RE: [PHP] Escaping Chars

2003-02-07 Thread John W. Holmes
> I need to get a password value from a form, store it in a database and
> then later be able to compare a login password to the one stored in the db.
> This works great unless the password contains the '\' char.
> magic_quotes_gpc is ON and magic_quotes_runtime is OFF.
> As a kludge, I tried just removing slashes from the input password using
> stripslashes() before storing it in the db and then testing to see if
> stripslashes(val from db)=stripslashes(val from form) in the login test to
> see if they match. (The user shouldn't even know that slashes are being
> stripped, so I have to strip them on each input.) They still don't match
> if a slash is input for the original password storage, but I don't know
> why.

Okay... you want the slash or escape character there when you insert
it into the database. But, since it's an escape character, it doesn't
actually go into the data of the database. If you put O'Kelly into your
form, magic_quotes_gpc will turn it into O\'Kelly. If you insert that
into the database, it'll use the \ as an escape character and the data
in the database will actually be just O'Kelly. With magic_quotes_runtime
OFF, that's exactly what you'll draw out of the database, too. So, if
you want to compare a form submitted value to a value drawn out of the
database, you have to use stripslashes() on the form data first. 

A better option overall is to just do it in your query.

SELECT * FROM table WHERE user = '{$_POST['user']}' AND password =
'{$_POST['password']}'

Where your form is method=POST... If a row is returned, the username and
password matched. If no row is returned, then one or both didn't match. 

---John Holmes...

PS: Just noticed the .af.mil address. Do you do any PHP programming for
the Air Force or is this on your own?



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Escaping Chars

2003-02-07 Thread Walls Rob W Contr 75 CS/SCBS
Thanks for the reply, but I still can't seem to make the connection...
If I enter the value 
123\/'
in a web form and put the form post value directly into the db (no
stripslashes or any other function), the value as reported by the db at a
command line query is 
123\/'
(it LOOKS like the same value that was entered), but to get it to return
that value, at the command prompt, I have to enter 
select * from users where password = 123/\';. 
OK, that makes sense. You have to 'slash' or escape every escape or
delimiter character.  So, the value is apparently getting into the db
properly. Now, when I enter that same value (minus the outside quotes) into
the form field and then compare that with the value in the db, they don't
match.
I've tried add and strip slashes in various combinations, but that makes no
difference. I suspect there are some HTML entities or some other odd URL
encoding problem???  My app has a feature that will remind a user of their
password. This returns in an email exactly what I'd expect, that is, 
123\/'
I can't see how to make the round trip from the original input into the db
and then back out again intact so it will 'match itself'...
That behavior doesn't seem to match the magic_quotes docs.   

My current project is the first real app I have done for the Air Force in
PHP. Most of the PHP work I have done is for query only db interfaces,
counters, REMOTE_HOST tests for dynamic links or doing form-to-email type
stuff.  Entering data INTO a db adds a whole new set of challenges.

I'd appreciate any other advice or clarification you could offer.
Thanks,


RE: [PHP] Escaping Chars

2003-02-07 Thread John W. Holmes
> Thanks for the reply, but I still can't seem to make the connection...
> If I enter the value
> 123\/'
> in a web form and put the form post value directly into the db (no
> stripslashes or any other function), the value as reported by the db at a
> command line query is
> 123\/'

That's not right. If you insert, exactly, 123\/' into a database, the
value in the table, as returned by a query from the command line, will
be 123/'

From the command line, to see what I mean, actually insert 123\/' into
a table and then select * from that table...

Somehow it is getting escaped twice. 

Can you show your code that processes all of this?

I've got a secret security clearance, if that matters. ;)

> My current project is the first real app I have done for the Air Force in
> PHP. Most of the PHP work I have done is for query only db interfaces,
> counters, REMOTE_HOST tests for dynamic links or doing form-to-email type
> stuff. Entering data INTO a db adds a whole new set of challenges.

It's great that they're actually using PHP. I had to do quite a bit of
educating and convincing to get the Army to use PHP at my Post. 

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy
today. http://www.phparch.com/



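To make the round trip concrete, here is an added example (my own illustration, not code from the thread) that models in Python what John's first reply describes: magic_quotes_gpc applies addslashes() to the form value, the server consumes the backslash escapes when it parses the quoted literal, so the stored value equals what the user typed, and a comparison against the raw magic-quoted form value fails until stripslashes() is applied. It also shows the "escaped twice" case from John's second reply, and a placeholder-based login check as the alternative to interpolating $_POST values into the query text. php_addslashes(), php_stripslashes() and mysql_unescape() are my own helpers; mysql_unescape() is a simplified model of MySQL-style backslash handling inside a quoted literal (it does not model a stray quote ending the literal), and sqlite3 stands in for the database so the script runs offline. The sample values are constructed from the thread.

```python
# Added illustration for this thread (not code from the thread): a model of the
# PHP magic_quotes / MySQL escaping round trip plus the placeholder alternative.
# Assumptions: php_addslashes()/php_stripslashes() reproduce PHP's functions;
# mysql_unescape() is a simplified model of MySQL-style literal decoding;
# sqlite3 is only an offline stand-in for the database server.
import sqlite3


def php_addslashes(s: str) -> str:
    """PHP addslashes(): what magic_quotes_gpc did to every GET/POST/cookie value."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def php_stripslashes(s: str) -> str:
    """PHP stripslashes(): remove one layer of addslashes() escaping."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2  # a trailing lone backslash is simply dropped
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def mysql_unescape(literal_body: str) -> str:
    """Simplified model of how the server decodes the text between the quotes of
    a string literal: every backslash escape is consumed, so the stored value has
    one backslash fewer than the query text (assumption: MySQL-style rules)."""
    specials = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b", "Z": "\x1a"}
    out = []
    i = 0
    while i < len(literal_body):
        if literal_body[i] == "\\" and i + 1 < len(literal_body):
            out.append(specials.get(literal_body[i + 1], literal_body[i + 1]))
            i += 2
        else:
            out.append(literal_body[i])
            i += 1
    return "".join(out)


def stored_after_insert(form_value: str, escape_twice: bool = False) -> str:
    """browser value -> magic_quotes_gpc -> INSERT ... VALUES ('...') -> stored value.
    escape_twice adds a second addslashes() layer: the 'escaped twice' case."""
    query_text = php_addslashes(form_value)
    if escape_twice:
        query_text = php_addslashes(query_text)
    return mysql_unescape(query_text)


def login_matches_naive(stored: str, form_value: str) -> bool:
    """Compare the magic-quoted form value with the DB value directly."""
    return stored == php_addslashes(form_value)


def login_matches_stripped(stored: str, form_value: str) -> bool:
    """stripslashes() the form value first, then compare."""
    return stored == php_stripslashes(php_addslashes(form_value))


def parameterized_login(password: str, attempt: str) -> bool:
    """Placeholders hand the value to the driver as data: no escaping layer is
    involved, the value round-trips unchanged, and the input cannot alter the
    query text. (sqlite3 here is an offline stand-in for MySQL.)"""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("rob", password))
    row = db.execute(
        "SELECT 1 FROM users WHERE name = ? AND password = ?", ("rob", attempt)
    ).fetchone()
    db.close()
    return row is not None


if __name__ == "__main__":
    typed = "123\\/'"  # constructed: the value from the thread, 123\/'
    stored = stored_after_insert(typed)
    print(repr(stored))                           # '123\\/\'' : round-trips intact
    print(login_matches_naive(stored, typed))     # False: raw magic-quoted value differs
    print(login_matches_stripped(stored, typed))  # True
    print(repr(stored_after_insert("O'Kelly", escape_twice=True)))  # "O\\'Kelly"
    print(parameterized_login(typed, typed))              # True
    print(parameterized_login(typed, "' OR '1'='1"))      # False: treated as data
```

Run it as a script to see each case printed. Two caveats for anyone reading this thread today: magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so code that relies on it for escaping runs unprotected on any current interpreter, and the placeholder approach is the one to use; and the thread stores and e-mails passwords in clear text, whereas a stored password should be a salted hash (password_hash() in PHP, checked with password_verify()).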