Backslashes all other the place

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Ok so this is the text i type into the database:

this is some 'example text' and is a "test"

and this is what is displayed when its in the database:

this is some 'example text' and is a \"test\"

is there anyway to stop that? or hide the backslahes?

Thanks, James.

Re: Backslashes all other the place

James54321 wrote:

Quoted text here. Click to load it

Hi James,

Your question is too vague to give a sensible answer.
What do you mean by 'type into database'?
Do you type directly into the database or do you use a html-form with PHP at  
the backend inserting/updating the database?

If the latter, are you sure the backslashes are actually IN the database, or  
do you see some output somewhere on a webpage that contains them?
Check this by direct querying the database from commandline. It is very well  
possible they are added by PHP, and are stored just fine in the database.

I am not teasing you: The backslashmatter is very important to understand  
for a programmer, because it protects against crackattacks like  

Read more here:

Be sure to follow the links to:
stripslashes(), htmlspecialchars(), and get_magic_quotes_gpc().

Erwin Moller

Re: Backslashes all other the place

Ok then it gets submitted via a html/php page i made that then inserts
it into the databsase.

And this is actually what is kept in the db:
this is some 'example text' and is a \"test\"

so i'm guessing that strip slashes function is what i need to use
i'll try that.

Thanks, James.

Re: Backslashes all other the place

James54321 wrote:

Quoted text here. Click to load it

Hi James,

OK, I think it might make more sense to avoid adding them in the first  
I expect you have somehow a double call to add_slashes().
This happens easily if:
1) magic_quotes_gpc is on.
2) PHP adds slashes before inserting into the db.

Suppose PHP receives formdata for a text element named firstname that  
contains quotes and doublequotes, eg

if magic_quotes_gpc is on, and you put this into some variable :
$firstname = $_POST["firstname"];

now $firstname contains: Hel'l\"o

If you call addslashes again, you'll end up with:

If you insert that into a database, the database will (correctly) assume  
that the \ means escaping the next character, and end up with:

Erwin Moller


[from ]
string addslashes ( string str )

Returns a string with backslashes before characters that need to be quoted  
in database queries etc. These characters are single quote ('), double  
quote ("), backslash (\) and NUL (the NULL byte).

An example use of addslashes() is when you're entering data into a database.  
For example, to insert the name O'reilly into a database, you will need to  
escape it. Most databases do this with a \ which would mean O'reilly. This  
would only be to get the data into the database, the extra \ will not be  
inserted. Having the PHP directive magic_quotes_sybase set to on will mean  
' is instead escaped with another '.

The PHP directive magic_quotes_gpc is on by default, and it essentially runs  
addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on  
strings that have already been escaped with magic_quotes_gpc as you'll then  
do double escaping. The function get_magic_quotes_gpc() may come in handy  
for checking this.  

Re: Backslashes all other the place

I dont add slashes (i dont see why anyone would) so to make things
simpler here is the code to eneter items into the db how do i alter it
so my db doesnt have all those backslashes ...or is that for some
reason ie will it kill my code if it isnt there?

I thought i could just tweek the db's collation (whatever that is) to
something that doesnt add those horrible backslahes.


Here's my code:

if (isset($_POST['submit'])) {
// form submitted
// set server access variables

// get form input
    // check to make sure its all there
    // escape input values for greater safety

        $Idea_Name = empty($_POST['Idea_Name']) ? die ("ERROR: Enter the
Idea Name") : mysql_escape_string($_POST['Idea_Name']);
        $Category = empty($_POST['Category']) ? die ("ERROR: Enter the
Category") : mysql_escape_string($_POST['Category']);
        $Idea = empty($_POST['Idea']) ? die ("ERROR: Enter the Idea") :

    // open connection
    $connection = mysql_connect($host, $user, $pass) or die ("Unable to

    // select database
    mysql_select_db($db) or die ("Unable to select database!");

$date = date("Y-m-d");
$time = date("H:i:s",(time()+6*3600));

    // create query
    $query = "INSERT INTO ideas (Idea_Name, Category, Idea, Date, Time,
IP_Address) VALUES

    //replace sites with your table name
    //replace address and description with the filed name

    // execute query
    $result = mysql_query($query) or die ("Error in query: $query.

    // print message with ID of inserted record
    echo "New record inserted at $time it will now go to the

    // close connection

And if you need it this is where that page is on the web:


Re: Backslashes all other the place

James54321 wrote:
Quoted text here. Click to load it

Go back to Erwin's post and read this:

 > 1) magic_quotes_gpc is on.

I.e. have a look at your php config settings using phpinfo()

Site Timeline