On 19-Dec-2001 TD - Sales International Holland B.V. wrote:
> On Wednesday 19 December 2001 13:12, you wrote:
> "test\"" === 'test"' evals true :-)
> what I don't get however, the second the var is set like
> $string = "escaping \" quotes";
> the backslash dissapears in the variable. The backslash is no longer there 
> thus so having the statement
> mysql_query("insert into table values(\"$string\")"); 
> would be interpreted:
> mysql_query("insert into table values(\"test"\")");
> in which case the quote shouldn't appear in the database cause it will see 
> that as delimiter of the first one, however I think the mysql_query fixes 
> this by adding a backslash to it which is interpreted by mysql again cause
> it 
> doesn't store the backslash. The only problem i still have is HTML. If i 
> insert quotes into a field and retrieve them for my form like this:
> <INPUT TYPE=TEXT NAME="name" VALUE="$string">
> the value will stop at the first quote in the string dropping the rest on
> the 
> floor since it doesn't recognize is (most likely) as a tag. So there an 
> exploit there (only HTML/Javascript though not PHP) since you could insert a
> field like
> value"><script bla bla bla insert your favorite site mess'm'upper javascript
> here></script><!-- --
> so i need to fix that. otherwise it goes fine. normally i'd understand this 
> perfectly but with all these magic quotes and the mysql functions
> appearantly 
> adding the backslashes for escaping and PHP automatically type casting of 
> variables it has become vague as hell to me :/
> thanks for the help so far people, the sky is finally clearing up :-)

Where possible, I'll use single quoting to avoid chasing down silly escape
mysql_query("insert into table values('$string')");

Try it. Makes life easier.

Don Read                                       [EMAIL PROTECTED]
-- It is necessary for me to learn from others' mistakes. I 
   will not live long enough to make them all by myself.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to