I'm quite frustrated. I want to be able to insert into my database names with single quotes - for example, O'Connor.
So, when inserting into the DB, I do:
$lname = mysql_real_escape_string($_POST['lname']);
And then I insert $lname into the DB.
When it's in the DB, it appears as O'Connor.
So, if I were to recall that last name in my web application, I will have to use:
$lname = stripslashes($r["lname"]);
This all seems to work fine. However, I have a search function which will search for last names and display the results. When I search, I have to search for O'Connor in order to get any results.
You see, after I search, the textbox automatically stores the value of what was just searched for (using sessions). So my code is this:
$search = mysql_real_escape_string($_GET['search']);
$_SESSION['search'] = $search;
Like I said before, when I search, I have to use "O'Connor", and then after I search, the value in the textbox becomes "O\\'Connor"
It's been frustrating trying to figure this out. Does anyone know what I'm doing wrong? Thanks!
EDIT:
Here is my php5.ini file, regarding magic quotes:
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
However, my site is hosted on GoDaddy, and I do not have permissions to edit the file :(
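An added example, not part of the original post: with magic_quotes_gpc = On, PHP has already put a backslash in front of the quote before the script sees the value, so escaping it again stores and redisplays the backslashes. The code below undoes magic quotes once at the input boundary, uses PDO bound parameters instead of hand escaping, and escapes for HTML only on output. The people table, the raw_input_value() helper and the in-memory SQLite database (standing in for MySQL, requires pdo_sqlite) are assumptions.

```php
<?php
// Added example, not the poster's code. Names below are hypothetical.

// Undo magic_quotes_gpc once, at the input boundary, so the rest of the
// code always works with the value the user actually typed.
function raw_input_value($value, $magicQuotesOn)
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// get_magic_quotes_gpc() was removed in PHP 8, hence the guard.
$magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

// Constructed sample: what $_GET['search'] contains for the name O'Connor
// when magic_quotes_gpc = On. In a real request, call
// raw_input_value($_GET['search'], $magicQuotesOn) instead.
$incoming = "O\\'Connor";
$search = raw_input_value($incoming, true);

// In-memory SQLite stands in for the MySQL database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (lname TEXT)');

// Bound parameters: the driver handles quoting, nothing is escaped by hand,
// and the stored value contains no backslash, so no stripslashes() on read.
$insert = $db->prepare('INSERT INTO people (lname) VALUES (:lname)');
$insert->execute(array(':lname' => $search));

$find = $db->prepare('SELECT lname FROM people WHERE lname = :lname');
$find->execute(array(':lname' => $search));
$row = $find->fetch(PDO::FETCH_ASSOC);

// Keep the raw value in the session. Escape only where the value is output,
// and for that context (HTML here), not with an SQL escaping function.
$_SESSION['search'] = $search;
echo '<input type="text" name="search" value="'
    . htmlspecialchars($_SESSION['search'], ENT_QUOTES, 'UTF-8')
    . '">' . "\n";
echo 'Found: ' . htmlspecialchars($row['lname'], ENT_QUOTES, 'UTF-8') . "\n";
```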