stripslashes cut off data

[StrangerInBeijing]

This is supposed to be simple, but still.....

When saving a value to the database I use addslashes (so test'er become test\'er) ... no problem there.

But when I read it back I get this....
echo $row->$value = tes
echo stripslashes($row->$value) = tes

uuuurgh..drive me bonkers. I also checked get_magic_quotes_gpc(), and then add or stripslashes.
Dont want to edit my php.ini as I'm not sure where I will host this site yet.

[dclamp]

can you post the code you use to put it into the db?

[StrangerInBeijing]

The

Code:

$set .= $value."='".addslashes($_POST[$value][$count])."',";

in

Code:

	function update_continent($columns,$count)  {		
		$id = '';
		$set = '';
		foreach ($columns as $value)  {
			if($value=='id') {
				$id = $_POST[$value][$count];
			} else {
				$set .= $value."='".addslashes($_POST[$value][$count])."',";		
			}
		}
		//get the translation id for this continet
		$sql = "SELECT translation_id FROM continents WHERE id=".$id;
		$results =  $this->conn->query($sql);
		$record = $results->fetch_array();
		$translation_id=$record['translation_id'];
		$set = substr($set,0,strlen($set)-1);
		$sql = "UPDATE translations SET ".$set." WHERE id=".$translation_id;
		$this->conn->query($sql);		
	}

[StrangerInBeijing]

oh oh...I just realized that that build a sql string (whre there's sth to escape) like this:
UPDATE translations SET en='tes\\\'er',af='aaa' WHERE id=1439

[dclamp]

i dont see any problem with it. Wait to have penagate or manavo look at it. they might see something wrong.

sorry!

[StrangerInBeijing]

Mendhaaaaaaaakkkkkkk!!!!!!!!!

[dclamp]

haha no not mendhak. he is a asp.net guru. good luck

[StrangerInBeijing]

Mendhak knows everything....conversation over.

For whoever comes along to check this out....
1) For what it matter, I'm working on a WinXP machine with WAMP Server (not sure if this got sth to do with add / strip slashes

[RudiVisser]

Have you tried using mysql_real_escape_string?

[penagate]

That function is so confusing I don't even know what it's supposed to do, let alone why it's not doing it.

Make it simpler. Pass in the fields as a hashtable. Run mysql_real_escape_string on each value as you build the query. Don't escape anything before this final step.

You may want to reverse the effect of magic quotes at the start of the script.

PHP Code:

if (@get_magic_quotes_gpc())
{
  array_walk_recursive($_GET, 'stripslashes');
  array_walk_recursive($_POST, 'stripslashes');
  array_walk_recursive($_COOKIE, 'stripslashes');
} 


[StrangerInBeijing]

My function?
It's pretty cool actually (the idea..sure anyone can code it better).
Bottom line is when a language get "activated", the code check if a column for that language exists in the translation table, and if not create it.
So for whatever insert/update code I write I can never know exactly how many columns there are, so had to come up with a "different" approach.

Back to the slash thing. Let me try your code.
Weird thing I just realized is that on another page I also query to get the value, without using stripslases and it display just fine (just a string i echo), but on the "edit" page where i show the value in a text box.....cut off.

Will fiddle around using this array_walk thing you just send me (yeah, php dumbnut me)

[StrangerInBeijing]

NO bloody hell.

I check for magic quotes using "if (@get_magic_quotes_gpc())" and use "addslashes(" before saving the value to the database.
This works fine as in phpmyadmin i see "Lao People\'s Republic"

Reading it back is the b!tch!!!!!
Once again use "if (@get_magic_quotes_gpc())" and use "stripslashes(.." but the above will show "Lao People".
If not using stripslashes, it show "Lao People\" ... why so complicated?

Why they dont just build this into msqli so we dont have to worry abut it....uurgh

[StrangerInBeijing]

Have you tried using mysql_real_escape_string?

same result

[penagate]

This works fine as in phpmyadmin i see "Lao People\'s Republic"

No, no, no. The backslash must not go into the database.

Why they dont just build this into msqli so we dont have to worry abut it....uurgh

If you are using mysqli, use parameters so that you don't have to worry about this nonsense.

[StrangerInBeijing]

The bit I know I learned from a book, which suggested mysqli. Seeing it's "newer" I sticked to it, but don't know what you mean use parameters.
Mind giving me a push in right direction?

