2

I've made following protection for my variables:

$ad_title=htmlentities($ad_title);
$ad_title=mysql_real_escape_string($ad_title);
$ad_title=stripslashes($ad_title);

But every time I try to submit a string that contains the quote sign (') - everything after it is recognized as bad SQL query.

Can anyone please let me know what I missed?

I know mysql_real_escape_string should fix it but it doesn't.

Serge Vinogradov

6 Answers

4

Your problem is that stripslashes is UNDOING what mysql_real_escape_string does.

e.g.

starting out with:  Miles O'Brien
after mysql_real_escape_string(): Miles O\'Brien
after stripslashes(): Miles O'Brien
Marc B
2

Your call after mysql_real_escape_string to stripslashes is effectively canceling it out.

Also, you should be escaping your stuff for html right before you output it, not when you store it in your database.

Alternately, you can use prepared statements, though I'm feeling to lazy to explain that in this answer. (There's millions of posts on SO about it.)

Corbin
  • @TheNail Did I really just get grammar Nazi'd? Wow. The sad part is, I am fully aware that too was the correct variation of to. I likely just missed the key. Anyway, have fun with your trivial grammar corrections. (If you want to be very technical, you just wrote a sentence fragment with no capitalization or punctuation.) – Corbin Mar 21 '12 at 20:44
  • sorry, slight pun was intended, but from your response I understand you are not really keen on that... sorry again! – The Nail Mar 22 '12 at 07:52
  • @TheNail Sorry, I guess I missed the pun. And rereading my comment, I got a bit carried away.... Oops x.x – Corbin Mar 22 '12 at 08:01
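The cancellation Marc B and Corbin describe, followed by the prepared-statement alternative Corbin mentions, as an added example that is not code from the question or from any answer above. It assumes PHP with the pdo_sqlite extension so it runs without a MySQL server; escape_for_demo() is a simplified stand-in for mysql_real_escape_string(), not the real function.

```php
<?php
// Added example, not from the original question or answers.
// Part 1 reproduces the bug: stripslashes() after escaping removes the
// backslash that protected the quote. Part 2 binds the raw value instead.

// Simplified stand-in for mysql_real_escape_string() (assumption: only quotes
// and backslashes are handled, which is all this demonstration needs).
function escape_for_demo(string $s): string
{
    return str_replace(['\\', "'", '"'], ['\\\\', "\\'", '\\"'], $s);
}

$title = "Miles O'Brien";   // constructed input, same as Marc B's example

// Part 1: the order used in the question.
$escaped  = escape_for_demo($title);   // Miles O\'Brien
$stripped = stripslashes($escaped);    // Miles O'Brien  (protection gone)
printf("escaped:  %s\nstripped: %s\n", $escaped, $stripped);
// Pasting $stripped into a quoted literal yields the broken statement:
// INSERT INTO ads (title) VALUES ('Miles O'Brien')  -> syntax error

// Part 2: keep data and SQL separate with a bound parameter.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

function insert_ad(PDO $db, string $title): void
{
    // No escaping, no stripslashes(): the driver never sees $title as SQL.
    $stmt = $db->prepare('INSERT INTO ads (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
}

insert_ad($db, $title);
insert_ad($db, "C:\\temp\\it's here");   // quotes and backslashes stored verbatim

// Store the original text; HTML-escape only when rendering (Corbin's point).
foreach ($db->query('SELECT title FROM ads ORDER BY id') as $row) {
    echo '<li>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}
```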
0

Remove the third line from the code.

$ad_title=htmlentities($ad_title);
$ad_title=mysql_real_escape_string($ad_title);
hjpotter92
0
$ad_title=htmlentities($ad_title);

You can do that (immediately) before inserting into an HTML document, not a database … but htmlspecialchars should be sufficient.

$ad_title=mysql_real_escape_string($ad_title);

You can do that (immediately) before mashing together some strings into an SQL statement destined for MySQL … but you are much better off using prepared statements and bound arguments.

$ad_title=stripslashes($ad_title);

Do that … umm … maybe if you are stuck on a server that has Magic Quotes turned on … but before you do any escaping … and only if you can't turn Magic Quotes off.

Certainly don't do it after you run mysql_real_escape_string as it (largely) reverses the effect of it!

Quentin
0

You added the line

$ad_title=stripslashes($ad_title);

which should not be used. You are basically stripping the SQL injection protection with that line. Remove the line and it should be fine.

dqhendricks
0
<?php
//This should be called first, but ONLY if it is required, or it will corrupt your data.
//This must be done before you manipulate the data in any other way.
//Generally, this is used on the data if your server has magic quotes on.
//I've added code to detect if it is on or not.
$ad_title = (get_magic_quotes_gpc()) ? stripslashes($ad_title) : $ad_title;

//This line is fine, but only do it if you know it is necessary, because it is changing your data.
//If you are doing it just because you were receiving an SQL error, I would recommend you comment this out.
$ad_title = htmlentities($ad_title);

//This should be the last thing you do to your data before using it in SQL.
//This will take care of all required escaping, and protect you from SQL injection.
$ad_title = mysql_real_escape_string($ad_title);
?>
Jordan Mack
  • There's a very high chance that he should not be escaping the data as HTML before inserting it into his database. And as for magic quotes, I would never use a hosting provider that has it enabled. That would be a very strong sign that they are way behind the PHP times. – Corbin Mar 21 '12 at 20:51
  • I agree with @Corbin about escaping as HTML before insertion into the database. It should be escaped for SQL only, not HTML. Doing so means you are storing a modified version, not the original data. This introduces difficulty if you find you need to go back for some reason. As for the host having magic quotes turned on, it may be ridiculous, but many still do. I can't tell you which because I've been using dedicated servers for the last decade. – Jordan Mack Mar 21 '12 at 21:03