MySqli Real Escape Not Working


I've been using a script to upload articles to my website and done a bit of maintenance, and now when I add an article on the server it's adding slashes to my text. Here is the code that I'm using:

<?php
// $site_id, $id, $extension, $added, $views and $path are set earlier in the script (not shown here).
$con = mysqli_connect("localhost", "db_username", "db_password", "db_database");

$title    = ucwords($_POST['title']);
$category = $_POST['category'];
$article  = $_POST['article'];
$alt      = $_POST['alt'];

// Escape every user-supplied value that is interpolated into the SQL string below.
$title    = mysqli_real_escape_string($con, $title);
$category = mysqli_real_escape_string($con, $category);
$article  = mysqli_real_escape_string($con, $article);
$alt      = mysqli_real_escape_string($con, $alt);

// Note: the original had '.$extension' inside the quoted SQL, which stores a literal
// leading dot in the photo column; '$extension' is what was intended.
$insert_post_sql = "INSERT INTO " . $site_id . "_articles (id, category, photo, alt, title, article, added, views) VALUES ('$id', '$category', '$extension', '$alt', '$title', '$article', '$added', '$views')";
$insert_post_res = mysqli_query($con, $insert_post_sql);

if (mysqli_affected_rows($con) > 0) {
    // Row inserted: move the uploaded photo into place and redirect to the new article.
    move_uploaded_file($_FILES["photo"]["tmp_name"], $path . $id . "." . $extension);
    header("Location: ../article.php?id=$id");
    exit();
} else {
    echo "0";
}

So my article text looks like this: Here\'s my article\'s text

Can anyone tell me why escape isn't working here?

There is 1 answer

James

Can anyone tell me why escape isn't working here?

mysqli_real_escape_string() is possibly doing the "escaping" as you require, however "is adding slashes to my text" is not what mysqli_real_escape_string() does. Don't expect it to modify the code, or add backslashes. It just escapes chars when adding to the database.

Something other than mysqli_real_escape_string() is adding slashes to your text.

mysqli_real_escape_string:

Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection.

it's adding slashes to the text when I upload it here\'s what it\'s doing

If you have not manually coded in a script to escape with backslash, such as using the function addslashes(), then as @zerkms suggested, it could be you have magic quotes turned on, which "does" escape by adding a backslash automatically.

Determine if magic quotes are enabled

If you have magic quotes enabled, read this: Why not to use magic quotes

EDIT

The suggestion to use stripslashes() may well make this problem "go out of sight", but it does not fix the underlying problem, nor does it attempt to address the potential issue of you using magic quotes; again: Why not to use magic quotes.

Just turn off magic quotes: it fixes this issue and other security concerns, and the feature is deprecated, so you shouldn't be using it in code which may not work on a newer server or after a server update.

If you have magic quotes enabled, you are now wasting resources from magic quotes adding slashes and stripslashes() removing them.

This is not a fix, it is a "bodge". If you're happy with that then no worries at all, but just FYI, in my opinion this approach is not good practice.
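The two points the answer makes (check whether magic quotes are adding the backslashes before your code runs, and stop relying on manual escaping) can be put together in one script. The following is an added example, not code from the question or the answer; it assumes a mysqli connection `$con`, a table named like the one in the question, and that `$site_id`, `$id`, `$extension`, `$added` and `$views` are set earlier in the script as in the original code.

```php
<?php
// Added example (not from the question or answer). Assumes $con is an open
// mysqli connection and that $site_id, $id, $extension, $added and $views
// are defined earlier, as in the question's script.

// 1. Diagnose: is magic_quotes_gpc adding backslashes before this code runs?
//    get_magic_quotes_gpc() exists on PHP 5.x (removed in PHP 7.4); on PHP >= 5.4
//    it always returns false because the feature itself was removed.
$magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
if ($magicQuotesOn) {
    // The fix is configuration (php.ini: magic_quotes_gpc = Off),
    // not stripslashes() sprinkled through the application.
    error_log('magic_quotes_gpc is enabled; disable it in php.ini');
}

// 2. Inspect the raw input. If $_POST['article'] already contains \' at this
//    point, the backslashes were added before this script ran (magic quotes or
//    an upstream addslashes()), not by mysqli_real_escape_string().
$rawArticle = isset($_POST['article']) ? $_POST['article'] : '';
error_log('raw article input: ' . $rawArticle);

// 3. Insert with a prepared statement. Values travel separately from the SQL
//    text, so no manual escaping is needed and the stored value is exactly what
//    was submitted, with no backslashes.
function insert_article($con, $table, array $row)
{
    // Identifiers cannot be bound as parameters, so validate the table name strictly.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        return false;
    }

    $sql = "INSERT INTO `$table` (id, category, photo, alt, title, article, added, views)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?)";
    $stmt = mysqli_prepare($con, $sql);
    if ($stmt === false) {
        error_log('prepare failed: ' . mysqli_error($con));
        return false;
    }

    // All parameters bound as strings; MySQL coerces numeric columns as needed.
    mysqli_stmt_bind_param(
        $stmt, 'ssssssss',
        $row['id'], $row['category'], $row['photo'], $row['alt'],
        $row['title'], $row['article'], $row['added'], $row['views']
    );

    $ok = mysqli_stmt_execute($stmt) && mysqli_stmt_affected_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    return $ok;
}

// Usage, mirroring the question's fields (no mysqli_real_escape_string calls needed).
$row = array(
    'id'       => $id,
    'category' => isset($_POST['category']) ? $_POST['category'] : '',
    'photo'    => $extension,
    'alt'      => isset($_POST['alt']) ? $_POST['alt'] : '',
    'title'    => ucwords(isset($_POST['title']) ? $_POST['title'] : ''),
    'article'  => $rawArticle,
    'added'    => $added,
    'views'    => $views,
);

if (insert_article($con, $site_id . '_articles', $row)) {
    header("Location: ../article.php?id=$id");
    exit();
}
echo "0";
```

With magic quotes off and the prepared statement in place, a title such as Here's my article is stored as typed; if backslashes still show up, the logged raw input in step 2 tells you they arrived that way, which points at an addslashes() call or another escaping layer upstream of this script rather than at the database code.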