[thelist] Single and double quotes - forms and mysql

Bob Meetin bobm at dottedi.biz
Mon Sep 23 21:49:03 CDT 2013


I'm trying to solve a problem of inserting form data that may contain single/double quotes into mysql without using mysql_real_escape_string combined with addslashes or stripslashes.

SQL injection is not a concern as the form(s) will only be accessible to a password-protected administrator.

Why not addslashes/stripslashes/mysql_real_escape_string? The function that outputs content to the visitor is controlled by joomla and I cannot (at least easily) sort out how to fix it to add 'stripslashes' without breaking something else and future upgrades. Dominoes. The output pages will contain both joomla content and the supplemental content I will be adding to specific pages.

I want to avoid having a ton of backslashes in the output, as in

<div class=\'myclass\'>Single quotes</div>  or <div class=\"myclass\">Double quotes</div>

I don't know that this actually breaks anything, SEO or validation, but it looks awfully wrong.

I looked through the content as stored in the joomla article content table and it is stored straight, without backslashes escaping either single or double quotes, so presumably the joomla input forms use a custom method to sanitize the data.

mysql> select id, title, introtext from  akxzm_content where title like "%o%"  order by id desc limit 1;
+------+------------------------+------------------------+
| id   | title                  | introtext              |
+------+------------------------+------------------------+
| 5145 | Bob's Wonderful "Life" | Bob's Wonderful "Life" |
+------+------------------------+------------------------+
1 row in set (0.00 sec)

How do you set up form text fields and the mysql insert so that both will work with either single or double quotes as above?

Too bad backticks do not seem to work. I've also looked into converting both single and double quotes into "&apos;" and "&quot;" but am not satisfied with that as the best solution.

-- 
Bob Meetin
www.dottedi.biz
303-926-0167 (m)
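The storage behaviour the post asks about, as an added example that is not from the original post or from Joomla's code: with PDO bound parameters the value never becomes part of the SQL text, so the row is stored exactly as typed and no stripslashes() is needed at output time; the same mechanism also closes the injection path regardless of who can reach the form. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline (the same code applies with a mysql: DSN), and the table and column names are constructed.

```php
<?php
// Added example (not from the original post or Joomla): store and read back
// a title containing both quote styles using PDO bound parameters.
// Assumption: sqlite::memory: stands in for MySQL so this runs offline;
// with a 'mysql:host=...;dbname=...' DSN the same code applies unchanged.
declare(strict_types=1);

function storeAndFetchTitle(PDO $db, string $title): string
{
    // Constructed schema mirroring the id/title pair shown in the post.
    $db->exec('CREATE TABLE IF NOT EXISTS content (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

    // The value is sent separately from the statement text, so no
    // addslashes()/mysql_real_escape_string() is applied by hand and
    // nothing has to be stripped back out when the row is displayed.
    $insert = $db->prepare('INSERT INTO content (title) VALUES (:title)');
    $insert->execute([':title' => $title]);
    $id = (int) $db->lastInsertId();

    $select = $db->prepare('SELECT title FROM content WHERE id = :id');
    $select->execute([':id' => $id]);
    return (string) $select->fetchColumn();
}

// Constructed sample input: the value from the post's mysql> output.
$input = 'Bob\'s Wonderful "Life"';

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stored = storeAndFetchTitle($db, $input);

// Round trip is byte-for-byte identical: no backslashes were ever added.
var_dump($stored === $input); // bool(true)

// Where the backslash debris in the post comes from: escaping twice
// (e.g. magic_quotes_gpc on PHP < 5.4 plus an extra addslashes()).
// MySQL removes one layer when it parses the statement; the other layer
// survives and is what ends up in the stored row and on the page.
echo addslashes($input), "\n"; // Bob\'s Wonderful \"Life\"

// Quoting for HTML is a separate, output-time step, applied only where
// the value is rendered, never before it is stored.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
// Bob&#039;s Wonderful &quot;Life&quot;
```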


