Re: [PHP-DB] Slashes or no slashes

2010-08-24 Thread Chris
In the case that you're comparing a field to a field in the database (the field name) do you escape that or because it is hardcoded you don't need to? My thoughts are that you need to escape all data going in. Correct. A field name is not data though. You've already validated it (somehow, either

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Karl DeSaulniers
On Aug 22, 2010, at 7:12 PM, Chris wrote: On 20/08/10 08:05, Karl DeSaulniers wrote: On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote: On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote: You should be using http://us2.php.net/manual/en/function.mysql-escape-string.php You don't need

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Chris
You use mysql_real_escape_string for queries on the way in. $query = "select * from table where name='".mysql_real_escape_string($_POST['name'])."'"; You use htmlspecialchars on the way out: $value = htmlspecialchars($row['name']); -- Postgresql php tutorials http://www.designmagick.com/ --

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Karl DeSaulniers
On Aug 23, 2010, at 8:35 PM, Chris wrote: You use mysql_real_escape_string for queries on the way in. $query = "select * from table where name='".mysql_real_escape_string($_POST['name'])."'"; You use htmlspecialchars on the way out: $value = htmlspecialchars($row['name']); -- Postgresql

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Chris
To be more specific. Is this correct? function confirmUP($username, $password){ $username = mysql_real_escape_string($username); /* Verify that user is in database */ $q = "SELECT password FROM TBL-U WHERE username = '$username'"; I normally do it in the query in case you use the variable

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Karl DeSaulniers
On Aug 23, 2010, at 9:31 PM, Chris wrote: To be more specific. Is this correct? function confirmUP($username, $password){ $username = mysql_real_escape_string($username); /* Verify that user is in database */ $q = "SELECT password FROM TBL-U WHERE username = '$username'"; I normally do it

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Karl DeSaulniers
On Aug 23, 2010, at 10:04 PM, Karl DeSaulniers wrote: On Aug 23, 2010, at 9:31 PM, Chris wrote: To be more specific. Is this correct? function confirmUP($username, $password){ $username = mysql_real_escape_string($username); /* Verify that user is in database */ $q = SELECT password FROM

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Chris
Just to make sure, cause I am ready to get past this. Is this correct? function confirmUP($username, $password){ /* Verify that user is in database */ $q = "SELECT password FROM ".TBL_USERS." WHERE username = '".mysql_real_escape_string($username)."'"; Perfect. /* Retrieve password from result

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Karl DeSaulniers
On Aug 23, 2010, at 10:35 PM, Chris wrote: Just to make sure, cause I am ready to get past this. Is this correct? function confirmUP($username, $password){ /* Verify that user is in database */ $q = "SELECT password FROM ".TBL_USERS." WHERE username = '".mysql_real_escape_string($username)."'";

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Chris
Got it. So only when I am going to display the result from the database. I see. Or email (or otherwise present it to the user), yes. But for comparing $dbarray['password'] to $password, don't I have to escape $password and then md5 it? Right. -- Postgresql php tutorials

Re: [PHP-DB] Slashes or no slashes

2010-08-23 Thread Karl DeSaulniers
On Aug 23, 2010, at 11:38 PM, Karl DeSaulniers wrote: On Aug 23, 2010, at 10:35 PM, Chris wrote: Just to make sure, cause I am ready to get past this. Is this correct? function confirmUP($username, $password){ /* Verify that user is in database */ $q = SELECT password FROM .TBL_USERS.

Re: [PHP-DB] Slashes or no slashes

2010-08-22 Thread Chris
On 20/08/10 08:05, Karl DeSaulniers wrote: On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote: On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote: You should be using http://us2.php.net/manual/en/function.mysql-escape-string.php You don't need to search with extra slashes for retrieval.

