PHP - Magic_quotes_gpc
Is it better to have magic_quotes_gpc off and just use mysql_real_escape_string?
Similar Tutorials

I built something on my local host, and when I loaded it to my online provider I started to get backslashes in front of my single quotes on data I placed in the database, for example: word\'s. The provider is running 5.2.9 on their server. I checked and magic_quotes_gpc is on; I thought this was old school. Can I turn it off? I clean my data with strip_tags() & mysqli_real_escape_string(). I found this: http://php.net/manual/en/security.magicquotes.php

Thanks

My hosting service has magic_quotes_gpc = On. I was working on my home test server and the following script worked perfectly. Turns out I had magic_quotes_gpc = Off. I set magic_quotes_gpc = On and restarted. Now the script isn't working. See code and output below. I know something isn't being escaped properly, but I have no clue how/what. Even if I copy and paste the $insert output directly to phpmyadmin, it returns the same error.

Code:

    //HTML Vars
    $firstName = $_POST['firstName'];
    $lastName = $_POST['lastName'];
    $email = $_POST['email'];
    $desc = $_POST['desc']; //This is a textarea with long description.
    $year = $_POST['date'];

    //MySQL - no connection issues
    $link = mysql_connect('localhost', '__uesr__', '__passwd__*');
    $db = mysql_select_db('__DB__', $link);

    $insert = "INSERT INTO images (firstName, lastName, email, descript, dateYear) VALUES ('$firstName' , '$lastName' , '$email' , '$desc' , '$year' ";
    $query = mysql_query($insert);
    if (!$query) {
        die ('Can\'t query ' . mysql_error());
    }
    echo $insert;

::OUTPUTS::

    Can't query You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
    INSERT INTO images (firstName, lastName, email, descript, dateYear) VALUES ('this' , 'is' , 'the@email.com' , 'and. the. description won\'t work.' , '3456'

Obviously I am a novice. I have tried using mysql_real_escape_string with and without stripslashes, but I'm not getting anywhere except more errors.
Any help would be greatly appreciated. And I don't care about SQL injection AT ALL. I just want the thing to work with proper escaping for the description if a user inputs special chars.
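An added example, not part of either post: it undoes magic_quotes_gpc once where the input is read and binds every value through a prepared statement, which avoids both the stored backslash described in the first post and the hand-built quoting in the second. Assumptions: PDO with an in-memory SQLite database stands in for MySQL so the script runs offline, gpc_value() is a hypothetical helper, and the $_POST data is constructed.

```php
<?php
// Added example, not the posters' code. Assumptions: SQLite in memory stands in
// for MySQL so this runs offline (needs pdo_sqlite); all input is constructed.

// Real setting; the function was removed in PHP 8, where magic quotes no longer exist.
$magicQuotesOn = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();

// Return the value the user actually typed, whatever the server setting.
// In a request handler, call it as gpc_value($_POST, 'desc', $magicQuotesOn).
function gpc_value(array $source, $key, $magicQuotesOn)
{
    $value = isset($source[$key]) ? $source[$key] : '';
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Constructed $_POST as a magic_quotes_gpc = On host delivers it: the setting
// applies addslashes()-style escaping before the script runs.
$typed = "and. the. description won't work.";
$post  = array(
    'firstName' => 'this', 'lastName' => 'is', 'email' => 'the@email.com',
    'desc' => addslashes($typed), 'date' => '3456',
);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (firstName TEXT, lastName TEXT, email TEXT, descript TEXT, dateYear TEXT)');

// Placeholders keep data out of the SQL text, so no manual escaping is needed.
$insert = $db->prepare(
    'INSERT INTO images (firstName, lastName, email, descript, dateYear)
     VALUES (:firstName, :lastName, :email, :descript, :dateYear)'
);

// Row 1 ignores the setting and stores the backslash; row 2 undoes it first.
foreach (array(false, true) as $undo) {
    $insert->execute(array(
        ':firstName' => gpc_value($post, 'firstName', $undo),
        ':lastName'  => gpc_value($post, 'lastName', $undo),
        ':email'     => gpc_value($post, 'email', $undo),
        ':descript'  => gpc_value($post, 'desc', $undo),
        ':dateYear'  => gpc_value($post, 'date', $undo),
    ));
}

foreach ($db->query('SELECT descript FROM images') as $row) {
    echo $row['descript'], PHP_EOL;
}
```

The INSERT echoed in the second post also ends at '3456' without the closing parenthesis of the VALUES list, which is consistent with the reported syntax error near ''.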