Requesting help with preg_replace problem

Status
Not open for further replies.

CHeighlund

Programmer
Jun 11, 2007
163
US
I'm working on a web form designed to put information into a database and display it at the same time. One of the fields is a textarea, and I'm running into a problem with it. If the text in the textarea includes an apostrophe, it goes into the database correctly, but displays on screen as the (\') set. How do I remove the extraneous \ character? I thought I could do this with preg_replace, but every attempt I've made so far has either done nothing, or thrown an error.
 
You probably have magic quotes turned on in your PHP configuration. This is a "security" (?) feature of PHP whereby it will automatically escape quote marks in GET, POST, and COOKIE data. The idea is "fix" input so that putting those variables directly into your SQL string without validating them won't cause problems.

The solution to your immediate problem is to use stripslashes(). The better solution is to turn off magic quotes and validate everything that you put in SQL queries manually. An even better solution would be to not put user input directly into SQL statements at all, but rather to use the prepared/parameterized queries available in the PDO and MySQLi extensions.
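
An added illustration of the reply above (not code from the thread or its posters): undoing magic-quotes escaping only when it was applied, then storing the text through a PDO prepared statement. The helper names, the `notes` table and its `body` column are hypothetical, and an in-memory SQLite database stands in for the poster's database; the prepare/execute calls are the same with PDO's MySQL driver.

```php
<?php
// Added example. The helper names, the notes table and its body column are hypothetical.

// True only where magic quotes exist and are on; the function is gone in PHP 8.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Undo magic-quotes escaping once, and only when it was actually applied.
function raw_input_value($value, $quoted = null)
{
    if ($quoted === null) {
        $quoted = magic_quotes_active();
    }
    return $quoted ? stripslashes($value) : $value;
}

// Constructed sample: what $_POST would hold for this text with magic_quotes_gpc on
// (a backslash in front of each apostrophe).
$submitted = addslashes("It's the user's text");
$comment   = raw_input_value($submitted, true);

// In-memory SQLite keeps the example offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// The text is bound as a parameter, so its quote characters never reach the SQL parser.
$insert = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$insert->execute(array(':body' => $comment));

$select = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
$select->execute(array(':id' => $pdo->lastInsertId()));
$stored = $select->fetchColumn();

// The stored text carries no backslashes; escape for HTML only at output time.
echo '<p>' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "</p>\n";
```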
 
Thank you. I stumbled on that because I was expecting to have to validate everything for the SQL (and was intentionally attempting to break it and see the error); it was kind of surprising that I didn't.

Would it be asking too much to request the name of the correct config file to disable magic quotes?
 
It's in your php.ini file. The exact location of that file will depend on how your server is set up. The relevant variables are magic_quotes_gpc and magic_quotes_runtime.
 