
Cleaning input from a form

unable to kill quotes and apostrophes

         

roldar

2:17 am on May 12, 2004 (gmt 0)

10+ Year Member



I made a very basic message board on my web site, but I'm having a few problems. Whenever a user uses an apostrophe (') or a quote (") in their message, the message ends up being mangled. PHP starts interpreting their quotes and apostrophes rather than just leaving them as characters.

The book I'm using to learn PHP recommends using strip_tags($message) to get rid of HTML tags, but it doesn't seem to do anything to quotes or apostrophes. Somebody told me I should use addslashes($message) so that it would add a slash before each of these special characters so they wouldn't be interpreted.

I've got it set up like this: I enter info on a page, which redirects me to a preview page. On the preview page it validates the username/password, strip_tags($message), addslashes($message). It then puts the stripped & slashed $message into a hidden input in a form, and sends it to a third page which actually inserts the data into a mySQL database. For some reason it's not working correctly. The following is an example of some input I type in as the message:

-----------------
First nothing
second " quotes
third ' apostrophe

fifth q"uotes and a'postrophe "
------------------

And this is what is displayed when I pull the $message out of the database:
------------------
First nothing
second \\" quotes
third \\\
------------------

I went into my mySQL database to see how it was storing the message, and I found that it's storing the mangled version. So apparently I'm doing something wrong, or doing something right but at the wrong place.

I'm a bit baffled as to what's going on. Is there some other function that I should be using to get rid of the apostrophes and quotes? I don't want users to be able to use any HTML in their messages. I don't care whether it strips the HTML or just uses htmlspecialchars($message) to make them benign. But I need for the quotes and apostrophes to show correctly. Any help would be appreciated, as I've been unable to find a working fix for this on google or elsewhere.

willybfriendly

2:20 am on May 12, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Look for the stripslashes() function.

WBF

roldar

4:04 am on May 12, 2004 (gmt 0)

10+ Year Member



For some reason php or mySQL appears to automatically add slashes to quotes (") but not to apostrophes ('). From what I've read, the automatic insertion of slashes would mean magic_quotes_gpc is on. But why wouldn't it insert slashes before the apostrophes as well?

In fact, for some reason it appears as if a slash before an apostrophe doesn't even work. I tried $message=str_replace("'", "\'", $message); but when I inserted it into the database it got cut off at the \. Any reason why I can't escape apostrophes, but escaping quotes works?

willybfriendly

4:48 am on May 12, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



addslashes() puts the escapes in so you can store the data in a db. So,

$msg = "That's what's happenin'";
$msg = addslashes($msg);
echo $msg;

outputs

That\'s what\'s happenin\'

stripslashes() takes the escapes out so you can display on your page. So,

$msg = stripslashes($msg);
echo $msg;

outputs

That's what's happenin'

Spend some time poking around on the PHP site.

WBF

jatar_k

5:10 am on May 12, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I like to use mysql_escape_string [ca2.php.net] for inserting into db and stripslashes for output.
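The following is an added example, not code posted in the thread. It reproduces the doubled backslashes roldar reports (magic_quotes_gpc had already slashed $_POST, and addslashes() slashed it again) and shows what a practitioner would do instead of hand-escaping: undo the automatic slashes exactly once, keep the raw text in PHP, and let a prepared statement quote the value on the way into the database. The function names (simulate_magic_quotes, undo_magic_quotes, open_db, store_message, all_bodies) and the sample message are my own constructions. It assumes PHP 7 or later with the pdo_sqlite extension, and uses an in-memory SQLite table in place of the MySQL table so it runs offline; PDO itself postdates this 2004 thread, but with a MySQL DSN the statement is the same.

```php
<?php
// Added example, not code from the thread. Shows the double-escaping that
// magic_quotes_gpc + addslashes() produced, and the prepared-statement route
// that needs neither. Assumes PHP 7+ with pdo_sqlite (SQLite stands in for MySQL).

// What magic_quotes_gpc did to every request value: the same transformation as addslashes().
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Undo exactly one layer of automatic slashes. On PHP < 5.4 this should only be
// done when get_magic_quotes_gpc() is true; on later versions the setting is gone
// and $_POST already holds the raw text.
function undo_magic_quotes(string $posted): string
{
    return stripslashes($posted);
}

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// Insert with a bound parameter: the driver quotes the value, so an apostrophe
// (or a deliberately placed quote) never terminates the SQL string literal.
function store_message(PDO $pdo, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

function all_bodies(PDO $pdo): array
{
    return $pdo->query('SELECT body FROM messages ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input, the same shape as the test message in the thread.
$raw    = "Hello there \"bill\"\nHow's it going?";
$posted = simulate_magic_quotes($raw);   // what the script received with magic quotes on
$double = addslashes($posted);           // what calling addslashes() on top of that produced

echo "received from the form: ", $posted, "\n";
echo "after a second addslashes(): ", $double, "\n";

$pdo = open_db();
store_message($pdo, undo_magic_quotes($posted));

// A quote-terminating payload is stored as plain text for the same reason the
// apostrophe is: the parameter is never spliced into the SQL text.
store_message($pdo, "x'); DELETE FROM messages; --");

foreach (all_bodies($pdo) as $i => $body) {
    echo "row ", $i + 1, ": ", $body, "\n";
}
echo "first row identical to the original input: ",
     var_export(all_bodies($pdo)[0] === $raw, true), "\n";
```

Two things worth noting. The truncation at the apostrophe that roldar describes is the same mechanism an attacker uses for SQL injection: an unescaped quote ends the string literal and whatever follows is parsed as SQL. Binding the value removes that whole class of bug, whereas addslashes() and mysql_escape_string() only paper over it and, as the thread shows, are easy to apply twice. And the stored row should be the raw text; slashes belong to the transport (SQL or HTML) and should never end up in the table, so stripslashes() on the way out is a sign that escaping happened in the wrong place.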

roldar

5:18 am on May 12, 2004 (gmt 0)

10+ Year Member



I understand how addslashes() and stripslashes() work, it's just that they don't appear to be working correctly.

Since my server has magic_quotes_gpc on, even when I don't addslashes() things before I put them in the database, it tacks slashes on before the double quotes. However, it doesn't tack them on the apostrophes for some reason. When I use addslashes() on a string it doubles them up on my strings before putting them in the database.

The problem is that I can correctly put in and take out strings with double quotes in them, but if there's an apostrophe in there anywhere, even one that's supposedly been escaped, it simply cuts the string off at the \ that was supposed to escape the apostrophe, before it gets put into the database. I read that apostrophes should be doubled up rather than escaped with a slash before them, but that doesn't work when I use the str_replace.

When I input the following:
============================
Hello there "bill"
How's it going?
============================
the database contains:
============================
Hello there \"bill\"
How\
============================
So when I want to display this, I do a stripslashes($message), and it prints out the following:
============================
Hello there "bill"
How
============================

So I guess I'm wondering why the database refuses to accept apostrophes. I don't think my problem is the stripslashes() or addslashes().

roldar

6:21 am on May 12, 2004 (gmt 0)

10+ Year Member



I think I may have narrowed down the problem, and I don't think it's a mySQL problem at all. I've got my pages set up like this: I enter a message into a form, then it goes to a separate preview page, which gets the message using $_POST. Then it strips it of html tags and adds slashes to it. All this appears to be working fine, but where I think I'm running into the problem is when I move the message to the final page where it gets posted. I think that when I put it in the hidden form field to pass it along it's getting mangled.

The hidden form field is the following:

echo "<input type='hidden' name='form_message' value='".$form_message."'>";

So the actual html looks like this:

<input type='hidden' name='form_message' value='Hello there \"bill\"<br>How\'s it going?'>

I'm thinking the html is cutting it off thinking How\ is the end of the hidden form field's value. Is this possible? And if so, ideas how to get around it?

Thanks for all the help guys.

roldar

6:37 am on May 12, 2004 (gmt 0)

10+ Year Member



Hey, I figured it out.

Since I don't think there's a way to change an ' into &apostrophe, I just used htmlspecialchars($form_message) to change the " into &quote, then changed my previous echo with the hidden form field to:

echo '<input type="hidden" name="form_message" value="'.$form_message.'">';

Ah well, you live and learn.

Thanks again for the help guys.
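Added example (my own code, not roldar's fix as posted). It reproduces the hidden-field cut-off and the repaired version side by side. A backslash means nothing to an HTML parser: an attribute value ends at the first quote character matching the one that opened it, so value='...How\'s...' stops at How\ and everything after it is parsed as markup. Escaping for the HTML context with ENT_QUOTES turns both ' and " into entities, so the quoting style of the attribute no longer matters and the browser posts the original text back. The function names hidden_field_broken, hidden_field_fixed and value_as_browser_posts_it, the sample message and the single-quote payload are constructed for this example; the "browser" is a deliberately small imitation of attribute parsing, not a real HTML parser. Assumes PHP 5.4 or later.

```php
<?php
// Added example, not code from the thread. Compares the single-quoted,
// addslashes()'d hidden field with an ENT_QUOTES-escaped one, and imitates
// what a browser would extract and POST back from each. Assumes PHP 5.4+.

// The original construction: single-quoted attribute, value slashed as if for SQL.
function hidden_field_broken(string $msg): string
{
    return "<input type='hidden' name='form_message' value='" . addslashes($msg) . "'>";
}

// The fix: entity-encode for HTML. With ENT_QUOTES both ' and " become entities
// (&#039; and &quot;), so neither can close the attribute.
function hidden_field_fixed(string $msg): string
{
    return '<input type="hidden" name="form_message" value="'
         . htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . '">';
}

// Imitate how a browser recovers the value: the text between the quote that
// opened value= and the next identical quote, with entities decoded. This is
// what the next page would receive in $_POST['form_message'].
function value_as_browser_posts_it(string $html): string
{
    if (!preg_match('/value=(["\'])(.*?)\1/s', $html, $m)) {
        return '';
    }
    return html_entity_decode($m[2], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the thread's test message, and a payload whose single
// quote closes the broken attribute so the rest lands outside it as live markup.
$message = "Hello there \"bill\"\nHow's it going?";
$payload = "'><script>alert(document.cookie)</script><input value='";

foreach ([$message, $payload] as $input) {
    $broken = hidden_field_broken($input);
    $fixed  = hidden_field_fixed($input);

    echo "--- input:\n", $input, "\n";
    echo "broken field posts back: ", var_export(value_as_browser_posts_it($broken), true), "\n";
    echo "fixed field posts back:  ", var_export(value_as_browser_posts_it($fixed), true), "\n";
    echo "broken markup contains a live <script> tag: ",
         var_export(strpos($broken, '<script>') !== false, true), "\n";
    echo "fixed markup contains a live <script> tag:  ",
         var_export(strpos($fixed, '<script>') !== false, true), "\n";
    echo "fixed markup: ", $fixed, "\n";
}
```

One caveat the thread's design leaves open: the hidden field goes out to the user's browser and comes back, so form_message on the final page is user-controlled input again, whatever the preview page did to it. The page that writes to the database has to treat it exactly like the first submission (re-validate, strip or encode tags, bind it in a prepared statement), and the page that displays the stored message has to run htmlspecialchars() again at output time. strip_tags() on the way in is not a substitute for escaping on the way out.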