-- Mauricio Cuenca <[EMAIL PROTECTED]> wrote
(on Thursday, 27 March 2008, 05:20 AM -0700):
> This post just gets me more confused, because I'm using $db->quote() in
> almost all my inserts, but when I get the data back, all my carriage returns
> are converted to \n\r

The above is likely something to do with your database or with the input
provided, not with Zend_Db.

> and single quotes become \'. I also used PHP's
> stripslashes() but it has no effect on carriage returns.

My guess is that you have magic_quotes_gpc on, so data is getting into the
database with quotes escaped. Please make sure this setting is off.

Zend_Db_Adapter::quote() itself will only escape quotes for insertion; when
you get them back from the database, they will not be quoted. What *can*
happen, however, is double escaping, which typically happens when you have
magic_quotes_gpc on *and* use a tool such as Zend_Db_Adapter::quote(); this
leads to the exact situation you've described.

> Is there an effective way to "unquote" results that were inserted using
> quote()?
>
> Thanks!
>
> Mauricio
>
>
>
> Matthew Ratzloff wrote:
> >
> > Hi Jared,
> >
> >> I'm just now learning all the intricacies of preventing SQL injection
> >> attacks. I understand the value of using Zend_Db quoting for values that
> >> can be manipulated by users.. what I can't find, though, is a good
> >> "unescape" command.
> >>
> >> If I have an article, for example, that I want to store and then retrieve
> >> and display, I'll quote the article before inserting it. This will,
> >> of course, escape all quotes, but it will also put a set of single quotes
> >> around my entire article. When I then retrieve the article and run
> >> "stripslashes()" to unescape the quotes, it leaves the surrounding single
> >> quotes.
> >
> > Looking at your example, I think you may be a little confused. Escaping
> > certain characters in preparation for use in an SQL statement simply
> > inserts the values as intended to be read by the end user into the
> > database. There's no need to unescape them following a SELECT statement
> > because no escape characters are stored in the database record.
> >
> > For anyone else that's curious--without escaping, someone might enter the
> > following:
> >
> > Username: admin
> > Password: ' OR '1' = '1
> >
> > If it's not properly filtered, it could break out of the "AND Password =
> > '(password)'" portion of the WHERE clause and return admin without
> > properly authenticating them.
> >
> > Hope that helps,
> >
> > -Matt
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/quoteOutOf--tp6416052p16324521.html
> Sent from the Zend Framework mailing list archive at Nabble.com.
>

--
Matthew Weier O'Phinney
PHP Developer            | [EMAIL PROTECTED]
Zend - The PHP Company   | http://www.zend.com/
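The double-escaping situation the reply describes, shown as an added example that is not code from this thread or from Zend Framework. It uses PDO with an in-memory SQLite database instead of Zend_Db so that it runs stand-alone: `addslashes()` stands in for what `magic_quotes_gpc` did to `$_POST` before the script ran (the setting was removed in PHP 5.4), `PDO::quote()` stands in for `Zend_Db_Adapter::quote()`, and the table, the article text and the `check()` helper are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example: reproduces "quote() once" versus "magic_quotes_gpc plus
// quote()" against an in-memory SQLite database. Nothing here is Zend_Db
// code; PDO::quote() plays the role of Zend_Db_Adapter::quote().

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)');

/** Small result printer for the checks below (constructed helper). */
function check(string $label, bool $ok): void
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $label . PHP_EOL;
}

/** Insert a body value using quote(), the way the original poster does. */
function insertArticle(PDO $pdo, string $body): int
{
    // quote() escapes the value for the SQL statement only; the database
    // stores the original characters, never the escape sequences.
    $pdo->exec('INSERT INTO articles (body) VALUES (' . $pdo->quote($body) . ')');
    return (int) $pdo->lastInsertId();
}

/** Read a body back exactly as stored; no unescaping step is needed. */
function fetchArticle(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM articles WHERE id = ?');
    $stmt->execute([$id]);
    return (string) $stmt->fetchColumn();
}

// Constructed sample input: a single quote, double quotes and a CRLF break.
$rawInput = "It's a \"test\" article.\r\nSecond line.";

// Case 1: magic_quotes_gpc off, value quoted exactly once.
$stored = fetchArticle($pdo, insertArticle($pdo, $rawInput));
check('quoted once: round-trips unchanged, CRLF included', $stored === $rawInput);

// Case 2: magic_quotes_gpc on. The value reaches the script already
// backslash-escaped; quote() escapes it a second time, and the backslashes
// are stored as literal characters. This is the \' the poster gets back.
$magicQuoted = addslashes($rawInput);
$stored = fetchArticle($pdo, insertArticle($pdo, $magicQuoted));
check('double escaped: stored text differs from input', $stored !== $rawInput);
check('double escaped: literal backslash-quote in the row', strpos($stored, "\\'") !== false);

// Remedy from the reply: turn magic_quotes_gpc off. Where the setting cannot
// be changed, undo it once at input time so that only quote() touches the
// data. Calling stripslashes() on the way *out* does not help, because the
// rows already contain the wrong bytes.
$fixed = stripslashes($magicQuoted);
$stored = fetchArticle($pdo, insertArticle($pdo, $fixed));
check('magic quotes undone at input time: round-trips unchanged', $stored === $rawInput);

// Matt's example string from the thread: with quote() the whole value is
// data, so it lands in the row verbatim instead of altering the statement.
$untrusted = "' OR '1' = '1";
$stored = fetchArticle($pdo, insertArticle($pdo, $untrusted));
check('quoted value is stored as data, not interpreted as SQL', $stored === $untrusted);
```

Run it with `php example.php`; every line should print `ok`. The point of the second case is that the stored row, not the SELECT, is what carries the backslashes, which is why a "unquote" step on the way out is the wrong place to fix it.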
