
global $db;
$today = getdate();
$thisyear = intval($today[‘year’]);
$thismonth = intval($today[‘mon’]);
$thisday = intval($today[‘mday’]);
$sth = $db->prepare(‘SELECT year, month, day FROM newsposts WHERE year = :year AND month = :month AND day = :day’);
$sth->bindParam(’:year’,$thisyear,PDO::PARAM_INT);
$sth->bindParam(’:month’,$thismonth,PDO::PARAM_INT);
$sth->bindParam(’:day’,$thisday,PDO::PARAM_INT);
$sth->execute();
$check_existing = $sth->fetchall();
if(empty($check_existing))
{
$sth->closeCursor();
$sth = $db->prepare(“INSERT INTO newsposts (year, month, day, title, body) VALUES (:thisyear, :thismonth, :thisday, :title, :body)”);
$sth->bindParam(’:thisyear’,$thisyear,PDO::PARAM_INT);
$sth->bindParam(’:thismonth’,$thismonth,PDO::PARAM_INT);
$sth->bindParam(’:thisday’,$thisday,PDO::PARAM_INT);
$sth->bindValue(’:title’,$title);
$sth->bindValue(’:body’,$body);
$sth->execute();
$sth->closeCursor();
return true;
}
else
{
$sth->closeCursor();
return false;
}
}[/php]

Again, this works without any problem on localhost, so I’m inclined to think it’s somehow related to how Freeyellow has set up their MySQL or whatever. Is it common for this kind of problem to be encountered when moving a localhost to the web? And is there a work-around. The only thing I can do right now is open phpMyAdmin on Freeyellow and edit the data to remove the extra backslashes.

#2

sounds like the server may have magic_gpc enabled. But the problem will be when you go to do the insert. the sql will throw an error when it its an unescaped quote because it thinks its part of the statement. You could try using html_entities(), but i’m not sure if it’ll work for this. When you’ll have to do is just stripslashes() when you need to use the data.

#3

Hm, stripslashes could work, but what about when I do need single forward slashes, for URLs? I suppose if I had to, I could put in a different character that I’ll never use anywhere else and have it do replace on that after I’ve already done stripslashes.

#4

All you need to do is determine if magic_gpc is enabled with an if statement. If it is, use ini_set to turn it off.

Sponsor our Newsletter | Privacy Policy | Terms of Service