0

Every time i try to update my textarea and inside the textarea I add a quote ", after i update i get 1 \, i update again i get 3 slashes \\\, again 5 slashes and so on. Tried adding in php ini the the 3 codes to disable the magic quotes but nothing:

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

Added also in the root folder and the folder where the file is located. Also tried this http://us2.php.net/manual/en/security.magicquotes.disabling.php example 2 and first comment and still nothing.

This is my code:

PHP

$username=$_SESSION['username'];
$viewtopic = $_GET['viewtopic'];
if ($_POST['edit'] && strip_tags($_POST['topictext'])){
  $viewtopic = $_POST['id'];
  $topictext=mysql_real_escape_string(strip_tags($_POST['topictext']));
  $title=mysql_real_escape_string(strip_tags($_POST['title']));
  mysql_query("UPDATE topics SET topictext=".quote_smart($topictext).", title=".quote_smart($title)." WHERE id=".quote_smart($viewtopic)."");
  echo "You have updated your topic!";
}

HTML

<textarea name="topictext" rows="2" cols="20" id="main_tbContent" class="TextBox" style="height:128px;width:99%;"><? echo str_replace("\\r\\n","\r\n",$rows['topictext']); ?></textarea><br />
Thibaud Colas
  • 1,248
  • 1
  • 16
  • 24
Adrian
  • 2,273
  • 4
  • 38
  • 78
  • what does quote_smart() do ?? –  Dec 08 '13 at 18:57
  • Quote_smart is integrated in the script. When i remove `quote_smart()` it seams that the loop of creating 2 more slashes every update stops but it still echo's 3 slashes. – Adrian Dec 08 '13 at 19:00
  • don't forget to mysql_real_escape_string $_POST['id'] as well... though you are expecting (hoping) you are going to get a numeric value there, in fact you can also get anything else there , making sql injection possible – nl-x Dec 08 '13 at 19:24
  • I can't believe this question werent closed at sight as a duplicate. Stack Overflow is a VERY strange place. – Your Common Sense Dec 08 '13 at 22:08

1 Answers1

1

Okay, in my code for my database entries, this is what I do. Let me start by saying that I always send via POST method to avoid browser url complications.

When I get the POST data, this is my code.

    $ID = 1;
    $DATA = htmlentities(addslashes($_POST['data']));
    $FIELD = lifename;
    $DBQUERY = "UPDATE `lifetable` SET `$FIELD` = '$DATA' WHERE `id` = $ID";
    $DBRESULT = $MYSQLI->query($DBQUERY);

When I ask for the information back in a select query, I do not do anything special, all I do is a normal fetch_assoc or fetch_array with no functions at all. This always works for both input values and textareas.

This should be yours:

mysql_query("UPDATE topics SET topictext='".htmlentities(addslashes($topictext))."', title='".htmlentities(addslashes($title))."' WHERE id='$viewtopic'");

And do not forget your single quotes when passing text data as a value in mysql. I added them.

I am currently using this on my local site.

Also, please remove all instances of mysql_real_escape_string functions.

Denver William
  • 464
  • 2
  • 11
  • addslashes is not adequate for sanitising db inputs –  Dec 08 '13 at 19:00
  • could you please help me based on my example I am not getting it exactly. – Adrian Dec 08 '13 at 19:02
  • Um, clearly his code is adding extra slashes because they are there. Therefor, to remove the extra slashes, addslashes() will removed the extras for the most part. – Denver William Dec 08 '13 at 19:03
  • It is hard to know without knowing what your quote_smart function does. Here I will update my answer, give me a minute :) – Denver William Dec 08 '13 at 19:05
  • It seams that `.quote_smart` is some kind of predefined function in mysql/php. I tried searching for the function with dreamweaver and no results regarding a normal php function. – Adrian Dec 08 '13 at 19:09
  • Remove all `mysql_real_escape_string` – Denver William Dec 08 '13 at 19:20
  • Trust me, it is still 100% safe! – Denver William Dec 08 '13 at 19:21
  • Like for example instead of `$topictext=mysql_real_escape_string(strip_tags($_POST['topictext']));` I do `$topictext=$_POST['topictext'];` – Adrian Dec 08 '13 at 19:21
  • No, it would be `$topictext=strip_tags($_POST['topictext']);` – Denver William Dec 08 '13 at 19:22
  • Let me know if it works for you, it works for me all the time and on the go. Just make sure when you output your data from the database, you are outputting as is and do not change it in any way, use it raw right out of the fetcharray or fetch assoc call. – Denver William Dec 08 '13 at 19:30
  • If this worked, can you please check the answer and help out the reputation. Thanks – Denver William Dec 08 '13 at 19:35
  • Yes, it was because of the `mysql_real_escape_string` Thanks a lot. – Adrian Dec 08 '13 at 19:48
  • no worries, adding slashes and htmlentities will make it so that no one can exit your code and start another. Some people will say otherwise, but I have yet to experience it. – Denver William Dec 08 '13 at 19:49
  • stop giving bad advise please addslashes(), is not sufficient –  Dec 08 '13 at 21:15
  • @YourCommonSense It tool me in the right direction, my problem it was because of `mysql_real_escape_string` so he deserves the up vote. – Adrian Dec 09 '13 at 11:43
  • I prefer to use php pdo. PDO is an embedded extention that completely take care of the fear of injections. It separate the inputs from the query and then insert it in db. The quote you are getting can be stripped out using js. That means you need to screen out the data – Timothy Nwanwene Mar 14 '16 at 14:35