On Wednesday 19 December 2001 13:12, you wrote:
"test\"" === 'test"' evals true :-)
what I don't get however, the second the var is set like
$string = "escaping \" quotes";
the backslash dissapears in the variable. The backslash is no longer there
thus so having the statement
mysql_query("insert into table values(\"$string\")");
would be interpreted:
mysql_query("insert into table values(\"test"\")");
in which case the quote shouldn't appear in the database cause it will see
that as delimiter of the first one, however I think the mysql_query fixes
this by adding a backslash to it which is interpreted by mysql again cause it
doesn't store the backslash. The only problem i still have is HTML. If i
insert quotes into a field and retrieve them for my form like this:
<INPUT TYPE=TEXT NAME="name" VALUE="$string">
the value will stop at the first quote in the string dropping the rest on the
floor since it doesn't recognize is (most likely) as a tag. So there an
exploit there (only HTML/Javascript though not PHP) since you could insert a
field like
value"><script bla bla bla insert your favorite site mess'm'upper javascript
here></script><!-- --
so i need to fix that. otherwise it goes fine. normally i'd understand this
perfectly but with all these magic quotes and the mysql functions appearantly
adding the backslashes for escaping and PHP automatically type casting of
variables it has become vague as hell to me :/
thanks for the help so far people, the sky is finally clearing up :-)
regards
> On 19-Dec-2001 TD - Sales International Holland B.V. wrote:
> > On Tuesday 18 December 2001 17:01, you wrote:
> >
> > sorry, one more question.
> >
> > I check the database, the character where in there without backslashes.
> > How does this work? Does PHP send the data with or without backslashes to
> > the MySQL environment?... I guess it's with since you can do
> > $string = "test\"";
> > $s = $string;
> > and $s will be test" and not test, however when printing $s to output it
> > will
> > also say test" not test\" so I guess it depends on the database module
> > way of
> > handling strings
>
> Yep. the backslash is an escape interpreted by PHP in double-quoted
> strings. compare :
>
> $str= "test\"";
> $str= 'test"';
>
> Regards,
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
