When putting strings into form values (and maybe other places too), I would
advise wrapping the variable in:
so this:
        <INPUT TYPE=TEXT NAME="name" VALUE="<?= $string; ?>">
would become this:
        <INPUT TYPE=TEXT NAME="name" VALUE="<?= htmlentities($string); ?>">
and magically watch all your troubles melt away - well maybe not ALL your
troubles, but at least the trouble as mentioned below...

If you want to add PHP strings to JavaScript code, use addslashes() instead
- it's as easy as that... :)


-----Original Message-----
From: TD - Sales International Holland B.V. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 7:41 AM
To: Don Read
Subject: Re: [PHP] addslash/stripslashes

On Wednesday 19 December 2001 13:12, you wrote:

"test\"" === 'test"' evals true :-)
what I don't get however, the second the var is set like
$string = "escaping \" quotes";
the backslash dissapears in the variable. The backslash is no longer there 
thus so having the statement

mysql_query("insert into table values(\"$string\")"); 
would be interpreted:
mysql_query("insert into table values(\"test"\")");
in which case the quote shouldn't appear in the database cause it will see 
that as delimiter of the first one, however I think the mysql_query fixes 
this by adding a backslash to it which is interpreted by mysql again cause
doesn't store the backslash. The only problem i still have is HTML. If i 
insert quotes into a field and retrieve them for my form like this:
<INPUT TYPE=TEXT NAME="name" VALUE="$string">
the value will stop at the first quote in the string dropping the rest on
floor since it doesn't recognize is (most likely) as a tag. So there an 
exploit there (only HTML/Javascript though not PHP) since you could insert a

field like
value"><script bla bla bla insert your favorite site mess'm'upper javascript

here></script><!-- --

so i need to fix that. otherwise it goes fine. normally i'd understand this 
perfectly but with all these magic quotes and the mysql functions
adding the backslashes for escaping and PHP automatically type casting of 
variables it has become vague as hell to me :/

thanks for the help so far people, the sky is finally clearing up :-)


> On 19-Dec-2001 TD - Sales International Holland B.V. wrote:
> > On Tuesday 18 December 2001 17:01, you wrote:
> >
> > sorry, one more question.
> >
> > I check the database, the character where in there without backslashes.
> > How does this work? Does PHP send the data with or without backslashes
> > the MySQL environment?... I guess it's with since you can do
> > $string = "test\"";
> > $s = $string;
> > and $s will be test" and not test, however when printing $s to output it
> > will
> > also say test" not test\" so I guess it depends on the database module
> > way of
> > handling strings
> Yep. the backslash is an escape interpreted by PHP in double-quoted
> strings. compare :
> $str= "test\"";
> $str= 'test"';
> Regards,

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to