MakeWebGames

Posted

This is definitely a simple fix but for some reason I'm stumped. I made a small mod on my game for players to talk through gang mail, where everyone can view and talk. The problem is that every time a ', ", \ is entered, another backslash (\) is posted behind. I referred back to forum posts and things like that, and I just don't see what I did wrong. 8|

 

function gang_gangmail()
{
    global $db, $ir, $c, $userid, $gangdata, $bbc;
    // Only handle a submission when the textarea actually contained something.
    if (!empty($_POST['gmtext']))
    {
        $picture = $ir['display_pic'];
        // Flag one new unread gang mail for every member of the poster's gang.
        $db->query("UPDATE users SET new_gangmail=new_gangmail+1 WHERE gang={$ir['gang']}");
        // Store the message; the text is escaped once here for the SQL string literal.
        $db->query("INSERT INTO gangmail VALUES('', {$gangdata['gangID']}, unix_timestamp(), '".$db->escape($_POST['gmtext'])."', '$picture', {$ir['userid']}, '{$ir['username']}', {$ir['user_level']}, {$ir['donatordays']})");
        print "Your Gang Mail has been posted.
<meta http-equiv='refresh' content='1;url=/yourgang.php?action=readgangmail' />";
    }
    else
    {
        // No submission yet: show the compose form.
        print "[b]Gang Mail[/b]
<form action='yourgang.php?action=gangmail' method='post'> Text:
<textarea name='gmtext' rows='8' cols='60'></textarea>
<input type='submit' value='Send' /></form>
";
    }
}

 

Any help would be greatly appreciated! :thumbsup:

Posted

Thought about not double escaping?

I'll elaborate.

magic_quotes is more than likely turned on for you, which appends the function addslashes() to _POST, _GET, _COOKIE.

Then when it comes time for you to escape it yourself (note: $db->escape() within the query), while doing what you should be doing, you're actually double escaping said variable, which isn't a good thing.

Neither mysql_real_escape_string() nor addslashes() will actually store the backslash in the database; however, if you double escape you will end up with one in your database.

Solutions:

Turn off Magic_quotes.

If it's not possible for you to turn off Magic_quotes (will be removed in PHP6) then stripslashes() before escaping in your queries.

Maybe create a function for this, or perhaps look into array_walk(), count() those can help when dealing with this problem.

if (get_magic_quotes_gpc())
{
	// Undo the addslashes() that magic_quotes_gpc applied to every request value,
	// so the query code below can escape each value exactly once.
	function callback_stripslashes(&$val, $name)
	{
		// Only strings carry the added slashes; stripslashes() on an array would
		// emit a warning, so nested arrays are left to the recursive walk.
		if (is_string($val))
			$val = stripslashes($val);
	}

	if (count($_GET))
		array_walk_recursive($_GET, 'callback_stripslashes');
	if (count($_POST))
		array_walk_recursive($_POST, 'callback_stripslashes');
	if (count($_COOKIE))
		array_walk_recursive($_COOKIE, 'callback_stripslashes');
}

**Found in Pastebin source.

// Strip the magic_quotes slashes first, then escape once for the SQL literal.
$db->query('UPDATE `table` SET `string` = "'.$db->escape(stripslashes($var)).'" ');
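As an added example (not code from either poster), the buggy and fixed flows side by side in PHP, with addslashes() standing in for $db->escape() and stripslashes() modelling how MySQL decodes a quoted literal; it assumes magic_quotes_gpc=On, which PHP 5.4 removed, so it recreates that behaviour by hand.

```php
<?php
// Added example: simulates what magic_quotes did to $_POST and what ends up
// stored, without needing a database connection.

// What the player typed (constructed sample input).
$typed = "It's a \"test\" with a backslash \\";

// Stand-in for the DB layer's escape(): the real call needs a connection, but
// addslashes() models the same backslash-doubling for ' " and \.
function db_escape(string $s): string { return addslashes($s); }

// What MySQL stores after parsing a quoted literal: the escaping is undone.
function mysql_stored(string $escaped): string { return stripslashes($escaped); }

// magic_quotes_gpc=On ran addslashes() over every request value before the script.
function simulate_magic_quotes(string $raw): string { return addslashes($raw); }

// Buggy flow from the question: escape the already-slashed value.
function stored_when_double_escaped(string $raw): string {
    $post = simulate_magic_quotes($raw);
    return mysql_stored(db_escape($post));
}

// Fixed flow from the answer: stripslashes() first, then escape exactly once.
function stored_when_fixed(string $raw): string {
    $post = simulate_magic_quotes($raw);
    return mysql_stored(db_escape(stripslashes($post)));
}

printf("typed : %s\n", $typed);
printf("buggy : %s\n", stored_when_double_escaped($typed)); // extra backslashes
printf("fixed : %s\n", stored_when_fixed($typed));          // identical to typed
```

On PHP 5.4 and later magic quotes no longer exist, so only the single escape step applies; prepared statements with bound parameters remove the manual escaping step altogether.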
