  1. #1
    Join Date
    Mar 2006
    Posts
    17

    Unanswered: get_magic_quotes_gpc not working?

    I have a form that takes in a few values and inserts it into a table. Something similar to:

    PHP Code:

    $str = "
            INSERT INTO mytable (id, message)
            VALUES ({$id}, {$message})
    ";

    if (get_magic_quotes_gpc() === 1)
    {
            $str =& trim($str);
    }
    else
    {
            $str =& addslashes(trim($str));
    }

    $res = mysql_query($str) or die();

    When I run the query, I get errors if a value in the form has a quote/apostrophe character. When I print out the query, I notice that the quotes aren't backslashed. (Or does it handle that in the background?) What am I doing wrong here?
    Last edited by kovi_rago; 10-13-06 at 04:29.

  2. #2
    Join Date
    Apr 2006
    Location
    Denver, Co. USA
    Posts
    242
    Except as noted in the following, I tried your code and it works on a PHP5 system (I only mention the PHP version as it is possible that the type/value returned by get_magic_quotes_gpc() and the action of having the "reference" operator & could be different between versions of PHP.)

    If either of the fields in the query are CHAR, VARCHAR, or TEXT, the values in the query string need single-quotes around them. Since your existing code operates on the whole query string, it will escape these needed quotes and cause a mysql error. You must pass each variable through this code to escape what is in the variable instead of the way it is doing it now.

    The "reference" operator & has no meaning in this code and is not necessary.

    There is a slight chance that get_magic_quotes_gpc() returns an ON/OFF or True/False value in your version of PHP and your use of the === comparison with the value 1 will fail. What do you get if you echo get_magic_quotes_gpc()?

    You state that you get an error. Please post the actual error message to get the best possible help with this problem.
    Last edited by dbmab; 10-15-06 at 07:10.

  3. #3
    Join Date
    Mar 2006
    Posts
    17
    hi, thank you for the reply. sorry i've been working on this thing and haven't checked dbforums in a while.

    when i echo get_magic_quotes_gpc(), it shows a '1'.
    this is the error i get
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2006-10-30 10:51:58' , '2006-10-30 10:51:58')' at line 6

    when i echo the query (using a test string of r'), it shows this:
    PHP Code:

    INSERT INTO mytable (username, comments, created, modified)
    VALUES ('test', 'r'' , '2006-10-30 10:51:58' , '2006-10-30 10:51:58')

    it is not backslashing the single quote in the string " r' "?

  4. #4
    Join Date
    Apr 2006
    Location
    Denver, Co. USA
    Posts
    242
    About the only thing that could cause magic_quotes_gpc to not escape the single-quotes in the GET/POST data from the form would be the magic_quotes_sybase setting (this should cause two single-quotes which it does not appear is occurring, but it would take seeing your current actual code to be sure what else might be occurring.)
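
Added example, not part of the thread: the difference reply #2 describes between escaping the finished query string and escaping each value, followed by the same insert with bound parameters. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database as a stand-in for MySQL; the values of $id and $message are constructed.

```php
<?php
// Constructed input. On current PHP magic quotes no longer exist, so a form
// value reaches the script unescaped, like this one.
$id      = 7;
$message = "r'";   // test string with an apostrophe, as in post #3

// 1) The pattern in post #1: escape the whole query string after building it.
//    addslashes() cannot tell data from syntax, so the single quotes that
//    delimit the SQL string literal are backslashed along with the apostrophe
//    inside the value, and the server rejects the statement.
$whole = addslashes(
    "INSERT INTO mytable (id, message) VALUES ({$id}, '{$message}')"
);

// 2) The advice in reply #2: escape each value first, then add the delimiting
//    quotes. addslashes() is used because it is the function in the thread;
//    it is not charset-aware, which is one reason to prefer step 3.
$perValue = "INSERT INTO mytable (id, message) VALUES ("
          . (int) $id . ", '" . addslashes($message) . "')";

// 3) Bound parameters: the value is sent separately from the SQL text, so no
//    escaping decision is left to the application.
$pdo = new PDO('sqlite::memory:');   // assumption: SQLite stand-in for MySQL
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mytable (id INTEGER, message TEXT)');

$stmt = $pdo->prepare(
    'INSERT INTO mytable (id, message) VALUES (:id, :message)'
);
$stmt->execute([':id' => $id, ':message' => $message]);

// Read the row back to confirm the apostrophe was stored unchanged.
$stored = $pdo->query('SELECT message FROM mytable')->fetchColumn();

echo "whole string escaped: ", $whole, "\n";
echo "per-value escaped:    ", $perValue, "\n";
echo "round trip intact:    ", var_export($stored === $message, true), "\n";
```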
