Hi,

I think the reason is that sqlite_escape_string() doubles single quotes to escape them.
However, you have magic_quotes_gpc set to 1 in php.ini
As such, incoming variables are escaped using backslashes.
A solution is to use stripslashes() on the incoming variables if get_magic_quotes_gpc() returns 1, since you can't change magic_quotes_gpc at runtime.
Alternatively, you can alter php.ini, but that's usually not practical.
Eugene Wee

Peter Jay Salzman wrote:
I've nearly completed converting Wheatblog to sqlite.  It's been quite a
learning experience!  I've come across a problem I haven't been able to
figure out, though.

Whenever I made a blog post that had a forward quote character (') in either
the title or the body of the post, I'd get an error.

After a little Googling, I changed my query to:
$query = "INSERT INTO $database_table
          (id, day, month, date, year, category, title, body, showpref)
          VALUES (null,
          '" . sqlite_escape_string($_POST['the_day']) . "',
          '" . sqlite_escape_string($_POST['the_month']) . "',
          '" . sqlite_escape_string($_POST['the_date']) . "',
          '" . sqlite_escape_string($_POST['the_year']) . "',
          '" . sqlite_escape_string($_POST['the_category']) . "',
          '" . sqlite_escape_string($_POST['the_title']) . "',
          '" . sqlite_escape_string($_POST['the_body']) . "',
          '" . sqlite_escape_string($_POST['the_showpref']) . "')";
DB_query($query, $db);
and the definition of DB_query is:
function DB_query($cmd, $db)
{
   // Run the statement; abort with the SQLite error message on failure.
   $retval = sqlite_query($db, $cmd)
      or die('Query Error: ' . sqlite_error_string(sqlite_last_error($db)));
   return $retval;
}

This works in the sense that forward quotes no longer generate an error.
However, whenever I print out a blog post, the forward quotes are all
escaped. So if I post:

   This contains a ' character.

The post, when printed looks like:

   This contains a \' character.

What's the proper way to ensure that ' characters are properly quoted but
don't show up in the output?

Thanks!
Pete
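Putting the stripslashes() suggestion into code, as an added example that is not from either message in this thread; it assumes the legacy PHP sqlite extension (sqlite_escape_string) and a PHP runtime old enough for get_magic_quotes_gpc() to be meaningful, and the table and column names are made up.

```php
<?php
// Added example, not from the original thread.
// Assumes the legacy PHP sqlite extension (sqlite_* functions).

// Return the raw user input: undo the backslash escaping that
// magic_quotes_gpc adds, but only when that setting is actually on,
// so the same code works with magic_quotes_gpc = 0 as well.
function raw_gpc($value)
{
    if (get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Quote a value for interpolation into a SQLite statement.
// The only escaping applied is SQLite's own: ' becomes ''.
function sqlite_literal($value)
{
    return "'" . sqlite_escape_string(raw_gpc($value)) . "'";
}

// Constructed sample: what $_POST['the_title'] looks like with
// magic_quotes_gpc on after the user typed:  This contains a ' character.
$posted_title = addslashes("This contains a ' character.");
// $posted_title is now:  This contains a \' character.

// Escaping without stripping the magic quotes first keeps the backslash.
// SQLite does not treat \ as an escape, so \' is stored verbatim and
// shows up when the post is printed (the symptom described above).
$double_escaped = "'" . sqlite_escape_string($posted_title) . "'";
// 'This contains a \'' character.'  -> stored: This contains a \' character.

// Stripping first gives a literal that stores the text exactly as typed.
$correct = sqlite_literal($posted_title);
// 'This contains a '' character.'   -> stored: This contains a ' character.

// Usage in the INSERT (table and columns are made-up names):
$query = "INSERT INTO posts (title, body) VALUES ("
       . sqlite_literal($posted_title) . ", "
       . sqlite_literal(addslashes("Body with a ' in it.")) . ")";
```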
