Why are my (") preceded by a (\) when I use the post function in PHP?



bkress
January 16th, 2004, 04:20 AM
Why are my (") preceded by a (\) when I use the post function in PHP? Is there a way to halt this?

No matter what, when you use "quotes" in a document and use PHP to send it, it will always put a \ before them, e.g. \". Incidentally, every time you save the document after that, it adds another \, e.g. 2 saves = \\", 3 saves = \\\", and so on.

Every PHP script I have used does this :crazy:

Does anyone know anything about solving this problem, or even why it does it?

.zimone
January 16th, 2004, 06:07 AM
I think that you should use ' inside a "" section

for example:
$query = "SELECT * FROM name WHERE sth='$other' and sth2=$other2 ORDER BY other";

You see,
the query is = "..."
and inside you have other sections... BUT you're inside "..." so you use '...'

It's because of the differences between '...' and "..."
Alternatively you can use \"...\" instead of '...'

r

norie
January 16th, 2004, 07:26 AM
" (double quote)
' (single quote)
`(back quote thingy)

These characters all indicate the start of a new string in PHP (and in most all languages). A valid string must have a start and end quote:

"this is a valid string"
"this is not" a valid string"
In the above example "this is not" is a valid string but 'a valid string"' is not, so PHP tries to interpret the non-string as PHP and turns everything else into a string. The same goes for single quotes:

'this is a valid string'
'although this one isn't'

the same rules for a double quote apply to the single quote. As you can see from the example above, this can get messy if you wanted to use single quotes ( ' ).

escaped characters:
escaped characters allow special characters to be used (such as single quotes). Escaped characters are preceded by a backslash (\):

'this is a valid string'
'although this one isn\'t'
So instead of PHP interpreting ' as the start of a new string, it interprets \' as a single quote.

common escape characters:
\n - creates a new line (same as pressing enter)
\' - single quote
\" - double quote
\\ - backslash
\t - tab

why does php add escape characters?
There is a thing in PHP called magic quotes gpc which, if turned on, adds escape characters to all GET/POST/Cookie (GPC) operations. It can be turned on/off at runtime (if the server allows) or in the php.ini file. To check whether it is on or not:

get_magic_quotes_gpc() // will return true if on, false if not

There are many important reasons WHY this is turned on: security, and the fact that it could mess up a SQL query, just to name a few. In fact it is important to escape a string before a query if magic quotes aren't on:

if (!get_magic_quotes_gpc()) {
    // escape only when PHP has not already done it
    $mystring = addslashes($mystring);
}

I'll use mysql_real_escape_string() too though.

Finally, in order to rid yourself of the slashes, just use the function stripslashes to remove the escape characters:

$myunescapedstring = stripslashes($myescapedstring);
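
The save-after-save backslash growth from the first post, next to a save cycle that removes the automatic escaping once and stores the value through a bound parameter. This is an added example, not code from any poster in this thread. Assumptions: the function names and the `notes` table are hypothetical, the sample input is constructed, `pdo_sqlite` is available, and magic quotes is simulated with `addslashes()` because the setting itself was removed in PHP 5.4.

```php
<?php
// Added example, not code from the thread. Names and sample input are constructed.

// What magic_quotes_gpc did to every GET/POST/Cookie value on arrival.
function simulate_magic_quotes(string $raw): string {
    return addslashes($raw);
}

// Buggy save cycle: the escaped value is stored and echoed back into the
// form as-is, so the next POST escapes the previous round's backslashes too.
function save_without_unescaping(string $text, int $saves): string {
    for ($i = 0; $i < $saves; $i++) {
        $text = simulate_magic_quotes($text);
    }
    return $text;
}

// Fixed save cycle: undo the automatic escaping once at the input boundary,
// then hand the raw value to the database as a bound parameter.
function save_with_bound_parameter(PDO $db, string $posted): string {
    $raw = stripslashes($posted);               // exactly one layer removed
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);          // value is never parsed as SQL
    return $db->query('SELECT body FROM notes ORDER BY id DESC LIMIT 1')
              ->fetchColumn();
}

$input = 'She said "it\'s done"';               // constructed sample input

foreach ([1, 2, 3] as $n) {
    echo "$n save(s): ", save_without_unescaping($input, $n), "\n";
}

$db = new PDO('sqlite::memory:');               // assumes pdo_sqlite is loaded
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

$text = $input;
for ($n = 1; $n <= 3; $n++) {
    // Each round: the browser posts the stored text, magic quotes escapes it.
    $text = save_with_bound_parameter($db, simulate_magic_quotes($text));
}
echo "after 3 fixed saves: $text\n";
var_dump($text === $input);                     // stored text equals the input
```
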

λ
January 16th, 2004, 11:00 AM
and the fact that it could mess up a SQL query

yup, in fact whenever someone asks me to test a web app, I always try entering this:


'; DROP DATABASE mysql; --

:bad: :bad:

norie
January 16th, 2004, 02:29 PM
:P exactly