Thanks, setting magic_quotes_gpc Off helped me out.
Matthew Weier O'Phinney-3 wrote:
>
> -- Mauricio Cuenca <[email protected]> wrote
> (on Thursday, 27 March 2008, 05:20 AM -0700):
>> This post just gets me more confused, because I'm using $db->quote() in
>> almost all my inserts, but when I get the data back, all my carriage
>> returns are converted to \n\r
>
> The above is likely something to do with your database or with the input
> provided, not with Zend_Db.
>
>> and single quotes become \'. I also used PHP's stripslashes() but it has
>> no effect on carriage returns.
>
> My guess is that you have magic_quotes_gpc on, so data is getting into
> the database with quotes escaped. Please make sure this setting is off.
>
> Zend_Db_Adapter::quote() itself will only escape quotes for insertion;
> when you get them back from the database, they will not be quoted. What
> *can* happen, however, is double escaping, which typically happens when
> you have magic_quotes_gpc on *and* use a tool such as
> Zend_Db_Adapter::quote(); this leads to the exact situation you've
> described.
>
>> Is there an effective way to "unquote" results that were inserted using
>> quote()?
>>
>> Thanks!
>>
>> Mauricio
>>
>> Matthew Ratzloff wrote:
>> >
>> > Hi Jared,
>> >
>> >> I'm just now learning all the intricacies of preventing SQL injection
>> >> attacks. I understand the value of using Zend_Db quoting for values
>> >> that can be manipulated by users. What I can't find, though, is a good
>> >> "unescape" command.
>> >>
>> >> If I have an article, for example, that I want to store and then
>> >> retrieve and display, I'll quote the article before inserting it. This
>> >> will, of course, escape all quotes, but it will also put a set of
>> >> single quotes around my entire article. When I then retrieve the
>> >> article and run "stripslashes()" to unescape the quotes, it leaves the
>> >> surrounding single quotes.
>> >
>> > Looking at your example, I think you may be a little confused. Escaping
>> > certain characters in preparation for use in an SQL statement simply
>> > inserts the values as intended to be read by the end user into the
>> > database. There's no need to unescape them following a SELECT statement
>> > because no escape characters are stored in the database record.
>> >
>> > For anyone else that's curious--without escaping, someone might enter
>> > the following:
>> >
>> > Username: admin
>> > Password: ' OR '1' = '1
>> >
>> > If it's not properly filtered, it could break out of the "AND Password =
>> > '(password)'" portion of the WHERE clause and return admin without
>> > properly authenticating them.
>> >
>> > Hope that helps,
>> >
>> > -Matt
>> >
>> --
>> View this message in context:
>> http://www.nabble.com/quoteOutOf--tp6416052p16324521.html
>> Sent from the Zend Framework mailing list archive at Nabble.com.
>>
>
> --
> Matthew Weier O'Phinney
> PHP Developer | [email protected]
> Zend - The PHP Company | http://www.zend.com/
>

--
View this message in context: http://www.nabble.com/quoteOutOf--tp6416052p21051870.html
Sent from the Zend Framework mailing list archive at Nabble.com.
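The double escaping Matthew Weier O'Phinney describes, as an added PHP example that is not part of the thread or of Zend Framework: magic_quotes_gpc is modelled with addslashes(), quote() is modelled on the generic _quote() of Zend_Db_Adapter_Abstract (real adapters may delegate to the driver's own escaping), and the database server's parsing of the literal is modelled with stripcslashes(). The third case shows the usual fix of removing the magic-quotes layer before quoting.

```php
<?php
// Added example (not from the thread) modelling the double escaping described
// above. Assumptions: magic_quotes_gpc behaves like addslashes(); quote() follows
// the generic Zend_Db_Adapter_Abstract::_quote(), i.e. single quotes around
// addcslashes($value, "\000\n\r\\'\"\032"); the database server strips one level
// of backslash escaping when it parses the literal (modelled with stripcslashes()).

/** Modelled on Zend_Db_Adapter_Abstract::_quote() for string values. */
function quoteLikeZendDb($value)
{
    return "'" . addcslashes($value, "\000\n\r\\'\"\032") . "'";
}

/** What the column ends up holding: quotes removed, one escape level undone. */
function dbStores($literal)
{
    return stripcslashes(substr($literal, 1, -1));
}

/**
 * Value stored for a request parameter $raw.
 * $magicQuotesOn models magic_quotes_gpc; $stripFirst models the fix of
 * calling stripslashes() (guarded by get_magic_quotes_gpc() in real code)
 * before handing the value to quote().
 */
function storedValue($raw, $magicQuotesOn, $stripFirst)
{
    $value = $magicQuotesOn ? addslashes($raw) : $raw;   // PHP's request handling
    if ($stripFirst) {
        $value = stripslashes($value);                   // remove the extra layer
    }
    return dbStores(quoteLikeZendDb($value));            // INSERT ... then SELECT
}

$article = "It's raining.\r\nLine two";   // constructed user input

$cases = array(
    'magic_quotes_gpc Off'                 => storedValue($article, false, false),
    'magic_quotes_gpc On (double escaped)' => storedValue($article, true, false),
    'magic_quotes_gpc On + stripslashes()' => storedValue($article, true, true),
);
foreach ($cases as $label => $stored) {
    // Only the double-escaped case keeps a backslash before the apostrophe.
    printf("%-38s stored=%s  unchanged=%s\n",
        $label, json_encode($stored), $stored === $article ? 'yes' : 'no');
}
```

The carriage returns survive every case in this model, which is consistent with the reply above attributing the \n\r symptom to the database or the input rather than to quote().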
