I've been using a script to upload articles to my website. I recently did a bit of maintenance, and now when I add an article on the server it adds slashes to my text. Here is the code that I'm using:
```php
// $site_id, $id, $extension, $added, $views and $path are set earlier in the script.
$con = mysqli_connect("localhost", "db_username", "db_password", "db_database");

$title    = ucwords($_POST['title']);
$category = $_POST['category'];
$article  = $_POST['article'];
$alt      = $_POST['alt'];

// Escape every user-supplied value that is interpolated into the SQL string
// ($category was originally interpolated unescaped).
$title    = mysqli_real_escape_string($con, $title);
$category = mysqli_real_escape_string($con, $category);
$article  = mysqli_real_escape_string($con, $article);
$alt      = mysqli_real_escape_string($con, $alt);

// The photo column stores the extension with a leading dot, e.g. ".jpg".
$insert_post_sql = "INSERT INTO " . $site_id . "_articles (id, category, photo, alt, title, article, added, views) "
    . "VALUES ('$id', '$category', '.$extension', '$alt', '$title', '$article', '$added', '$views')";
$insert_post_res = mysqli_query($con, $insert_post_sql);

if (mysqli_affected_rows($con) > 0) {
    move_uploaded_file($_FILES["photo"]["tmp_name"], "$path" . $id . "." . $extension);
    header("Location: ../article.php?id=$id");
    exit();
} else {
    echo "0";
}
```
So my article text looks like this: Here\'s my article\'s text
Can anyone tell me why escape isn't working here?
mysqli_real_escape_string() is possibly doing the "escaping" as you require; however, "is adding slashes to my text" is not what mysqli_real_escape_string() does. Don't expect it to modify the code, or add backslashes. It just escapes chars when adding to the database. Something other than mysqli_real_escape_string() is adding slashes to your text. See the manual for mysqli_real_escape_string.
If you have not manually coded in a script to escape with backslash, such as using the function addslashes(), then as @zerkms suggested, it could be you have magic quotes turned on, which "does" escape by adding a backslash automatically.
Determine if magic quotes are enabled
If you have magic quotes enabled, read this: Why not to use magic quotes
EDIT
The suggestion to use stripslashes() may well make this problem "go out of sight", but it does not fix the underlying problem, nor does it attempt to address a potential issue of you using magic quotes; again, Why not to use magic quotes. Just turn off magic quotes, for fixing this issue, other security concerns, and the fact it is deprecated and you shouldn't be using it in code which may not work on a newer server or after a server update.

If you have magic quotes enabled, you are now wasting resources from magic quotes adding slashes and stripslashes() removing them. This is not a fix, it is a "bodge".
If you're happy with that then no worries, at all, but just FYI in my opinion this approach is not good practice at all.
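To make the answer's two points concrete, here is an added example (not code from the question or the answer above) that first checks whether magic quotes are the source of the extra backslashes and then performs the same INSERT with a prepared statement, so no manual escaping is involved at all. The table and column names follow the question; the connection credentials, the sample input, the `$site_id` value and the column types bound in `bind_param` are assumptions, and the script needs a MySQL database with that table to run.

```php
<?php
// Added example: diagnose magic quotes, then insert without manual escaping.
// Credentials, sample values and column types below are constructed assumptions.

// 1. Diagnose. magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc()
//    in PHP 8. On older PHP, if this returns true, every $_POST value already
//    carries backslashes before mysqli_real_escape_string() runs, which is the
//    double escaping ("Here\'s") seen in the question.
function magicQuotesActive(): bool
{
    if (function_exists('get_magic_quotes_gpc')) {
        return (bool) @get_magic_quotes_gpc();
    }
    return false; // PHP 8+: the feature no longer exists
}

if (magicQuotesActive()) {
    // Fix it in configuration, not in code: php.ini -> magic_quotes_gpc = Off
    trigger_error('magic_quotes_gpc is On; disable it in php.ini', E_USER_WARNING);
}

// 2. Insert with a prepared statement. Values travel separately from the SQL
//    text, so nothing is escaped or re-escaped in the stored article, and a
//    value such as $category (unescaped in the original code) is no longer an
//    injection risk.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = mysqli_connect('localhost', 'db_username', 'db_password', 'db_database');
$con->set_charset('utf8mb4');

// Constructed sample input standing in for $_POST and for the values the
// original script derives elsewhere ($site_id, $id, $extension, $added, $views).
$site_id   = 'demo';                         // assumed
$id        = 42;                             // assumed integer column
$title     = ucwords("here's my article's text");
$category  = 'news';
$article   = "Here's my article's text";
$alt       = "Photo's caption";
$extension = 'jpg';
$added     = date('Y-m-d H:i:s');
$views     = 0;

// Identifiers cannot be bound as parameters, so the table name is whitelisted
// before it is interpolated into the statement text.
if (!preg_match('/^[A-Za-z0-9_]+$/', $site_id)) {
    throw new InvalidArgumentException('bad site id');
}
$table = $site_id . '_articles';

$stmt = $con->prepare(
    "INSERT INTO `$table` (id, category, photo, alt, title, article, added, views)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?)"
);
$photo = '.' . $extension;   // same ".jpg" form the original query stored
$stmt->bind_param('issssssi', $id, $category, $photo, $alt, $title, $article, $added, $views);
$stmt->execute();

// 3. Read it back: the stored text is byte-for-byte the submitted text,
//    apostrophes intact and no backslashes.
$check = $con->prepare("SELECT article FROM `$table` WHERE id = ?");
$check->bind_param('i', $id);
$check->execute();
$check->bind_result($stored);
$check->fetch();
echo $stored === $article ? "stored without stray slashes\n" : "mismatch: $stored\n";
```

If the warning in step 1 fires, the right fix is the configuration change it names; with magic quotes off and parameters bound as in step 2, there is nothing left for stripslashes() to undo.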