RE: [PHP-DB] Slashes or no slashes

2010-08-19 Thread Daevid Vincent
You should be using http://us2.php.net/manual/en/function.mysql-escape-string.php You don't need to search with extra slashes for retrieval. -Original Message- From: Karl DeSaulniers [mailto:k...@designdrumm.com] Sent: Thursday, August 19, 2010 2:29 PM To: php-db@lists.php.net

Re: [PHP-DB] Slashes or no slashes

2010-08-19 Thread Karl DeSaulniers
On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote: You should be using http://us2.php.net/manual/en/function.mysql-escape-string.php You don't need to search with extra slashes for retrieval. -Original Message- From: Karl DeSaulniers [mailto:k...@designdrumm.com] Sent: Thursday,

Re: [PHP-DB] Slashes or no slashes

2010-08-19 Thread Karl DeSaulniers
On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote: On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote: You should be using http://us2.php.net/manual/en/function.mysql-escape-string.php You don't need to search with extra slashes for retrieval. -Original Message- From: Karl

Re: [PHP-DB] Slashes or no slashes

2010-08-19 Thread kapuoriginal
I think you should use prepared statements. Kapu -- From: Karl DeSaulniers k...@designdrumm.com Sent: Friday, August 20, 2010 12:05 AM To: php-db@lists.php.net Subject: Re: [PHP-DB] Slashes or no slashes On Aug 19, 2010, at 4:44 PM, Karl

Re: [PHP-DB] Slashes or no slashes

2010-08-19 Thread Karl DeSaulniers
: Friday, August 20, 2010 12:05 AM To: php-db@lists.php.net Subject: Re: [PHP-DB] Slashes or no slashes On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote: On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote: You should be using http://us2.php.net/manual/en/function.mysql-escape-string.php You don't

Re: [PHP-DB] Slashes

2003-12-11 Thread Ng Hwee Hwee
Hi, can I know when does the magic_quotes_gpc start adding slashes and stripping slashes? I removed my EscapeShellCmd and my data is inserted and retrieved from the database just as I wanted. The problem now comes when I retrieve that data and immediately insert them into another table..

Re: [PHP-DB] Slashes

2003-12-11 Thread Jason Wong
On Thursday 11 December 2003 17:27, Ng Hwee Hwee wrote: can I know when does the magic_quotes_gpc start adding slashes and stripping slashes? magic_quotes_gpc is for incoming GET/POST/Cookie data (NB it does not strip slashes) ... I removed my EscapeShellCmd and my data is inserted and

Re: [PHP-DB] Slashes

2003-12-10 Thread John W. Holmes
Ng Hwee Hwee wrote: just a quick question.. does it mean, i don't have to worry that my user may type any commands in my text field that may hurt my system since magic_quotes_gpc is on? Heh...of course not. :) All magic_quotes is going to do for you is escape quotes within your text. This will

Re: [PHP-DB] Slashes

2003-12-09 Thread John W. Holmes
Ng Hwee Hwee wrote: but why is it that I still get a backslash before an occurrence of a single-quote? for example, <td width="630" height="6"><? echo $fieldName; ?></td> where $fieldName is retrieved from the database through: Maybe magic_quotes_runtime is enabled? It will add slashes to data from

Re: [PHP-DB] Slashes

2003-12-09 Thread Ng Hwee Hwee
Hi John, thanx!... HH but why is it that I still get a backslash HH before an occurrence of a single-quote? HH for example, HH <td width="630" height="6"><? echo $fieldName; ?></td> HH where $fieldName is retrieved from the database through: JH Maybe magic_quotes_runtime is enabled? It will add

Re: [PHP-DB] Slashes

2003-12-09 Thread John W. Holmes
Ng Hwee Hwee wrote: $value = trim(EscapeShellCmd($fieldName)); and then I do a $query = "insert into table set name='$value'"; I swear I did not add any slashes twice (at least for what I know!!).. is there another way that I could have addslashes twice without my knowing?? Heh... look at the

Re: [PHP-DB] Slashes

2003-12-09 Thread Ng Hwee Hwee
type any commands in my text field that may hurt my system since magic_quotes_gpc is on? - Original Message - From: John W. Holmes [EMAIL PROTECTED] To: Ng Hwee Hwee [EMAIL PROTECTED] Cc: DBList [EMAIL PROTECTED] Sent: Wednesday, December 10, 2003 12:05 PM Subject: Re: [PHP-DB] Slashes