Re: [PHP] storing single and double quote in MySQL

2006-05-25 Thread Mindaugas L

Yesterday I read this discussion and looked at the php manual for
mysql_real_escape... There is a good example with an extra function to check the php
magic quotes status. I like the idea, because the code is more portable. You
don't have to add .htaccess files nor configure php..

Beginner Mindaugas


On 5/24/06, tedd [EMAIL PROTECTED] wrote:


At 8:14 PM +0200 5/24/06, [EMAIL PROTECTED] wrote:
if magic_quotes_gpc is On, does it add slashes in front of quotes when
submitted through a form?
I mean, if I submit in an input form (text) afan's "crazy" web, after
echo $_POST['record'];
I'll get afan\'s \"crazy\" web. Is this because magic_quotes_gpc is On?

-afan

afan:

You're getting the idea. Whatever is in your mysql dB should look
just like it would in print with quotes and all -- and without any
escape characters preceding them.

So, if your records in mysql (when viewed via something like
phpMyAdmin) have something like this O\'Mally, then the data is
wrong. It should be O'Mally and thus somewhere you, or
magic_quotes, have added slashes.

So, backup to your original data, turn magic_quotes OFF, use
mysql_real_escape_string to prepare the data and then add that data
to your mysql.

Upon retrieval of the data from mysql -- if -- you want to show it to
a browser, then use htmlentities. Remember mysql_real_escape_string
IN and htmlentities OUT and the world will be well.

I don't know if you are working in the same type of environment as
me, but I fixed mine by adding a .htaccess file to my root. The code
is simply a text file like so:

php_value magic_quotes_gpc 0
php_value magic_quotes_sybase 0
php_value magic_quotes_runtime 0

That might work for you -- others on this list may have more detailed
information.

In any event, IMO do everything you can to turn magic_quotes OFF
because after that, then everything will be easier and you'll never
have to worry about when, or if, you should addslashes, stripslashes,
and other such confusing stuff.

hth's

tedd
--


http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





--
Mindaugas


Re: [PHP] storing single and double quote in MySQL

2006-05-25 Thread afan
I have access as root user to the server and it shouldn't be a problem
to turn Off magic quotes, but I really CANNOT do it right now because, as I
said earlier, we just put live our new (pretty big) web site and there is no
chance to put it again under construction for the next couple of weeks
(redo site and test it again). As far as I can see, the only solution is to
make the whole thing on an extra server and then, once it's finished and tested,
replace the old one? Also, there is a lot of info with slashes in the DB - that
has to be cleaned too, right?
But, as somebody mentioned earlier, the whole php development goes in that
direction (like globals Off/On before) and one day I will have to do it
anyway. But, at least I can wait for version 2.0 of the web site :).

Thanks.

-afan


 At 8:14 PM +0200 5/24/06, [EMAIL PROTECTED] wrote:
if magic_quotes_gpc is On, does it add slashes in front of quotes when
submitted through a form?
I mean, if I submit in an input form (text) afan's "crazy" web, after
echo $_POST['record'];
I'll get afan\'s \"crazy\" web. Is this because magic_quotes_gpc is On?

-afan

 afan:

 You're getting the idea. Whatever is in your mysql dB should look
 just like it would in print with quotes and all -- and without any
 escape characters preceding them.

 So, if your records in mysql (when viewed via something like
 phpMyAdmin) have something like this O\'Mally, then the data is
 wrong. It should be O'Mally and thus somewhere you, or
 magic_quotes, have added slashes.

 So, backup to your original data, turn magic_quotes OFF, use
 mysql_real_escape_string to prepare the data and then add that data
 to your mysql.

 Upon retrieval of the data from mysql -- if -- you want to show it to
 a browser, then use htmlentities. Remember mysql_real_escape_string
 IN and htmlentities OUT and the world will be well.

 I don't know if you are working in the same type of environment as
 me, but I fixed mine by adding a .htaccess file to my root. The code
 is simply a text file like so:

 php_value magic_quotes_gpc 0
 php_value magic_quotes_sybase 0
 php_value magic_quotes_runtime 0

 That might work for you -- others on this list may have more detailed
 information.

 In any event, IMO do everything you can to turn magic_quotes OFF
 because after that, then everything will be easier and you'll never
 have to worry about when, or if, you should addslashes, stripslashes,
 and other such confusing stuff.

 hth's

 tedd
 --
 
 http://sperling.com  http://ancientstones.com  http://earthstones.com





Re: [PHP] storing single and double quote in MySQL

2006-05-24 Thread afan
after these very helpful comments, I read (again) Shiflett's (and a few
others') Security articles about filtering input and output. And the more I
read - the less is clear :(

Before, I used addslashes() before I insert data in the database and stripslashes()
to show them on screen.

Later found it's not good and started using mysql_real_escape_string() to add
to DB and stripslashes() to show on screen.

But, also, I thought, mysql_real_escape_string() is a filter for
everything, e.g. let's have three links (add, delete, edit) as
<a href="index.php?action=add&rec_id=$rec_id">Add new</a>
<a href="index.php?action=edit&rec_id=$rec_id">Edit</a>
<a href="index.php?action=delete&rec_id=$rec_id">Delete</a>
and was doing this way:
#index.php
<?php
if(isset($_GET['action']))
{
    $action = mysql_real_escape_string($_GET['action']);
    $rec_id = mysql_real_escape_string($_GET['rec_id']);
    switch($action)
    {
        case 'add':
            // add new record
            break;

        case 'edit':
            // edit record
            break;

        case 'delete':
            // delete record
            break;
    }
}
?>

it means that $action I will never store in DB, neither show on screen. Am I
then wrong to do
$action = mysql_real_escape_string($_GET['action']);
or should I do
$action = htmlentities($_GET['action']);
or
$action = $_GET['action'];
is just fine?

I'm really confused.




 Richard Lynch wrote:

On Mon, May 22, 2006 11:37 am, Brad Bonkoski wrote:


http://www.php.net/manual/en/function.stripslashes.php
if you have to dump that information back to the users.



If you are using http://php.net/stripslashes on data coming out of
your database, you are DEFINITELY doing something wrong acquiring that
data.

Stripslashes is correctly used ONLY when:
1. You have Magic Quotes on, and
2. You need to display/use the incoming data for something other than
MySQL in the same script that does the INSERT


Even then, you really ought to turn off Magic Quotes and migrate to
http://php.net/mysql_real_escape_string



 Thanks for your constructive criticism Sorry for the original bad
 advice.

 So, when the magic_quotes goes away in future version, with
 stripslashes() also go away?

 -Brad








Re: [PHP] storing single and double quote in MySQL

2006-05-24 Thread John Nichel

[EMAIL PROTECTED] wrote:

after these very helpful comments, I read (again) Shiflett's (and a few
others') Security articles about filtering input and output. And the more I
read - the less is clear :(

Before, I used addslashes() before I insert data in the database and stripslashes()
to show them on screen.

Later found it's not good and started using mysql_real_escape_string() to add
to DB and stripslashes() to show on screen.


If you have to stripslashes() when you pull data out of the db, you're 
doing something wrong (like running with magic_quotes* on, therefore 
double escaping your data).



But, also, I thought, mysql_real_escape_string() is a filter for
everything, e.g. let's have three links (add, delete, edit) as


mysql_real_escape_string() *only* escapes the data which needs to be 
escaped for your particular db version.



<a href="index.php?action=add&rec_id=$rec_id">Add new</a>
<a href="index.php?action=edit&rec_id=$rec_id">Edit</a>
<a href="index.php?action=delete&rec_id=$rec_id">Delete</a>
and was doing this way:
#index.php
<?php
if(isset($_GET['action']))
{
    $action = mysql_real_escape_string($_GET['action']);
    $rec_id = mysql_real_escape_string($_GET['rec_id']);
    switch($action)
    {
        case 'add':
            // add new record
            break;

        case 'edit':
            // edit record
            break;

        case 'delete':
            // delete record
            break;
    }
}
?>

it means that $action I will never store in DB, neither show on screen. Am I
then wrong to do
$action = mysql_real_escape_string($_GET['action']);
or should I do
$action = htmlentities($_GET['action']);
or
$action = $_GET['action'];
is just fine?


If you're not going to display it or insert it...if all you're doing is 
checking the value of it, then you don't need to modify it.


--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]




Re: [PHP] storing single and double quote in MySQL

2006-05-24 Thread afan
ok. I just made one test and if you can then explain something to me:
I entered in form (textarea)
afan's "crazy" web
and stored in db using mysql_real_escape_string().
in DB, it's stored with slashes:
afan\'s \"crazy\" web

Then I pulled that from DB in three different ways:
$query = mysql_query("select test from dbtest where rec_id = 5");
$result = mysql_fetch_array($query);
echo $result['gen_value'];                //  gives afan\'s \"crazy\" web
echo stripslashes($result['gen_value']);  //  gives afan's "crazy" web
echo htmlentities($result['gen_value']);  //  gives afan\'s \"crazy\" web

if stripslashes() is not correct to use - what then?!?

-afan



 [EMAIL PROTECTED] wrote:
 after these very helpful comments, I read (again) Shiflett's (and a few
 others') Security articles about filtering input and output. And the more I
 read - the less is clear :(

 Before, I used addslashes() before I insert data in the database and
 stripslashes()
 to show them on screen.

 Later found it's not good and started using mysql_real_escape_string() to
 add
 to DB and stripslashes() to show on screen.

 If you have to stripslashes() when you pull data out of the db, you're
 doing something wrong (like running with magic_quotes* on, therefore
 double escaping your data).

 But, also, I thought, mysql_real_escape_string() is a filter for
 everything, e.g. let's have three links (add, delete, edit) as

 mysql_real_escape_string() *only* escapes the data which needs to be
 escaped for your particular db version.

 <a href="index.php?action=add&rec_id=$rec_id">Add new</a>
 <a href="index.php?action=edit&rec_id=$rec_id">Edit</a>
 <a href="index.php?action=delete&rec_id=$rec_id">Delete</a>
 and was doing this way:
 #index.php
 <?php
 if(isset($_GET['action']))
 {
     $action = mysql_real_escape_string($_GET['action']);
     $rec_id = mysql_real_escape_string($_GET['rec_id']);
     switch($action)
     {
         case 'add':
             // add new record
             break;

         case 'edit':
             // edit record
             break;

         case 'delete':
             // delete record
             break;
     }
 }
 ?>

 it means that $action I will never store in DB, neither show on screen.
 Am I
 then wrong to do
 $action = mysql_real_escape_string($_GET['action']);
 or should I do
 $action = htmlentities($_GET['action']);
 or
 $action = $_GET['action'];
 is just fine?

 If you're not going to display it or insert it...if all you're doing is
 checking the value of it, then you don't need to modify it.

 --
 John C. Nichel IV
 Programmer/System Admin (ÜberGeek)
 Dot Com Holdings of Buffalo
 716.856.9675
 [EMAIL PROTECTED]







Re: [PHP] storing single and double quote in MySQL

2006-05-24 Thread John Nichel

[EMAIL PROTECTED] wrote:

ok. I just made one test and if you can then explain something to me:
I entered in form (textarea)
afan's "crazy" web
and stored in db using mysql_real_escape_string().
in DB, it's stored with slashes:
afan\'s \"crazy\" web

Then I pulled that from DB in three different ways:
$query = mysql_query("select test from dbtest where rec_id = 5");
$result = mysql_fetch_array($query);
echo $result['gen_value'];                //  gives afan\'s \"crazy\" web
echo stripslashes($result['gen_value']);  //  gives afan's "crazy" web
echo htmlentities($result['gen_value']);  //  gives afan\'s \"crazy\" web

if stripslashes() is not correct to use - what then?!?


You're missing the main issue.  You shouldn't have any 'escape' slashes 
in your db.  I'm betting your php install has magic_quotes* enabled, so 
what's happening is this:


User inputs data
magic_quotes escapes that data
*you* escape the data
data is inserted into the db.

Either turn magic_quotes off or stripslashes() *before* you use 
mysql_real_escape_string()


You shouldn't have to stripslashes() coming out of the db.

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]




Re: [PHP] storing single and double quote in MySQL

2006-05-24 Thread Brad Bonkoski

in your php.ini file what is the value of:
magic_quotes_gpc?
(hint: it should be off; if it is on, then you are adding slashes twice...)
-Brad

[EMAIL PROTECTED] wrote:


ok. I just made one test and if you can then explain something to me:
I entered in form (textarea)
afan's "crazy" web
and stored in db using mysql_real_escape_string().
in DB, it's stored with slashes:
afan\'s \"crazy\" web

Then I pulled that from DB in three different ways:
$query = mysql_query("select test from dbtest where rec_id = 5");
$result = mysql_fetch_array($query);
echo $result['gen_value'];                //  gives afan\'s \"crazy\" web
echo stripslashes($result['gen_value']);  //  gives afan's "crazy" web
echo htmlentities($result['gen_value']);  //  gives afan\'s \"crazy\" web

if stripslashes() is not correct to use - what then?!?

-afan



 


[EMAIL PROTECTED] wrote:
   


after these very helpful comments, I read (again) Shiflett's (and a few
others') Security articles about filtering input and output. And the more I
read - the less is clear :(

Before, I used addslashes() before I insert data in the database and
stripslashes()
to show them on screen.

Later found it's not good and started using mysql_real_escape_string() to
add
to DB and stripslashes() to show on screen.
 


If you have to stripslashes() when you pull data out of the db, you're
doing something wrong (like running with magic_quotes* on, therefore
double escaping your data).

   


But, also, I thought, mysql_real_escape_string() is a filter for
everything, e.g. let's have three links (add, delete, edit) as
 


mysql_real_escape_string() *only* escapes the data which needs to be
escaped for your particular db version.

   


<a href="index.php?action=add&rec_id=$rec_id">Add new</a>
<a href="index.php?action=edit&rec_id=$rec_id">Edit</a>
<a href="index.php?action=delete&rec_id=$rec_id">Delete</a>
and was doing this way:
#index.php
<?php
if(isset($_GET['action']))
{
    $action = mysql_real_escape_string($_GET['action']);
    $rec_id = mysql_real_escape_string($_GET['rec_id']);
    switch($action)
    {
        case 'add':
            // add new record
            break;

        case 'edit':
            // edit record
            break;

        case 'delete':
            // delete record
            break;
    }
}
?>

it means that $action I will never store in DB, neither show on screen.
Am I
then wrong to do
$action = mysql_real_escape_string($_GET['action']);
or should I do
$action = htmlentities($_GET['action']);
or
$action = $_GET['action'];
is just fine?
 


If you're not going to display it or insert it...if all you're doing is
checking the value of it, then you don't need to modify it.

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]



   



 






Re: [PHP] storing single and double quote in MySQL

2006-05-24 Thread Eric Butera

But, also, I thought, mysql_real_escape_string() is a filter for
everything, e.g. let's have three links (add, delete, edit) as
<a href="index.php?action=add&rec_id=$rec_id">Add new</a>
<a href="index.php?action=edit&rec_id=$rec_id">Edit</a>
<a href="index.php?action=delete&rec_id=$rec_id">Delete</a>
and was doing this way:
#index.php
<?php
if(isset($_GET['action']))
{
    $action = mysql_real_escape_string($_GET['action']);
    $rec_id = mysql_real_escape_string($_GET['rec_id']);
    switch($action)
    {
        case 'add':
            // add new record
            break;

        case 'edit':
            // edit record
            break;

        case 'delete':
            // delete record
            break;
    }
}
?>

it means that $action I will never store in DB, neither show on screen. Am I
then wrong to do
$action = mysql_real_escape_string($_GET['action']);
or should I do
$action = htmlentities($_GET['action']);
or
$action = $_GET['action'];
is just fine?

I'm really confused.


One thing that might help is to understand why you are doing
something.  As everyone has said, mysql_real_escape_string escapes
characters to prevent SQL injection.  The reason we do this is to tell
the system that the data we are putting into the system is just data,
not syntax characters.

An example is this:

Say I want to echo out the string exactly as "variables should be in this
format: $variable".  So I make this code block:

<?php
echo "variables should be in this format: $variable";
?>

That would give this output:
variables should be in this format:

And throw this error:
[error] PHP Notice:  Undefined variable:  variable in
/Users/eric/Sites/meh.php on line 3

The reason is because PHP parsed $variable and saw that it was
undefined.  So to get it to show up I would have to do this:

<?php
echo "variables should be in this format: \$variable";
?>

And I get this output:
variables should be in this format: $variable

By adding the \ in front of the $ I escaped it and told the parser to
ignore that.  That is what all functions like mysql_real_escape_string
and htmlentities do.  They tell whatever parser to ignore what is
happening (more or less:))

So when you have a page like this:
page.php?id=34
... that eventually gets piped into this ...
$sql = "SELECT id, title FROM sometable WHERE id='". $_GET['id'] ."'";

People will know that 34 is being put into a DB.  So they might try to
add raw SQL commands to your ?id=.  This is why we use
mysql_real_escape_string: to prevent people from injecting SQL commands
into your raw data.  It is also used to prevent your data from mixing
with SQL commands too, like if you had a form that submitted an input
field to update a table and I typed in Eric's Data; it would end up:

UPDATE sometable SET title = 'Eric's Data' WHERE id=32;

This would cause an error "You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near 's Data' WHERE id=32' at line 1".  That is why magic
quotes exists.  It automatically escapes quotes for you so that you
don't have to worry about this.  So on POSTing of this form Eric's
Data becomes Eric\'s Data.

When you addslashes or use mysql_real_escape_string with magic quotes
on it will add another escape \ to the quote (leading to Eric\\'s
Data) which would lead to you having to use stripslashes when you pull
this record back out of sometable.  As you have read, you shouldn't
have to use stripslashes.  mysql_real_escape_string and stripslashes
only escape characters for the SQL query to work.  They don't actually
go into the database, just like when we did echo "\$variable"; you
didn't see \$variable in the output.

Hopefully this will clear up a few things for you.
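As an added example (not code from the thread, and not the PHP manual's snippet Mindaugas mentions at the top of the page), this is the fix John Nichel gives above, stripslashes() *before* mysql_real_escape_string(), done once at the start of the request so the rest of the code escapes exactly once whether magic_quotes_gpc is on or off. The walk-through at the bottom uses addslashes() as an offline stand-in for mysql_real_escape_string() to show the double escape Eric describes; the table name and connection details are placeholders.

```php
<?php
// Added example, not code from the thread. Targets the PHP 5 / mysql
// extension setup discussed there; magic quotes and the mysql_* functions
// are both gone in PHP 7, where prepared statements replace all of this.

// Recursively remove the slashes magic_quotes_gpc added. Keys were escaped
// too, so they are stripped as well.
function undo_magic_quotes($value)
{
    if (!is_array($value)) {
        return stripslashes($value);
    }
    $clean = array();
    foreach ($value as $k => $v) {
        $clean[stripslashes($k)] = undo_magic_quotes($v);
    }
    return $clean;
}

// Run once, before any other code reads the request. Afterwards the
// superglobals hold exactly what the user typed, whatever php.ini says.
if (get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Exactly one escape, at the point where the value enters SQL.
// Table and column names are placeholders taken from afan's test.
function insert_record($link, $record)
{
    $sql = sprintf("INSERT INTO dbtest (gen_value) VALUES ('%s')",
                   mysql_real_escape_string($record, $link));
    return mysql_query($sql, $link);
}

// Offline walk-through of the double escape. addslashes() stands in for
// mysql_real_escape_string() here because both escape ' " and \ the same
// way and addslashes() needs no connection.
$typed = 'afan\'s "crazy" web';              // constructed sample input
$gpc   = addslashes($typed);                 // what magic_quotes_gpc hands the script: afan\'s \"crazy\" web

$twice = addslashes($gpc);                   // escaped again before INSERT: afan\\\'s \\\"crazy\\\" web
$once  = addslashes(undo_magic_quotes($gpc)); // normalised first, then escaped once: afan\'s \"crazy\" web

// MySQL removes one layer of escaping when it parses the string literal,
// so the row holds whatever is left after one stripslashes():
assert(stripslashes($twice) === $gpc);       // stored: afan\'s \"crazy\" web  (slashes in the DB, the bug)
assert(stripslashes($once)  === $typed);     // stored: afan's "crazy" web     (correct)

// Connection details are placeholders; uncomment against a real server.
// $link = mysql_connect('localhost', 'user', 'password');
// mysql_select_db('dbtest', $link);
// insert_record($link, $_POST['record']);
```

Because the normalisation touches the superglobals in place, it has to run before anything else reads them, which is why the manual puts it in a file that is included first (or auto_prepend_file). It is a bridge for code that must keep running under either setting; once magic quotes are off everywhere, the block becomes a no-op and can be removed.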




Re: [PHP] storing single and double quote in MySQL

2006-05-24 Thread afan
Ok. Looks like I DID miss the point :)
I thought that with mysql_real_escape_string() HAVE TO add slash in front
of a quote and THAT's filtering.
:(

Ok. slash SHOULDN'T be in DB!
:)



 But, also, I thought, mysql_real_escape_string() is a filter for
 everything, e.g. let's have three links (add, delete, edit) as
 <a href="index.php?action=add&rec_id=$rec_id">Add new</a>
 <a href="index.php?action=edit&rec_id=$rec_id">Edit</a>
 <a href="index.php?action=delete&rec_id=$rec_id">Delete</a>
 and was doing this way:
 #index.php
 <?php
 if(isset($_GET['action']))
 {
     $action = mysql_real_escape_string($_GET['action']);
     $rec_id = mysql_real_escape_string($_GET['rec_id']);
     switch($action)
     {
         case 'add':
             // add new record
             break;

         case 'edit':
             // edit record
             break;

         case 'delete':
             // delete record
             break;
     }
 }
 ?>

 it means that $action I will never store in DB, neither show on screen.
 Am I
 then wrong to do
 $action = mysql_real_escape_string($_GET['action']);
 or should I do
 $action = htmlentities($_GET['action']);
 or
 $action = $_GET['action'];
 is just fine?

 I'm really confused.

 One thing that might help is to understand why you are doing
 something.  As everyone has said, mysql_real_escape_string escapes
 characters to prevent SQL injection.  The reason we do this is to tell
 the system that the data we are putting into the system is just data,
 not syntax characters.

 An example is this:

 Say I want to echo out the string exactly as "variables should be in this
 format: $variable".  So I make this code block:

 <?php
 echo "variables should be in this format: $variable";
 ?>

 That would give this output:
 variables should be in this format:

 And throw this error:
 [error] PHP Notice:  Undefined variable:  variable in
 /Users/eric/Sites/meh.php on line 3

 The reason is because PHP parsed $variable and saw that it was
 undefined.  So to get it to show up I would have to do this:

 <?php
 echo "variables should be in this format: \$variable";
 ?>

 And I get this output:
 variables should be in this format: $variable

 By adding the \ in front of the $ I escaped it and told the parser to
 ignore that.  That is what all functions like mysql_real_escape_string
 and htmlentities do.  They tell whatever parser to ignore what is
 happening (more or less:))

 So when you have a page like this:
 page.php?id=34
 ... that eventually gets piped into this ...
 $sql = "SELECT id, title FROM sometable WHERE id='". $_GET['id'] ."'";

 People will know that 34 is being put into a DB.  So they might try to
 add raw SQL commands to your ?id=.  This is why we use
 mysql_real_escape_string: to prevent people from injecting SQL commands
 into your raw data.  It is also used to prevent your data from mixing
 with SQL commands too, like if you had a form that submitted an input
 field to update a table and I typed in Eric's Data; it would end up:

 UPDATE sometable SET title = 'Eric's Data' WHERE id=32;

 This would cause an error "You have an error in your SQL syntax; check
 the manual that corresponds to your MySQL server version for the right
 syntax to use near 's Data' WHERE id=32' at line 1".  That is why magic
 quotes exists.  It automatically escapes quotes for you so that you
 don't have to worry about this.  So on POSTing of this form Eric's
 Data becomes Eric\'s Data.

 When you addslashes or use mysql_real_escape_string with magic quotes
 on it will add another escape \ to the quote (leading to Eric\\'s
 Data) which would lead to you having to use stripslashes when you pull
 this record back out of sometable.  As you have read, you shouldn't
 have to use stripslashes.  mysql_real_escape_string and stripslashes
 only escape characters for the SQL query to work.  They don't actually
 go into the database, just like when we did echo "\$variable"; you
 didn't see \$variable in the output.

 Hopefully this will clear up a few things for you.







Re: [PHP] storing single and double quote in MySQL

2006-05-24 Thread afan
if magic_quotes_gpc is On, does it add slashes in front of quotes when
submitted through a form?
I mean, if I submit in an input form (text) afan's "crazy" web, after
echo $_POST['record'];
I'll get afan\'s \"crazy\" web. Is this because magic_quotes_gpc is On?

-afan


 Security wise, it is best to turn it off...
 Yes, you *might* have to redo code if you turn it off...
 (Of course in future versions you will not be able to turn it on, so
 code migration might be better now than later)

 Your options are:
 - turn it off, see what breaks and fix it.
 - or use the stripslashes() function on all $_POST, session and cookie
 variables *before* you use the mysql_real_escape_string() function.  You
 only really need to do such things when that data is going into the
 database!  So any control variables passed via get, post, etc.. do not
 need to be cleaned up, just use as they are.

 -Brad

 [EMAIL PROTECTED] wrote:

yes. it's *On*

if I turn it Off - I have to redo a lot of code, then right?

What would be the best solution (and few options too :))?

-afan




in your php.ini file what is the value of:
magic_quotes_gpc?
(hint: it should be off; if it is on, then you are adding slashes twice...)
-Brad

[EMAIL PROTECTED] wrote:



ok. I just made one test and if you can then explain something to me:
I entered in form (textarea)
afan's "crazy" web
and stored in db using mysql_real_escape_string().
in DB, it's stored with slashes:
afan\'s \"crazy\" web

Then I pulled that from DB in three different ways:
$query = mysql_query("select test from dbtest where rec_id = 5");
$result = mysql_fetch_array($query);
echo $result['gen_value'];                //  gives afan\'s \"crazy\" web
echo stripslashes($result['gen_value']);  //  gives afan's "crazy" web
echo htmlentities($result['gen_value']);  //  gives afan\'s \"crazy\" web

if stripslashes() is not correct to use - what then?!?

-afan







[EMAIL PROTECTED] wrote:




after these very helpful comments, I read (again) Shiflett's (and a few
others') Security articles about filtering input and output. And the more
 I
read - the less is clear :(

Before, I used addslashes() before I insert data in the database and
stripslashes()
to show them on screen.

Later found it's not good and started using mysql_real_escape_string()
 to
add
to DB and stripslashes() to show on screen.




If you have to stripslashes() when you pull data out of the db, you're
doing something wrong (like running with magic_quotes* on, therefore
double escaping your data).





But, also, I thought, mysql_real_escape_string() is a filter for
everything, e.g. let's have three links (add, delete, edit) as




mysql_real_escape_string() *only* escapes the data which needs to be
escaped for your particular db version.





<a href="index.php?action=add&rec_id=$rec_id">Add new</a>
<a href="index.php?action=edit&rec_id=$rec_id">Edit</a>
<a href="index.php?action=delete&rec_id=$rec_id">Delete</a>
and was doing this way:
#index.php
<?php
if(isset($_GET['action']))
{
    $action = mysql_real_escape_string($_GET['action']);
    $rec_id = mysql_real_escape_string($_GET['rec_id']);
    switch($action)
    {
        case 'add':
            // add new record
            break;

        case 'edit':
            // edit record
            break;

        case 'delete':
            // delete record
            break;
    }
}
?>

it means that $action I will never store in DB, neither show on
 screen.
Am I
then wrong to do
$action = mysql_real_escape_string($_GET['action']);
or should I do
$action = htmlentities($_GET['action']);
or
$action = $_GET['action'];
is just fine?




If you're not going to display it or insert it...if all you're doing
 is
checking the value of it, then you don't need to modify it.

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]




Re: [PHP] storing single and double quote in MySQL

2006-05-24 Thread Eric Butera

On 5/24/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

if magic_quotes_gpc is On, does it add slashes in front of quotes when
submitted through a form?
I mean, if I submit in an input form (text) afan's "crazy" web, after
echo $_POST['record'];
I'll get afan\'s \"crazy\" web. Is this because magic_quotes_gpc is On?



Yep!

http://us2.php.net/magic_quotes

What are Magic Quotes

When on, all ' (single-quote), " (double quote), \ (backslash) and
NULL characters are escaped with a backslash automatically. This is
identical to what addslashes() does.




Re: [PHP] storing single and double quote in MySQL

2006-05-24 Thread tedd

At 8:14 PM +0200 5/24/06, [EMAIL PROTECTED] wrote:

if magic_quotes_gpc is On, does it add slashes in front of quotes when
submitted through a form?
I mean, if I submit in an input form (text) afan's "crazy" web, after
echo $_POST['record'];
I'll get afan\'s \"crazy\" web. Is this because magic_quotes_gpc is On?

-afan


afan:

You're getting the idea. Whatever is in your mysql dB should look 
just like it would in print with quotes and all -- and without any 
escape characters preceding them.


So, if your records in mysql (when viewed via something like 
phpMyAdmin) have something like this O\'Mally, then the data is 
wrong. It should be O'Mally and thus somewhere you, or 
magic_quotes, have added slashes.


So, backup to your original data, turn magic_quotes OFF, use 
mysql_real_escape_string to prepare the data and then add that data 
to your mysql.


Upon retrieval of the data from mysql -- if -- you want to show it to 
a browser, then use htmlentities. Remember mysql_real_escape_string 
IN and htmlentities OUT and the world will be well.


I don't know if you are working in the same type of environment as 
me, but I fixed mine by adding a .htaccess file to my root. The code 
is simply a text file like so:


php_value magic_quotes_gpc 0
php_value magic_quotes_sybase 0
php_value magic_quotes_runtime 0

That might work for you -- others on this list may have more detailed 
information.


In any event, IMO do everything you can to turn magic_quotes OFF 
because after that, then everything will be easier and you'll never 
have to worry about when, or if, you should addslashes, stripslashes, 
and other such confusing stuff.


hth's

tedd
--

http://sperling.com  http://ancientstones.com  http://earthstones.com
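As an added example (not tedd's code or anything posted in the thread), this is the same "escape IN, escape OUT" rule written with one escape per context, using a PDO prepared statement on the SQL side instead of mysql_real_escape_string(), since the mysql extension no longer exists in current PHP. It also answers the control-variable question from afan's switch(): $action is checked against a whitelist and $rec_id is cast to int, and neither is escaped, because neither is ever placed into SQL or HTML as text. It assumes PHP 5.3.6 or later (for the charset in the DSN) and a table dbtest(rec_id, gen_value) like the one in afan's test; the connection details are placeholders.

```php
<?php
// Added example, not code from the thread. Each value is escaped exactly
// once, by the mechanism that belongs to the context it is entering.

// --- SQL context: a prepared statement. The value travels separately from
//     the query text, so nothing is escaped by hand and magic_quotes-style
//     double escaping cannot happen. The row stores: afan's "crazy" web
function save_record(PDO $db, $value)
{
    $stmt = $db->prepare('INSERT INTO dbtest (gen_value) VALUES (:v)');
    $stmt->execute(array(':v' => $value));
    return (int) $db->lastInsertId();
}

function load_record(PDO $db, $rec_id)
{
    $stmt = $db->prepare('SELECT gen_value FROM dbtest WHERE rec_id = :id');
    $stmt->execute(array(':id' => (int) $rec_id));
    return $stmt->fetchColumn();             // raw text, exactly as typed
}

// --- HTML context: escape on output, every time, quotes included.
//     afan's "crazy" web  ->  afan&#039;s &quot;crazy&quot; web
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// --- URL context: query-string parts go through urlencode(); the finished
//     href is then HTML-escaped because it sits inside an attribute.
function action_link($action, $rec_id, $label)
{
    $href = 'index.php?action=' . urlencode($action) . '&rec_id=' . (int) $rec_id;
    return '<a href="' . h($href) . '">' . h($label) . '</a>';
}

// --- No context: $action is only compared, so it is validated against a
//     whitelist, not escaped; $rec_id is cast, which drops any non-digits.
$allowed = array('add', 'edit', 'delete');
$action  = (isset($_GET['action']) && in_array($_GET['action'], $allowed, true))
         ? $_GET['action'] : null;
$rec_id  = isset($_GET['rec_id']) ? (int) $_GET['rec_id'] : 0;

// Placeholder connection details.
$db = new PDO('mysql:host=localhost;dbname=dbtest;charset=utf8', 'user', 'password');
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);   // server-side prepares
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

switch ($action) {
    case 'add':
        $rec_id = save_record($db, isset($_POST['record']) ? $_POST['record'] : '');
        break;
    case 'edit':
    case 'delete':
        // edit or delete by $rec_id; the same per-context rules apply
        break;
}

if ($rec_id > 0) {
    // HTML source carries the entities; the browser shows the text as typed.
    echo '<p>' . h(load_record($db, $rec_id)) . '</p>';
    echo action_link('edit', $rec_id, 'Edit'), ' ',
         action_link('delete', $rec_id, 'Delete');
}
```

htmlspecialchars() is used rather than htmlentities() because only the five HTML-significant characters need converting; with a UTF-8 page everything else can be stored and sent as-is. Nothing here is stripped on the way out: if a value comes back from the database with backslashes in it, the data was escaped twice on the way in, and the fix belongs at the INSERT, not at the echo.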




Re: [PHP] storing single and double quote in MySQL

2006-05-23 Thread Martin Marques

On Mon, 22 May 2006, John Nichel wrote:


Brad Bonkoski wrote:

Looks good to me, just make sure you use:
http://www.php.net/manual/en/function.stripslashes.php
if you have to dump that information back to the users.
(you might want to check out: addslashes() to add the slashes before your 
DB insert, just to keep those things under your command)

-Brad


No, no, no.  Bad coder.


I was about to say the same! ;-)



Always, always, always...

mysql_real_escape_string()


The best way is to use PEAR::DB and work with quoteSmart() :-D

--
 21:50:04 up 2 days,  9:07,  0 users,  load average: 0.92, 0.37, 0.18
-
Lic. Martín Marqués |   SELECT 'mmarques' || 
Centro de Telemática|   '@' || 'unl.edu.ar';

Universidad Nacional|   DBA, Programador,
del Litoral |   Administrador
-

Re: [PHP] storing single and double quote in MySQL

2006-05-23 Thread Martin Marques

On Mon, 22 May 2006, Richard Lynch wrote:


On Mon, May 22, 2006 11:25 am, [EMAIL PROTECTED] wrote:

After the form is submitted, some fields are filled with single and/or
double quote info (like: 1'2"x2'4", or sky's blue, or "cool" stuff).
I validate what I got using mysql_real_escape_string() and then store
the
result in MySQL. And, it will be stored as: 1\'2\"x2\'4\", and sky\'s
blue,
and \"cool\" stuff.
Is this correct way


No.

If you still see \' in your data after it's in MySQL, then you have
done TWO escapes, and should have only done ONE.


By the way, the right way to escape single quotes is by adding anothe 
single quote (this is SQL standard). Somthing like:


O'Conner -- O''Conner


[PHP] storing single and double quote in MySQL

2006-05-22 Thread afan
Hi to all!
After the form is submitted, some fields are filled with single and/or
double quote info (like: 1'2"x2'4", or sky's blue, or "cool" stuff).
I validate what I got using mysql_real_escape_string() and then store the
result in MySQL. And, it will be stored as: 1\'2\"x2\'4\", and sky\'s blue,
and \"cool\" stuff.
Is this the correct way, or would the correct way be to convert quotes into
HTML entities? If yes, does that mean I have to use htmlentities($Size, ENT_QUOTES)?

Thanks for any thoughts!

-afan




Re: [PHP] storing single and double quote in MySQL

2006-05-22 Thread Brad Bonkoski

Looks good to me, just make sure you use:
http://www.php.net/manual/en/function.stripslashes.php
if you have to dump that information back to the users.
(you might want to check out: addslashes() to add the slashes before 
your DB insert, just to keep those things under your command)

-Brad




Re: [PHP] storing single and double quote in MySQL

2006-05-22 Thread Eric Butera

On 5/22/06, [EMAIL PROTECTED] wrote:

> Hi to all!
> After the form is submitted, some fields are filled with single and/or
> double quote info (like: 1'2"x2'4", or sky's blue, or "cool" stuff).
> I validate what I got using mysql_real_escape_string() and then store the
> result in MySQL. And, it will be stored as: 1\'2\"x2\'4\", and sky\'s blue,
> and \"cool\" stuff.
> Is this the correct way, or would the correct way be to convert quotes into
> HTML entities? If yes, does that mean I have to use htmlentities($Size, ENT_QUOTES)?
>
> Thanks for any thoughts!
>
> -afan


Looks like you're having a problem with magic quotes.  Look at the examples:

http://us2.php.net/manual/en/function.get-magic-quotes-gpc.php




Re: [PHP] storing single and double quote in MySQL

2006-05-22 Thread John Nichel

Brad Bonkoski wrote:

> Looks good to me, just make sure you use:
> http://www.php.net/manual/en/function.stripslashes.php
> if you have to dump that information back to the users.
> (you might want to check out: addslashes() to add the slashes before
> your DB insert, just to keep those things under your command)
>
> -Brad

No, no, no.  Bad coder.

Correct way is to escape the data being put into your db with 
mysql_real_escape_string(), and have magic_quotes OFF.  There is no need 
to stripslashes() when retrieving the data (and you'll end up stripping 
slashes that are supposed to be in the data).  htmlentities() is better 
used for displaying data (or passing it from one page to the next), 
pretty useless for db entries.


Always, always, always...

mysql_real_escape_string()

Bare minimum.


--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]




Re: [PHP] storing single and double quote in MySQL

2006-05-22 Thread Jochem Maas

Brad Bonkoski wrote:

> Looks good to me, just make sure you use:
> http://www.php.net/manual/en/function.stripslashes.php

this is bad advice...

> if you have to dump that information back to the users.
> (you might want to check out: addslashes() to add the slashes before

having to use stripslashes() and/or addslashes() when putting stuff
into the DB and/or when outputting stuff coming from the database
indicates that there is something (subtly?) wrong with the code in question.

> your DB insert, just to keep those things under your command)

1. make sure add_magic_quotes [or whatever it's called exactly]
(and all its siblings) are off.

2. use mysql_escape_string() or mysql_real_escape_string() [preferred] to
escape data being put into the DB

3. use something like htmlentities() when displaying stuff in the browser
coming from the DB - this is dependent on what exactly you are displaying and
in what context - you don't want to entitize HTML that is meant to be used as
HTML (but then you would want to entitize the same HTML if you were displaying
the HTML in a textarea for editing purposes)... always beware of
cross-site-scripting vulnerabilities, which comes down to:

1. clean & validate your input
2. use correct escaping when outputting (e.g. outputting to the DB, outputting
to the browser, etc)

oh read all of phpsec.org - that site goes to great pains to explain the
security issues inherent in [not] escaping/validating input/output.




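The three steps Jochem lists above, together with Richard's rule that stripslashes() belongs only where magic quotes are still on, as an added PHP example (not code from anyone in this thread). It assumes a PHP 5-era mysql_* extension, an open connection in $link and a table notes(id, body); connection and table names are placeholders.

```php
<?php
// Added example, not from the list thread. Assumes an open mysql_* link in
// $link and a placeholder table notes(id, body).

// Undo magic_quotes_gpc only if the server still has it on, so the value
// below is escaped exactly once (the only case where stripslashes() fits).
function raw_input($key) {
    $value = isset($_POST[$key]) ? $_POST[$key] : '';
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// IN: escape for the SQL string literal, right where the query is built.
// The backslashes exist only in the query text, never in the stored row.
function insert_note($link, $body) {
    $sql = sprintf("INSERT INTO notes (body) VALUES ('%s')",
                   mysql_real_escape_string($body, $link));
    return mysql_query($sql, $link);
}

// OUT: encode for HTML at the moment of display. ENT_QUOTES covers both
// ' and ", so the value is also safe inside a value="..." attribute.
function show_note($body) {
    return htmlentities($body, ENT_QUOTES, 'UTF-8');
}

// Check for existing rows: a backslash followed by a quote in a STORED
// value is the double-escape symptom afan saw; such rows were written wrong.
function looks_double_escaped($stored) {
    return preg_match('/\\\\[\'"]/', $stored) === 1;
}

$body = raw_input('record');   // e.g.  1'2"x2'4"   or   "cool" stuff
insert_note($link, $body);     // row holds 1'2"x2'4" with no backslashes

$res = mysql_query("SELECT body FROM notes ORDER BY id DESC LIMIT 1", $link);
$row = mysql_fetch_assoc($res);
if (looks_double_escaped($row['body'])) {
    error_log('notes row contains escape characters: fix the insert path');
}
echo '<p>' . show_note($row['body']) . '</p>';  // 1&#039;2&quot;x2&#039;4&quot;
```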



RE: [PHP] storing single and double quote in MySQL

2006-05-22 Thread Ford, Mike
On 22 May 2006 17:37, Brad Bonkoski wrote:

> Looks good to me, just make sure you use:
> http://www.php.net/manual/en/function.stripslashes.php
> if you have to dump that information back to the users.
> (you might want to check out: addslashes() to add the slashes before
> your DB insert, just to keep those things under your command) -Brad

Aaaarrrggghhh!! NO, NO, NO!!!

If you need to stripslashes() the data coming out of your database, then you 
haven't put it in right.  An addslashes(), or more correctly 
mysql_real_escape_string() as afan is doing, is simply to make sure that 
characters which need escaping to get put into the database right are in fact 
escaped. The escape characters themselves should NOT make it into the database.

> [EMAIL PROTECTED] wrote:
>
>> Hi to all!
>> After the form is submitted, some fields are filled with single
>> and/or double quote info (like: 1'2"x2'4", or sky's blue, or "cool"
>> stuff). I validate what I got using mysql_real_escape_string() and
>> then store the result in MySQL. And, it will be stored
>> as: 1\'2\"x2\'4\", and sky\'s blue, and \"cool\" stuff. Is this
>> the correct way, or would the correct way be to convert quotes into HTML
>> entities? If yes, does that mean I have to use htmlentities($Size,
>> ENT_QUOTES)?

What are your magic_quotes_*() settings? It sounds like your data is getting 
escaped twice.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 


To view the terms under which this email is distributed, please go to 
http://disclaimer.leedsmet.ac.uk/email.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] storing single and double quote in MySQL

2006-05-22 Thread Richard Lynch
On Mon, May 22, 2006 11:25 am, [EMAIL PROTECTED] wrote:
> After the form is submitted, some fields are filled with single and/or
> double quote info (like: 1'2"x2'4", or sky's blue, or "cool" stuff).
> I validate what I got using mysql_real_escape_string() and then store
> the result in MySQL. And, it will be stored as: 1\'2\"x2\'4\", and sky\'s
> blue, and \"cool\" stuff.
> Is this correct way

No.

If you still see \' in your data after it's in MySQL, then you have
done TWO escapes, and should have only done ONE.

Your data is now corrupt.

> or correct way will be to convert quotes in html
> entities? If yes, means have to use htmlentities($Size, ENT_QUOTES)?

You would need to use htmlentities ONLY when you send the data out to
a web browser, and ONLY at the last second before it goes to the
browser.

Don't store the htmlentities() version in your data -- Keep the data
clean, so that you can, for example, export it, search it, sort it,
send it out as XML or RSS or whatever.

Only the data actually going to the browser needs htmlentities() --
Calling htmlentities() anywhere else just introduces problems down the
line, sooner or later.

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] storing single and double quote in MySQL

2006-05-22 Thread Richard Lynch
On Mon, May 22, 2006 11:37 am, Brad Bonkoski wrote:
> http://www.php.net/manual/en/function.stripslashes.php
> if you have to dump that information back to the users.

If you are using http://php.net/stripslashes on data coming out of
your database, you are DEFINITELY doing something wrong acquiring that
data.

Stripslashes is correctly used ONLY when:
1. You have Magic Quotes on, and
2. You need to display/use the incoming data for something other than
MySQL in the same script that does the INSERT


Even then, you really ought to turn off Magic Quotes and migrate to
http://php.net/mysql_real_escape_string

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] storing single and double quote in MySQL

2006-05-22 Thread Brad Bonkoski

Richard Lynch wrote:

> On Mon, May 22, 2006 11:37 am, Brad Bonkoski wrote:
>
>> http://www.php.net/manual/en/function.stripslashes.php
>> if you have to dump that information back to the users.
>
> If you are using http://php.net/stripslashes on data coming out of
> your database, you are DEFINITELY doing something wrong acquiring that
> data.
>
> Stripslashes is correctly used ONLY when:
> 1. You have Magic Quotes on, and
> 2. You need to display/use the incoming data for something other than
> MySQL in the same script that does the INSERT
>
> Even then, you really ought to turn off Magic Quotes and migrate to
> http://php.net/mysql_real_escape_string

Thanks for your constructive criticism... Sorry for the original bad 
advice.

So, when the magic_quotes goes away in a future version, will 
stripslashes() also go away?


-Brad




Re: [PHP] storing single and double quote in MySQL

2006-05-22 Thread Richard Lynch
On Mon, May 22, 2006 3:05 pm, Brad Bonkoski wrote:
> So, when the magic_quotes goes away in future version, with
> stripslashes() also go away?

Probably not right away...

Some folks are bound to have a zillion records in their database that
already got inserted with TWO calls to
addslashes/Magic_Quotes/mysql_real_escape_string, and they'll want
stripslashes to un-do the damage.

-- 
Like Music?
http://l-i-e.com/artists.htm
