PHP mysql_real_escape_string() -> stripslashes() leaving multiple slashes

php mysql-real-escape-string stripslashes
teaforchris picture teaforchris · Oct 5, 2009 · Viewed 59.7k times · Source

I'm having issues escaping/stripping strings with PHP/MySQL - there always seems to be redundant slashes.

Let's take the following string as an example:

<span style="text-decoration:underline;">underline</span>


When adding a string to the database, I'm escaping it with mysql_real_escape_string() and the following gets stored in the database (EDIT: checked this by querying the database directly with mysql app):

<span style=\\\"text-decoration:underline;\\\">underline</span>


When reading back out of the database, I'm passing the string through stripslashes() and the following is returned:

<span style=\"text-decoration:underline;\">underline</span>


Since the quotes are still escaped, it breaks the html and the text is not underlined.

  1. Why is mysql_real_escape_string() adding three slashes, and stripslashes() removing two slashes? I would expect them both to add/remove one slash.
  2. How can I prevent this from happening?
  3. Am I approaching this the correct way?

Answer

TJ L picture TJ L · Oct 5, 2009

Best Solution

In your php.ini file, odds are that the magic_quotes_gpc directive is set to on. This should be disabled for security reasons. If you don't have access to the php.ini file (eg. on a shared host), you can always accomplish the same using an .htaccess directive (assuming this is an apache server).

In your php.ini

magic_quotes_gpc Off

In an .htaccess file:

php_flag magic_quotes_gpc Off

Why is this happening?

The reason this is happening is due to the following course of logic.

  1. A string that needs escaping is sent to the server.
    • This is my string. It's awesome.
  2. Magic Quotes escapes the apostrophe before it gets to your code.
    • This is my string. It\'s awesome
  3. mysql_real_escape_string now has two characters to escape, the backslash \\ as well as the apostrophe \'.
    • This is my string. It\\\'s awesome
  4. This new super-escaped string is stored in the database.
  5. When the string is retrieved from the database, it get's passed to stripslashes. This removes the two escapes added in step 3, but since one of the backslashes has been escaped stripslashes thinks it belongs.
    • This is my string. It\'s awesome

This problem can really get out of hand when you re-submit these strings to the database, as each time the number of backslashes multiplies.

Alternative Solution

A quick-and easy alternative would be to simply remove the slashes added by magic_quotes before passing the string to mysql_real_escape_string. 

$str = stripslashes($_POST['str']);
$str = mysql_real_escape_string($str);

Related questions

Alternative to mysql_real_escape_string without connecting to DB

I'd like to have a function behaving as mysql_real_escape_string without connecting to database as at times I need to do dry testing without DB connection. mysql_escape_string is deprecated and therefore is undesirable. Some of my …

Read More
Should I use mysqli_real_escape string() or mysql_real_escape_string() for form data?

Possible Duplicate: mysql_escape_string VS mysql_real_escape_string I need to get company_name (given by user through a form) entered into my mysql database. When I use $company = mysqli_real_escape_string($_POST['company_name']) I get …

Read More
mysql_escape_string VS mysql_real_escape_string

So this is something we all should know about, and played on my mind when I first seen it.. I know that mysql_escape_string is deprecated from 5.3 but what was the actual difference in mysql_real_escape_string. What …

Read More