[StrangerInBeijing]

You mean this? (just googled) <?php

Code:

$mysqli = new mysqli('localhost', 'user', 'password', 'world');

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
$stmt->bind_param('sssd', $code, $language, $official, $percent);

$code = 'DEU';
$language = 'Bavarian';
$official = "F";
$percent = 11.2;

/* execute prepared statement */
$stmt->execute();

printf("%d Row inserted.\n", $stmt->affected_rows);

/* close statement and connection */
$stmt->close();

/* Clean up table CountryLanguage */
$mysqli->query("DELETE FROM CountryLanguage WHERE Language='Bavarian'");
printf("%d Row deleted.\n", $mysqli->affected_rows);

/* close connection */
$mysqli->close();
?>

[penagate]

Yeah, that's the one.

[StrangerInBeijing]

so no stripslashes, addslashes, real_escape_string or any of that no more?

[penagate]

You may want to keep the code that runs stripslashes if magic quotes are enabled. Don't add slashes into parameter variables.

[StrangerInBeijing]

Dont know how to use that in a scenario like this.
Thing is I cannot know how many columns there will be in the table. A column for a language get added when a language are activated.

My code use the following function to add a record, by passing 2 arrays, one with the column names that were determined ealier that will look like:
[0]='id', [1]='en',[2]='zh' and so on (this will be the columns currently in the translation table.
The second array is the values and will look like [en]='English Value',[zh]='Chinese Value, and so on.
I call the following function passing this two arrays:

Code:

function add_translation($columns,$post)  {
	//start the query string
	$sql = "INSERT INTO translations(";
	//add the columns to which data will be written
	foreach ($columns as $value)  {
		if($value!='id')
			$sql .=$this->slash($value).",";
	}
	//remove the comma that will be at end and add bracket
	$sql = substr($sql,0,strlen($sql)-1).") VALUES(";
	//add the values to the query string
	foreach ($columns as $value)  {
		if($value!='id')
			$sql.= "'".$post[$value]."',";
	}
	//remove the comma that will be at end and add bracket
	$sql = substr($sql,0,strlen($sql)-1).")";
	//excecute and return new id
	$this->conn->query($sql);
	return mysqli_insert_id($this->conn);
}

[StrangerInBeijing]

maybe i should do sth like this? (does not work though)

idea is do one value at a time, starting with and insert (as the en (english) column and id column will always be present.

Code:

	function add_translation($columns,$post)  {
		//we will always have english, so use english value to CREATE new record
		$stmt = $this->con->prepare("INSERT INTO translations VALUES (?)");
		$stmt->bind_param('s', $lang);
		$lang = $post['en'];
		$stmt->execute();
		if($stmt->affected_rows < 1)
			return 'could not insert';
		$newid = mysqli_insert_id($this->conn);
		foreach ($columns as $value)  {
			if($value!='en' && $value!='id')  {
				$stmt = $this->con->prepare("UPDATE translations SET ".$value." =? WHERE id=?");
				$stmt->bind_param('si',$value,$newid);
				$stmt->execute();
				$stmt->close();				
			}
		}
	}

[StrangerInBeijing]

trying the old way again, but going insane....

mysqli_real_escape_string($this->conn, $post[$value]) ... this insert "aaa's" as "aaaa\'s" in the database. (which they say is wrong).....so no matter how one try to read it back, you never get it right.

[StrangerInBeijing]

seems you are wrong penegate

The following function works fine:

Code:

function add_translation($value)  {
	$stmt = $this->conn->prepare("INSERT INTO translations (en) VALUES (?)");
	$stmt->bind_param('s', $value);
	/* execute prepared statement */
	$stmt->execute();
	/* close statement and connection */
	$stmt->close(); 
	return mysqli_insert_id($this->conn);
}

It will save "aaa's" as "aaa\'s" in the database.
And if I read that back without stripslashes I get "aaa\", while with stripslashes I get "aaa"

[StrangerInBeijing]

oh god..all this time wasted.
check this out.....
if if try display the value as above inside a text box it does that.
when i display it as text on a page it shows correctly

[StrangerInBeijing]

hahhaahahhahahahaha

changed

Code:

<input name=".$value."[] type='text' id=".$value." value='".stripslashes($row->$value)."' />

to

Code:

<input name=".$value."[] type='text' id=".$value." value=".stripslashes($row->$value)." />

fine!!!!!!!!!!!!!