[PHP] Escaping MySQL passwords necessary when md5 is used?

2011-09-21 Thread Dotan Cohen
I have an application in which the password is stored in the database
as md5(md5('passWord').'userSpecificSalt'). I'm checking the password
entered with:
$password = md5(md5($_POST['password']) . 'userSpecificSalt');
$query = "SELECT id FROM table WHERE password='{$password}'";

Now I'm a bit queasy about not using mysql_real_escape_string() on
that $password variable! Please reassure me or tell me the folly of my
ways. Thanks!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Escaping MySQL passwords necessary when md5 is used?

2011-09-21 Thread Daniel Brown
On Wed, Sep 21, 2011 at 13:53, Dotan Cohen dotanco...@gmail.com wrote:
 I have an application in which the password is stored in the database
 as md5(md5('passWord').'userSpecificSalt'). I'm checking the password
 entered with:
 $password = md5(md5($_POST['password']) . 'userSpecificSalt');
 $query = "SELECT id FROM table WHERE password='{$password}'";

 Now I'm a bit queasy about not using mysql_real_escape_string() on
 that $password variable! Please reassure me or tell me the folly of my
 ways. Thanks!

It never hurts to be overly cautious, but as MD5 hashes are
strictly alphanumeric (using hex characters), you won't have an issue
with injection with the code above.  That is, of course, unless your
version of PHP is rebuilt without MD5 hash support, or some other
oddity that is on the outside edge of possibility.

-- 
/Daniel P. Brown
Network Infrastructure Manager
http://www.php.net/
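
The point made in the reply above, as an added example that is not part of the thread: the salted MD5 value is hex-only whatever the form input contains, and the same lookup can bind the value so it does not depend on that property. The `users` table, its columns, the sample inputs and the use of in-memory SQLite in place of MySQL are assumptions.

```php
<?php
// Added example, not code from the thread. The `users` table, its columns and
// the sample values are constructed; SQLite in memory stands in for MySQL.

function salted_md5(string $password, string $salt): string
{
    // The scheme from the question: md5(md5(password) . salt)
    return md5(md5($password) . $salt);
}

function is_hex_digest(string $value): bool
{
    // md5() with its second argument left at the default returns
    // 32 lowercase hex characters
    return preg_match('/\A[0-9a-f]{32}\z/', $value) === 1;
}

function find_user_id(PDO $db, string $hash): ?int
{
    // The value is bound, so the query stays safe even if the hashing step
    // is later changed, removed or replaced by something that is not hex-only.
    $stmt = $db->prepare('SELECT id FROM users WHERE password = :hash');
    $stmt->execute([':hash' => $hash]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT NOT NULL)');

$salt = 'userSpecificSalt';   // placeholder taken from the question
$insert = $db->prepare('INSERT INTO users (id, password) VALUES (:id, :hash)');
$insert->execute([':id' => 7, ':hash' => salted_md5('passWord', $salt)]);

// Constructed form inputs, including characters that matter inside SQL strings
$samples = ['passWord', "pass'Word", 'pass\\Word', "x' OR '1'='1", "caf\u{e9}\0"];

foreach ($samples as $input) {
    $hash = salted_md5($input, $salt);
    $id   = find_user_id($db, $hash);
    printf("%-18s hex-only=%s id=%s\n",
        json_encode($input),
        is_hex_digest($hash) ? 'yes' : 'no',
        $id === null ? 'none' : $id);
}
```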




Re: [PHP] Escaping MySQL passwords necessary when md5 is used?

2011-09-21 Thread Igor Escobar
If you're converting the input data to an md5 hash, there is no reason to escape it.



Regards,
Igor Escobar
Software Engineer
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar http://www.twitter.com/igorescobar





On Wed, Sep 21, 2011 at 2:53 PM, Dotan Cohen dotanco...@gmail.com wrote:

 I have an application in which the password is stored in the database
 as md5(md5('passWord').'userSpecificSalt'). I'm checking the password
 entered with:
 $password = md5(md5($_POST['password']) . 'userSpecificSalt');
 $query = "SELECT id FROM table WHERE password='{$password}'";

 Now I'm a bit queasy about not using mysql_real_escape_string() on
 that $password variable! Please reassure me or tell me the folly of my
 ways. Thanks!

 --
 Dotan Cohen

 http://gibberish.co.il
 http://what-is-what.com





Re: [PHP] Escaping MySQL passwords necessary when md5 is used?

2011-09-21 Thread Dotan Cohen
On Wed, Sep 21, 2011 at 21:03, Daniel Brown danbr...@php.net wrote:
    It never hurts to be overly cautious, but as MD5 hashes are
 strictly alphanumeric (using hex characters), you won't have an issue
 with injection with the code above.  That is, of course, unless your
 version of PHP is rebuilt without MD5 hash support, or some other
 oddity that is on the outside edge of possibility.


The rebuild without md5 is an interesting point. That sounds exactly
like the type of it-will-never-happen-until-it-happens-to-me problems!
Thanks for the heads up.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Escaping MySQL passwords necessary when md5 is used?

2011-09-21 Thread Dotan Cohen
Thanks Igor. I will sleep peacefully this night!


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Escaping MySQL passwords necessary when md5 is used?

2011-09-21 Thread Daniel Brown
On Wed, Sep 21, 2011 at 15:32, Dotan Cohen dotanco...@gmail.com wrote:

 The rebuild without md5 is an interesting point. That sounds exactly
 like the type of it-will-never-happen-until-it-happens-to-me problems!
 Thanks for the heads up.

I should've specified, though, that then you would simply have the
fatal error message (call to undefined function) pass through, not the
unhashed original text.

-- 
/Daniel P. Brown
Network Infrastructure Manager
http://www.php.net/




Re: [PHP] Escaping MySQL passwords necessary when md5 is used?

2011-09-21 Thread Dotan Cohen
On Wed, Sep 21, 2011 at 22:36, Daniel Brown danbr...@php.net wrote:
    I should've specified, though, that then you would simply have the
 fatal error message (call to undefined function) pass through, not the
 unhashed original text.


Yes, that is obvious.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




[PHP] Escaping '

2011-07-22 Thread Floyd Resler
I did a fresh install of PHP on a new server.  I had gotten used to PHP 
automatically adding a backslash before single quotes when form data is 
submitted.  It seems that is shut off in my new install.  How do I turn it back 
on?

Thanks!
Floyd





Re: [PHP] Escaping '

2011-07-22 Thread Daniel Brown
On Fri, Jul 22, 2011 at 11:48, Floyd Resler fres...@adex-intl.com wrote:
 I did a fresh install of PHP on a new server.  I had gotten used to PHP 
 automatically adding a backslash before single quotes when form data is 
 submitted.  It seems that is shut off in my new install.  How do I turn it 
 back on?

That's magic quotes, and it's been deprecated for quite some time,
and slated for complete removal.  While you shouldn't rely on it, if
you absolutely need to, just re-enable it in php.ini, .htaccess, or in
your code.

See more: http://php.net/manual/en/security.magicquotes.php

-- 
/Daniel P. Brown
Network Infrastructure Manager
http://www.php.net/




Re: [PHP] Escaping '

2011-07-22 Thread Richard Quadling
On 22 July 2011 16:54, Daniel Brown danbr...@php.net wrote:
 On Fri, Jul 22, 2011 at 11:48, Floyd Resler fres...@adex-intl.com wrote:
 I did a fresh install of PHP on a new server.  I had gotten used to PHP 
 automatically adding a backslash before single quotes when form data is 
 submitted.  It seems that is shut off in my new install.  How do I turn it 
 back on?

    That's magic quotes, and it's been deprecated for quite some time,
 and slated for complete removal.  While you shouldn't rely on it, if
 you absolutely need to, just re-enable it in php.ini, .htaccess, or in
 your code.

    See more: http://php.net/manual/en/security.magicquotes.php

 --
 /Daniel P. Brown
 Network Infrastructure Manager
 http://www.php.net/




Unless you are using a self-built V5.4.0 from today onwards.

Magic Quotes was finally removed completely and will give you an
E_CORE_ERROR if you attempt to enable it.

-- 
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea




Re: [PHP] Escaping '

2011-07-22 Thread Floyd Resler

On Jul 22, 2011, at 11:54 AM, Daniel Brown wrote:

 On Fri, Jul 22, 2011 at 11:48, Floyd Resler fres...@adex-intl.com wrote:
 I did a fresh install of PHP on a new server.  I had gotten used to PHP 
 automatically adding a backslash before single quotes when form data is 
 submitted.  It seems that is shut off in my new install.  How do I turn it 
 back on?
 
That's magic quotes, and it's been deprecated for quite some time,
 and slated for complete removal.  While you shouldn't rely on it, if
 you absolutely need to, just re-enable it in php.ini, .htaccess, or in
 your code.
 
See more: http://php.net/manual/en/security.magicquotes.php
 

I had forgotten what it was called.  While I don't like having to rely on it, 
I'm dealing with some really old code that does rely on it.  Some day I'll get 
around to rewriting that old stuff!  Thanks for reminding me what it was called!

Thanks!
Floyd






Re: [PHP] Escaping '

2011-07-22 Thread Floyd Resler

On Jul 22, 2011, at 12:08 PM, Richard Quadling wrote:

 On 22 July 2011 16:54, Daniel Brown danbr...@php.net wrote:
 On Fri, Jul 22, 2011 at 11:48, Floyd Resler fres...@adex-intl.com wrote:
 I did a fresh install of PHP on a new server.  I had gotten used to PHP 
 automatically adding a backslash before single quotes when form data is 
 submitted.  It seems that is shut off in my new install.  How do I turn it 
 back on?
 
That's magic quotes, and it's been deprecated for quite some time,
 and slated for complete removal.  While you shouldn't rely on it, if
 you absolutely need to, just re-enable it in php.ini, .htaccess, or in
 your code.
 
See more: http://php.net/manual/en/security.magicquotes.php
 
 --
 /Daniel P. Brown
 Network Infrastructure Manager
 http://www.php.net/
 
 
 
 
 Unless you are using a self-built V5.4.0 from today onwards.
 
 Magic Quotes was finally removed completely and will give you an
 E_CORE_ERROR if you attempt to enable it.
 
 -- 
 Richard Quadling
 Twitter : EE : Zend : PHPDoc
 @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
 

Guess I won't be upgrading until I can do some code rewriting.

Take care,
Floyd





Re: [PHP] newbie - PHP escaping trigger happy

2008-09-02 Thread seungp
IIRC. That's covered under magic quotes . You should be able to turn that off 
via a config switch in php.ini or .htaccess.

  
-Original Message-
From: Govinda [EMAIL PROTECTED]

Date: Mon, 1 Sep 2008 20:21:10 
To: PHP-General List <php-general@lists.php.net>
Subject: [PHP] newbie - PHP escaping trigger happy

Just a quick Q, which I know has to be in the docs somewhere, but I  
haven't come across it yet-

PHP automatically escaping single and double quotes...  how to turn it  
off?

I.e.-
in a form text input, someone inputs
love's "influence" <grows>

and on the posted page I get:
love\'s \"influence\" <grows>

When I wrap that with  htmlspecialchars , then I get:
love\&#039;s \&quot;influence\&quot; &lt;grows&gt;

What I want is:
love&#039;s &quot;influence&quot;  &lt;grows&gt;

in this case anyway.  Probably if I understood why PHP was escaping  
the quotes, then I likely would want that behavior in those  
circumstances it was designed for...  but not now, and I don't know  
how to turn it off.

Thanks,
-Govinda




Re: [PHP] newbie - PHP escaping trigger happy

2008-09-02 Thread Govinda

You guys got me on the right track, but:

On my Mac OS10.5.4/Apache2/webmin local (dev) setup (of which I know  
very little) I managed to find php.ini.default, make a copy while  
renaming to php.ini, open the copy (php.ini), and change that on  
to an off (the only one of the 3 that was on).  So now in that file,  
here is what I have:


; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from  
exec(), etc.

magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

I go into webmin -- PHP and 'hand-edit' the PHP config file to  
convince myself that what I did should be recognized by Apache/PHP,  
and the textarea contents match.


So, WHY is php still escaping my quotes?

-Govinda

On Sep 2, 2008, at 10:36 AM, [EMAIL PROTECTED] wrote:
IIRC. That's covered under magic quotes . You should be able to turn  
that off via a config switch in php.ini or .htaccess.







Re: [PHP] newbie - PHP escaping trigger happy

2008-09-02 Thread Seung Park
1) did you restart the server to take advantage of the new settings?

2) are you sure you're running the php.ini at all?   (run phpinfo() from a
page to make sure that the server has read the right copy of php.ini)



On Tue, Sep 2, 2008 at 4:12 PM, Govinda [EMAIL PROTECTED] wrote:

 You guys got me on the right track, but:

 On my Mac OS10.5.4/Apache2/webmin local (dev) setup (of which I know very
 little) I managed to find php.ini.default, make a copy while renaming to
 php.ini, open the copy (php.ini), and change that on to an off (the
 only one of the 3 that was on).  So now in that file, here is what I have:

 ; Magic quotes for incoming GET/POST/Cookie data.
 magic_quotes_gpc = Off

 ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(),
 etc.
 magic_quotes_runtime = Off

 ; Use Sybase-style magic quotes (escape ' with '' instead of \').
 magic_quotes_sybase = Off

 I go into webmin -- PHP and 'hand-edit' the PHP config file to convince
 myself that what I did should be recognized by Apache/PHP, and the textarea
 contents match.

 So, WHY is php still escaping my quotes?

 -Govinda

 On Sep 2, 2008, at 10:36 AM, [EMAIL PROTECTED] wrote:

 IIRC. That's covered under magic quotes . You should be able to turn that
 off via a config switch in php.ini or .htaccess.






Re: [PHP] newbie - PHP escaping trigger happy

2008-09-02 Thread Govinda


On Sep 2, 2008, at 6:02 PM, Seung Park wrote:


1) did you restart the server to take advantage of the new settings?

no.  That was it.  Solved.  Sorry for what turned out to be OT.  When  
we're that green, we don't know OT from T.


2) are you sure you're running the php.ini at all?   (run phpinfo()  
from a

page to make sure that the server has read the right copy of php.ini)


Um.. no I wasn't.  Now I can check that all by myself too.  Thanks! ;-)

-G





[PHP] newbie - PHP escaping trigger happy

2008-09-01 Thread Govinda
Just a quick Q, which I know has to be in the docs somewhere, but I  
haven't come across it yet-


PHP automatically escaping single and double quotes...  how to turn it  
off?


I.e.-
in a form text input, someone inputs
love's "influence" <grows>

and on the posted page I get:
love\'s \"influence\" <grows>

When I wrap that with  htmlspecialchars , then I get:
love\&#039;s \&quot;influence\&quot; &lt;grows&gt;

What I want is:
love&#039;s &quot;influence&quot;  &lt;grows&gt;

...in this case anyway.  Probably if I understood why PHP was escaping  
the quotes, then I likely would want that behavior in those  
circumstances it was designed for...  but not now, and I don't know  
how to turn it off.


Thanks,
-Govinda




Re: [PHP] newbie - PHP escaping trigger happy

2008-09-01 Thread Eric Butera
On Mon, Sep 1, 2008 at 10:21 PM, Govinda [EMAIL PROTECTED] wrote:
 Just a quick Q, which I know has to be in the docs somewhere, but I haven't
 come across it yet-

 PHP automatically escaping single and double quotes...  how to turn it off?

 I.e.-
 in a form text input, someone inputs
 love's "influence" <grows>

 and on the posted page I get:
 love\'s \"influence\" <grows>

 When I wrap that with  htmlspecialchars , then I get:
 love\&#039;s \&quot;influence\&quot; &lt;grows&gt;

 What I want is:
 love&#039;s &quot;influence&quot;  &lt;grows&gt;

 ...in this case anyway.  Probably if I understood why PHP was escaping the
 quotes, then I likely would want that behavior in those circumstances it was
 designed for...  but not now, and I don't know how to turn it off.

 Thanks,
 -Govinda




http://us.php.net/magicquotes




[PHP] Escaping JavaScript strings

2008-05-29 Thread Edward Kay
Hello,

I'm adding functionality to allow a user to copy data on a page to the
clipboard using JS. This can be done simply with:

  window.clipboardData.setData('Text','String to copy to clipboard');

The string from PHP needs to contain line breaks when copied into the
clipboard. This works when I use \n, e.g. 'This string\nspans
multiple\nlines' but how do I escape this string when outputting it from
PHP?

addslashes() seems the obvious choice, but as it escapes backslashes, the \n
chars end up in the clipboard!



Using hard new lines in the argument passed to the JS function doesn't work
as this causes JS errors:

DOESN'T WORK:
<script type="text/javascript">

var sCopy = 'String to copy
to clipboard';

</script>

<input type="button" value="COPY"
onclick="window.clipboardData.setData('Text',sCopy);" />



Any ideas?

Thanks,
Edward





Re: [PHP] Escaping JavaScript strings

2008-05-29 Thread Richard Heyes

 ...

This is a PHP function that escapes strings so you can output them as a 
JS string. IIRC it assumes you're using single quotes to enclose your 
strings.


/**
 * Function to appropriately escape a string so it can be output
 * into javascript code.
 *
 * @param  string $string Input string to escape
 * @return string Escaped string
 */
function escapeString($string)
{
    // Keys are the raw characters, values are their JS escape sequences
    $js_escape = array("\r" => '\r',
                       "\n" => '\n',
                       "\t" => '\t',
                       "'"  => "\\'",
                       '\\' => '\\\\');

    return strtr($string, $js_escape);
}

--
  Richard Heyes

 In Cambridge? Employ me
http://www.phpguru.org/cv

++
| Access SSH with a Windows mapped drive |
|http://www.phpguru.org/sftpdrive|
++
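
An alternative to a hand-written escape table for the question above, as an added example that is not part of the thread: `json_encode()` produces a JavaScript string literal from a PHP string, including the line breaks the clipboard text needs. The helper name `js_string_literal()` and the sample text are assumptions.

```php
<?php
// Added example, not code from the thread. js_string_literal() is a
// hypothetical helper name and the sample text is constructed.

function js_string_literal(string $text): string
{
    // json_encode() emits a double-quoted literal that JavaScript accepts,
    // turning newlines into \n and backslashes into \\. The JSON_HEX_* flags
    // also encode < > & ' " as \uXXXX, so nothing inside the literal can
    // close the surrounding <script> block.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode($text, $flags);
    if ($literal === false) {
        // For example, input that is not valid UTF-8
        throw new InvalidArgumentException(json_last_error_msg());
    }
    return $literal;
}

// Constructed text: hard line breaks, a single quote, a backslash and a
// closing script tag, all of which must arrive in the clipboard unchanged.
$text = "Line one\nIt's line two \\ with a backslash\n</script> stays text";

$sCopy = js_string_literal($text);

// The literal carries its own quotes, so it is written without extra ones.
echo "<script type=\"text/javascript\">\n";
echo "var sCopy = {$sCopy};\n";
echo "</script>\n";
echo '<input type="button" value="COPY" ',
     'onclick="window.clipboardData.setData(\'Text\', sCopy);" />', "\n";
```

The literal is meant for a script block as shown; if it is written directly into an HTML attribute such as `onclick`, it additionally needs `htmlspecialchars()` because its delimiters are double quotes.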




RE: [PHP] Escaping JavaScript strings

2008-05-29 Thread Edward Kay

 
 This is a PHP function that escapes strings so you can output them as a 
 JS string. IIRC it assumes you're using single quotes to enclose your 
 strings.
 
  /**
   * Function to appropriately escape a string so it can be output
   * into javascript code.
   *
   * @param  string $string Input string to escape
   * @return string Escaped string
   */
  function escapeString($string)
  {
      // Keys are the raw characters, values are their JS escape sequences
      $js_escape = array("\r" => '\r',
                         "\n" => '\n',
                         "\t" => '\t',
                         "'"  => "\\'",
                         '\\' => '\\\\');

      return strtr($string, $js_escape);
  }


Just what was needed - thanks Richard.

Edward




[PHP] Escaping quotes for DB Entry

2006-05-26 Thread Brad Bonkoski

All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have a 
*real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?
It seems that addslashes gets a lot of flack, but is there any 
other/better way?

-Brad




Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:

All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have a 
*real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?
It seems that addslashes gets a lot of flack, but is there any 
other/better way?


if this is about escaping single quotes (and there maybe other stuff that needs
escaping - stuff I can't think of right now - stuff that may or may not be 
related
to the encoding one is using [e.g. unicode]) then one should be escaping single 
quotes
with single quotes:

UPDATE blatable SET blafield = 'my ''blablabla''';

which all decent/recent DBMS' support IIRC.


-Brad






Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Brad Bonkoski



Jochem Maas wrote:


Brad Bonkoski wrote:


All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have 
a *real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?
It seems that addslashes gets a lot of flack, but is there any 
other/better way?



if this is about escaping single quotes (and there maybe other stuff 
that needs
escaping - stuff I can't think of right now - stuff that may or may 
not be related
to the encoding one is using [e.g. unicode]) then one should be 
escaping single quotes

with single quotes:

UPDATE blatable SET blafield = 'my ''blablabla''';

which all decent/recent DBMS' support IIRC.

Understood what the escape character needs to be...the question is the 
best way to get it there?

Currently I have:
magic_quotes_sybase = On
so a function call like addslashes() would actually escape single quotes 
with another single quote...

Is there a better/more secure way?


-Brad








Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:

All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have a 
*real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?


looking at the manual I would assume that ora_bind() is the best way of safely
stuffing things into an oracle DB:

http://php.net/manual/en/function.ora-bind.php

if this function is of any worth it *should* be doing any/all proper escaping of
data 'under water' and hopefully much more thoroughly/correctly than anything 
you/we
could do in userland.

<remark type="biased">
of course you could use firebird DB (php5 interbase extension) and just make 
use of
the built in parameterized query functionality - which is simple to use, doesn't
require endless reams of parameter binding declaration and is rock solid (i.e. 
no
matter how crap my input filtering is SQL injection remains impossible ;-))
</remark>

It seems that addslashes gets a lot of flack, but is there any 
other/better way?

-Brad






Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:



Jochem Maas wrote:



...



Understood what the escape character needs to be...the question is the 
best way to get it there?

Currently I have:
magic_quotes_sybase = On


this adds single quotes automatically - addslashes (unless I'm mistaken -
wouldn't be the first time) would add slashes (and not single quotes)
which is not what you want.

so a function call like addslashes() would actually escape single quotes 
with another single quote...




Is there a better/more secure way?


my preference is to have all magic_quote_BLA ini settings set to
off and explicitly escape my data (after validation/cleaning) according to
the context the data is being use in (e.g. DB insertion as per this discussion)

if/when trying to write truly portable code you will have to have routines
that check the actual magic quotes settings and depending on the actual 
values/settings
normalize your data accordingly... which can be a right PITA to do properly :-)




-Brad
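
The normalizing routine described above, combined with the output escaping asked about in the "escaping trigger happy" thread, as an added example that is not part of either thread. The function names, their parameters and the sample values are assumptions; the magic-quotes state is passed in as flags so the routine can be exercised on a PHP version that no longer has the feature.

```php
<?php
// Added example, not code from the thread. Function and parameter names are
// hypothetical; the sample values are constructed from the posts.

function magic_quotes_state(): array
{
    // get_magic_quotes_gpc() always returns false from PHP 5.4 on and no
    // longer exists in PHP 8, so probe for it before calling.
    $gpc = function_exists('get_magic_quotes_gpc') && (bool) @get_magic_quotes_gpc();
    // ini_get() returns false for a directive this PHP build does not know.
    $sybase = $gpc && filter_var(ini_get('magic_quotes_sybase'), FILTER_VALIDATE_BOOLEAN);
    return ['gpc' => $gpc, 'sybase' => $sybase];
}

function undo_magic_quotes($value, bool $gpc, bool $sybase)
{
    if (!$gpc) {
        return $value;              // nothing was added, nothing to strip
    }
    if (is_array($value)) {         // e.g. form fields named tags[]
        foreach ($value as $key => $item) {
            $value[$key] = undo_magic_quotes($item, $gpc, $sybase);
        }
        return $value;
    }
    if (!is_string($value)) {
        return $value;
    }
    // Sybase mode doubles single quotes and leaves everything else alone;
    // the default mode puts a backslash before ' " \ and NUL.
    return $sybase ? str_replace("''", "'", $value) : stripslashes($value);
}

function html_text(string $raw): string
{
    // Escape for the HTML context at output time, after normalizing
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed: the same form value as it arrives under each configuration
$cases = [
    'magic quotes on'  => ['love\\\'s \\"influence\\" <grows>', true, false],
    'sybase mode on'   => ["love''s \"influence\" <grows>", true, true],
    'magic quotes off' => ['love\'s "influence" <grows>', false, false],
];

foreach ($cases as $label => [$value, $gpc, $sybase]) {
    $raw = undo_magic_quotes($value, $gpc, $sybase);
    printf("%-17s raw:  %s\n%-17s html: %s\n", $label, $raw, '', html_text($raw));
}

// In a request handler the flags come from the running configuration:
$state = magic_quotes_state();
$_POST = undo_magic_quotes($_POST, $state['gpc'], $state['sybase']);
```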










Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Brad Bonkoski



Jochem Maas wrote:


Brad Bonkoski wrote:




Jochem Maas wrote:



...



Understood what the escape character needs to be...the question is 
the best way to get it there?

Currently I have:
magic_quotes_sybase = On



this adds single quotes automatically - addslashes (unless I'm mistaken -
wouldn't be the first time) would add slashes (and not single quotes)
which is not what you want.

Only done automatically IFF magic_quotes_gpc is ALSO on, which in my 
case it is off.


excerpts from manual
magic_quotes_sybase *boolean* 
http://www.php.net/manual/en/language.types.boolean.php


If magic_quotes_sybase is on, a single-quote is escaped with a 
single-quote instead of a backslash if magic_quotes_gpc 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc or 
magic_quotes_runtime 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime are 
enabled.


-and -
An example use of *addslashes()* is when you're entering data into a 
database. For example, to insert the name O'reilly into a database, you 
will need to escape it. Most databases do this with a \ which would mean 
O\'reilly. This would only be to get the data into the database, the 
extra \ will not be inserted. Having the PHP directive 
magic_quotes_sybase 
http://www.php.net/manual/en/ref.sybase.php#ini.magic-quotes-sybase 
set to on will mean ' is instead escaped with another '.


so a function call like addslashes() would actually escape single 
quotes with another single quote...





Is there a better/more secure way?



my preference is to have all magic_quote_BLA ini settings set to
off and explicitly escape my data (after validation/cleaning) 
according to
the context the data is being use in (e.g. DB insertion as per this 
discussion)


if/when trying to write truly portable code you will have to have 
routines
that check the actual magic quotes settings and depending on the 
actual values/settings
normalize your data accordingly... which can be a right PITA to do 
properly :-)


Understood...
The Oracle work I do is in a 'controlled' environment, but portability 
should be factored in at some point! 
I will test out the ora_bind function to see if that does escaping for 
me, but that is a PITA!  especially with large queries...


What about your firebird suggestion, does this work well with Oracle 
connections and queries? 






-Brad












Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:





...



this adds single quotes automatically - addslashes (unless I'm mistaken -
wouldn't be the first time) would add slashes (and not single quotes)
which is not what you want.

Only done automatically IFF magic_quotes_gpc is ALSO on, which in my 
case it is off.


excerpts from manual
magic_quotes_sybase *boolean* 
http://www.php.net/manual/en/language.types.boolean.php


If magic_quotes_sybase is on, a single-quote is escaped with a 
single-quote instead of a backslash if magic_quotes_gpc 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc or 
magic_quotes_runtime 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime are 
enabled.


-and -
An example use of *addslashes()* is when you're entering data into a 
database. For example, to insert the name O'reilly into a database, you 
will need to escape it. Most databases do this with a \ which would mean 
O\'reilly. This would only be to get the data into the database, the 
extra \ will not be inserted. Having the PHP directive 
magic_quotes_sybase 
http://www.php.net/manual/en/ref.sybase.php#ini.magic-quotes-sybase 
set to on will mean ' is instead escaped with another '.


consider this a reminder to myself to RTFM. ;-)

...




Is there a better/more secure way?




...



Understood...
The Oracle work I do is in a 'controlled' environment, but portability 
should be factored in at some point! I will test out the ora_bind 
function to see if that does escaping for me, but that is a PITA!  
especially with large queries...


indeed - probably worth the time to write some kind of generic routine to
do the binding based on field datatypes etc - then again that probably will cost
you performance... you know the saying you can't have your cake and eat it



What about your firebird suggestion, does this work well with Oracle 
connections and queries?




no my firebird suggestion only works at all when connecting to firebird 
databases. :-)
but when you do connect to a firebird db it works very well indeed ;-)




RE: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Ford, Mike
 From: Brad Bonkoski [mailto:[EMAIL PROTECTED]
 Sent: Fri 26/05/2006 15:41
 
 A lot has been said recently about the dangers of the family of
 magic_quotes...
 I understand the dangers.
 The question is, for those of us using a database that does not have a
 *real_escape_string function...Oracle for example.
 What is the *best* way to escape quotes for DB insertion?

Well, since Oracle escapes single-quotes with another single quote, on the few 
occasions when I actually have to escape I generally just run:
 
$safe_str = str_replace("'", "''", $str);
 
- 
Mike Ford,  Electronic Information Services Adviser, 
Learning Support Services, Learning  Information Services, 
JG125, James Graham Building, Leeds Metropolitan University, 
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom 
Email: [EMAIL PROTECTED] 
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 




To view the terms under which this email is distributed, please go to 
http://disclaimer.leedsmet.ac.uk/email.htm


RE: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Ford, Mike
 From: Jochem Maas [mailto:[EMAIL PROTECTED]
 Sent: Fri 26/05/2006 15:54

 
 Brad Bonkoski wrote:
  All...
  A lot has been said recently about the dangers of the family of
  magic_quotes...
  I understand the dangers.
  The question is, for those of us using a database that does not have a
  *real_escape_string function...Oracle for example.
  What is the *best* way to escape quotes for DB insertion?
 
 looking at the manual I would assume that ora_bind() is the best way of safely
 stuffing things into an oracle DB:
 
 http://php.net/manual/en/function.ora-bind.php

Whoa, that is way out of date - the ora_ functions have been deprecated as 
long as I've been using PHP, which is several years now! You should be using 
the OCI extension, and oci_bind_by_name().

 if this function is of any worth it *should* be doing any/all proper escaping 
 of
 data 'under water' and hopefully much more thoroughly/correctly than anything 
 you/we
 could do in userland.
 
 <remark type="biased">
 of course you could use firebird DB (php5 interbase extension) and just make 
 use of
 the built in parameterized query functionality - which is simple to use, 
 doesn't
 require endless reams of parameter binding declaration and is rock solid 
 (i.e. no
 matter how crap my input filtering is SQL injection remains impossible ;-))
 </remark>
 
oci_bind_by_name() (and, presumably, ora-bind() before it) *is* Oracle's 
parameterized query equivalent -- admittedly not quite as elegant, but no 
escaping required and is rock solid (i.e. no matter how crap [your] input 
filtering is SQL injection remains impossible!).
 
- 
Mike Ford,  Electronic Information Services Adviser, 
Learning Support Services, Learning  Information Services, 
JG125, James Graham Building, Leeds Metropolitan University, 
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom 
Email: [EMAIL PROTECTED] 
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 
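
The point made above about bound parameters, as an added example that is not from the original thread. PDO with an in-memory SQLite database stands in for Oracle so that it runs offline (an assumption); the table and sample values are constructed, and the OCI8 call sequence is noted in a comment.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the thread. PDO + in-memory SQLite stand
// in for Oracle (assumption) so the script runs offline. With OCI8 the same
// shape is: oci_parse($conn, $sql); oci_bind_by_name($stmt, ':author', $author);
// oci_execute($stmt);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input: values that contain quote characters.
$samples = [
    ['author' => "O'Brien",      'body' => 'He said "hello"'],
    ['author' => "x' OR '1'='1", 'body' => "ends with a quote '"],
];

$insert = $db->prepare('INSERT INTO notes (author, body) VALUES (:author, :body)');
foreach ($samples as $row) {
    $insert->execute([':author' => $row['author'], ':body' => $row['body']]);
}

/** Bound parameter: the value travels separately from the SQL text. */
function findBound(PDO $db, string $author): array
{
    $stmt = $db->prepare('SELECT author FROM notes WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Concatenation, shown only for contrast: the value becomes part of the SQL. */
function findConcatenated(PDO $db, string $author): array
{
    $sql = "SELECT author FROM notes WHERE author = '" . $author . "'";
    try {
        return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        return ['<SQL error: ' . $e->getMessage() . '>'];
    }
}

foreach ($samples as $row) {
    printf("input: %s\n", $row['author']);
    printf("  bound        -> %s\n", json_encode(findBound($db, $row['author'])));
    printf("  concatenated -> %s\n", json_encode(findConcatenated($db, $row['author'])));
}
```

With the bound version each input matches only the row that literally contains it; the concatenated version either fails to parse or matches every row.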




[PHP] Escaping double quotes

2006-05-25 Thread Pavleck, Jeremy D.
So I'm writing this page (PHP Newbie here) and it checks to see if a var
is set, if it isn't it spits out the form info like so: echo form
action=myform.php method=post;
Now is there a way to 'wrap' that so I don't have to escape quotes?
Something like Perl's 'qq' function is what I'm looking for. 
I tried a few different functions from the website, magic_quotes,
addslashes, htmlspecial etc etc but none did what I was looking for

Jeremy Pavleck
Network Engineer  - Systems Management
IT Networks and Infrastructure 

Direct Line: 612-977-5881
Toll Free: 1-888-CAPELLA ext. 5881
Fax: 612-977-5053
E-mail: [EMAIL PROTECTED]

Capella University
225 South 6th Street, 9th Floor
Minneapolis, MN 55402

www.capella.edu




Re: [PHP] Escaping double quotes

2006-05-25 Thread Dave Goodchild

On 25/05/06, Pavleck, Jeremy D. [EMAIL PROTECTED] wrote:


So I'm writing this page (PHP Newbie here) and it checks to see if a var
is set, if it isn't it spits out the form info like so: echo form
action=myform.php method=post;
Now is there a way to 'wrap' that so I don't have to escape quotes?
Something like Perl's 'qq' function is what I'm looking for.
I tried a few different functions from the website, magic_quotes,
addslashes, htmlspecial etc etc but none did what I was looking for

You know you can switch the php parser on and off like so:


<?php if (isset($var)) { ?>

<form action="myform.php" method="post">

<?php } ?>

which is a bit more efficient and better than all those echo statements and
escapes?

--
http://www.web-buddha.co.uk

dynamic web programming from Reigate, Surrey UK (php, mysql, xhtml, css)

look out for project karma, our new venture, coming soon!


Re: [PHP] Escaping double quotes

2006-05-25 Thread siavash1979

 So I'm writing this page (PHP Newbie here) and it checks to see if a var
 is set, if it isn't it spits out the form info like so: echo form
 action=myform.php method=post;
 Now is there a way to 'wrap' that so I don't have to escape quotes?
 Something like Perl's 'qq' function is what I'm looking for. 
 I tried a few different functions from the website, magic_quotes,
 addslashes, htmlspecial etc etc but none did what I was looking for
 
 Jeremy Pavleck
 Network Engineer  - Systems Management
 IT Networks and Infrastructure 
   
 Direct Line: 612-977-5881
 Toll Free: 1-888-CAPELLA ext. 5881
 Fax: 612-977-5053
 E-mail: [EMAIL PROTECTED]
   
 Capella University
 225 South 6th Street, 9th Floor
 Minneapolis, MN 55402
 
 www.capella.edu


I believe you can just use single quote for this example of yours.

echo '<form action="myform.php" method="post">';




Re: [PHP] Escaping double quotes

2006-05-25 Thread John Nichel

Pavleck, Jeremy D. wrote:

So I'm writing this page (PHP Newbie here) and it checks to see if a var
is set, if it isn't it spits out the form info like so: echo form
action=myform.php method=post;
Now is there a way to 'wrap' that so I don't have to escape quotes?
Something like Perl's 'qq' function is what I'm looking for. 
I tried a few different functions from the website, magic_quotes,

addslashes, htmlspecial etc etc but none did what I was looking for



http://us2.php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]




Re: [PHP] Escaping double quotes

2006-05-25 Thread Mindaugas L

or heredoc syntax :)

On 5/25/06, John Nichel [EMAIL PROTECTED] wrote:


Pavleck, Jeremy D. wrote:
 So I'm writing this page (PHP Newbie here) and it checks to see if a var
 is set, if it isn't it spits out the form info like so: echo form
 action=myform.php method=post;
 Now is there a way to 'wrap' that so I don't have to escape quotes?
 Something like Perl's 'qq' function is what I'm looking for.
 I tried a few different functions from the website, magic_quotes,
 addslashes, htmlspecial etc etc but none did what I was looking for



http://us2.php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]






--
Mindaugas


Re: [PHP] Escaping double quotes

2006-05-25 Thread Shane
Not sure I understand your question correctly. I think you can just use 
something like:


echo '<form action="myform.php" method="post">';

Mindaugas L wrote:

or heredoc syntax :)

On 5/25/06, John Nichel [EMAIL PROTECTED] wrote:



Pavleck, Jeremy D. wrote:
 So I'm writing this page (PHP Newbie here) and it checks to see if a 
var

 is set, if it isn't it spits out the form info like so: echo form
 action=myform.php method=post;
 Now is there a way to 'wrap' that so I don't have to escape quotes?
 Something like Perl's 'qq' function is what I'm looking for.
 I tried a few different functions from the website, magic_quotes,
 addslashes, htmlspecial etc etc but none did what I was looking for



http://us2.php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc 



--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]




[PHP] Escaping

2005-03-21 Thread Mário Gamito
Hi,
I want this code to display peoples' names within a hyperlink.
I'm tired of trying different ways, read all about it in PHP's manual, 
but I can't get it there.

You can visit http://www.dte.ua.pt/cv
In the rightmost column it is supposed to appear two names below Links, 
but... it doesn't, because I can't straighten out the escaping :(

Any help would be appreciated.
The code follows my signature.
Warm Regards,
Mário Gamito
--
// select names to display in the right column
  $recordSet = $conn->Execute('SELECT name FROM users');
  while (!$recordSet->EOF) {
   print ('<a href=\'http://www.dte.ua.pt/cv/email=?' . 
$recordSet->fields[0] . '\'' . '<br />');
   $recordSet->MoveNext();
  }



[PHP] Escaping using htmlentities

2005-02-03 Thread W Luke
Hi.

htmlentities has worked pretty well so far for me...except when it
comes across something like ñw or ñ0w in an RSS feed (v2)

It tries to convert the ntilde - and it does, but because the ñ
doesn't have a space next to the w or the 0w, it breaks the XML and it
comes out as &ntilde;0w which, I think, is bad XML

I thought ampersands were my biggest worry, but this has got me really
stumped!  I'm not even sure if I'm *right* in thinking the problem is
the lack of spaces between the special characters.  Can anyone shed
any light on this?

Thanks

-- 
Will   The Corridor of Uncertainty   http://www.cricket.mailliw.com/
 - Sanity is a madness put to good use -




[PHP] escaping quotes

2005-01-27 Thread Giles
Hi Guys

Really simple question. How do I change the following:

print(value=' . $attributes[messageSubject] . ');

to have double quotes around the subject field instead. i.e.:

print(value= . $attributes[messageSubject] . );

thanks

Giles Roadnight
http://giles.roadnight.name




[PHP] Re:[PHP] escaping quotes

2005-01-27 Thread Binoy AV
 

 Hi,

 Try this
 
 print("value=\"" . $attributes[messageSubject] . "\"");


 Binoy 

 



[PHP] [ParrotHeadPoster] - Re: [PHP] escaping quotes

2005-01-27 Thread Jochem Maas
I had a parrot idea whilst writing this.. (see bottom)
Giles wrote:
Hi Guys
Really simple question. How do I change the following:
print(value=' . $attributes[messageSubject] . ');
to have double quotes around the subject field instead. i.e.:
print(value= . $attributes[messageSubject] . );
you have to escape the doublequotes in question - this is done with
a backslash:
print("value=\"" . $attributes[messageSubject] . "\"");
or like this if you find it more readable (avoids the backslashes):
printf('value="%s"', $attributes[messageSubject]);
actually you can do loads of funky things with printf() and its brother
sprintf() etc - check out the manual for all the formatting codes (e.g. '%s')
that are available
lastly, learn what string interpolation is and why it is technically
neater to only use doublequotes to delimit your php strings when you
want/require string interpolation to happen.
---
ParrotTalk: I think that this topic of string interpolation/quotes
deserves 'parrot' attention which made me think that maybe the parrot
could parse for markers (that if added to an email by an authorized poster)
would mark the post/thread as suitable material for 'training' the 'parrot'


thanks
Giles Roadnight
http://giles.roadnight.name


RE: [PHP] escaping quotes

2005-01-27 Thread Ford, Mike



On 27 January 2005 12:14, Giles wrote:

 Hi Guys
 
 Really simple question. How do I change the following:
 
 print(value=' . $attributes[messageSubject] . ');
 
 to have double quotes around the subject field instead. i.e.:
 
 print(value= . $attributes[messageSubject] . );

print('value="' . $attributes[messageSubject] . '"');

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning  Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 




RE: [PHP] escaping quotes

2005-01-27 Thread Mikey
 Hi Guys
 
 Really simple question. How do I change the following:
 
 print(value=' . $attributes[messageSubject] . ');
 
 to have double quotes around the subject field instead. i.e.:
 
 print(value= . $attributes[messageSubject] . );
 

Simple:

Print ("value=\"{$attributes['messageSubject']}\"");

HTH,

Mikey




Re: [PHP] escaping quotes

2005-01-27 Thread John Holmes
Giles wrote:
Hi Guys
Really simple question. How do I change the following:
print(value=' . $attributes[messageSubject] . ');
to have double quotes around the subject field instead. i.e.:
print(value= . $attributes[messageSubject] . );
print(value=\ . $attributes[messageSubject] . \);
print("value=\"{$attributes['messageSubject']}\"");
Although, to prevent any vulnerabilities, you probably want:
print("value=\"" . htmlentities($attributes[messageSubject]) . "\"");
if you're not already doing so at some point.
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals  www.phparch.com
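
Added example (not from the thread) of the escaping recommended above, with the quote flags made explicit: before PHP 8.1 htmlentities() defaulted to ENT_COMPAT, which leaves single quotes alone and so does not protect the single-quoted value='...' form from the original question. The sample subjects are constructed, and DOMDocument is used only to list the attributes an HTML parser ends up seeing.

```php
<?php
declare(strict_types=1);

/** Render the attribute with the given quote character and escaping flags. */
function valueAttr(string $subject, string $quote, int $flags): string
{
    return 'value=' . $quote . htmlentities($subject, $flags, 'UTF-8') . $quote;
}

/** Names of the attributes an HTML parser finds on <input ATTRS>. */
function parsedAttributes(string $attrs): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // keep parser warnings quiet
    $doc->loadHTML('<input ' . $attrs . '>');
    libxml_clear_errors();
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed sample subjects.
$subjects = [
    'Re: "urgent" <fwd> & more',
    "Meeting at 5 o'clock",
    'x" data-injected="1',
    "x' data-injected='1",
];

foreach ($subjects as $s) {
    $cases = [
        'double-quoted, ENT_COMPAT' => valueAttr($s, '"', ENT_COMPAT),
        'single-quoted, ENT_COMPAT' => valueAttr($s, "'", ENT_COMPAT),
        'single-quoted, ENT_QUOTES' => valueAttr($s, "'", ENT_QUOTES),
    ];
    echo "subject: $s\n";
    foreach ($cases as $label => $attr) {
        printf("  %-26s %-52s attrs: %s\n", $label, $attr,
            implode(',', parsedAttributes($attr)));
    }
}
```

Only the single-quoted ENT_COMPAT rows produce attributes other than value, which is the case the explicit ENT_QUOTES flag closes.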


[PHP] Re: [ParrotHeadPoster] - Re: [PHP] escaping quotes

2005-01-27 Thread Jason Barnett
Jochem Maas wrote:
I had a parrot idea whilst writing this.. (see bottom)
...
---
ParrotTalk: I think that this topic of string interpolation/quotes
deserves 'parrot' attention which made me think that maybe the parrot
could parse for markers (that if added to an email by an authorized poster)
would mark the post/thread as suitable material for 'training' the 'parrot'
Actually that is a pretty good way to handle it... regardless of whether 
we use the Bayesian/SPAM or Heuristic approach.  It wouldn't require 
anyone to go to any website, just reply to a message like normal and tag it.

phParrot /
And then, if the parrot didn't already respond to the original 
message... well, then it could be trained / told to respond directly to 
that message.



Re: [PHP] escaping quotes

2005-01-27 Thread Richard Lynch
John Holmes wrote:
 print(value=\ . $attributes[messageSubject] . \);

Slight typo there:

value=\ . ...

-- 
Like Music?
http://l-i-e.com/artists.htm




RE: [PHP] escaping quotes

2005-01-27 Thread Giles
Thanks, that works great.

Knew that worked for JavaScript but didn't know it worked for PHP.

Giles Roadnight
http://giles.roadnight.name


-Original Message-
From: Richard Lynch [mailto:[EMAIL PROTECTED] 
Sent: 27 January 2005 17:07
To: John Holmes
Cc: Giles; php-general@lists.php.net
Subject: Re: [PHP] escaping quotes

John Holmes wrote:
 print(value=\ . $attributes[messageSubject] . \);

Slight typo there:

value=\ . ...

-- 
Like Music?
http://l-i-e.com/artists.htm




RE: [PHP] escaping quotes

2005-01-27 Thread Philip Olson

What also works is this:

 print 'value="'. $foo['bar'] . '"';

Read the manual section on strings:

 http://php.net/types.string

Regards,
Philip

On Thu, 27 Jan 2005, Giles wrote:

 Thanks, that works great.
 
 Knew that worked for JavaScript but didn't know it worked for PHP.
 
  print(value=\ . $attributes[messageSubject] . \);
 
 Slight typo there:
 
 value=\ . ...




[PHP] Escaping Regex Chars with addcslashes()

2004-09-29 Thread Nick Wilson
Hi all, 

If i want to find a url on a page, there are some chars i need to escape
right?

like '/' and '?'

do i also need to escape '.'?
Are there any other things that might pop up in a url that I can escape
with addcslashes()?

Much thanks
-- 
Nick W




Re: [PHP] Escaping Regex Chars with addcslashes()

2004-09-29 Thread Marek Kilimajer
Nick Wilson wrote:
Hi all, 

If i want to find a url on a page, there are some chars i need to escape
right?
like '/' and '?'
do i also need to escape '.'?
Are there any other things that might pop up in a url that I can escape
with addcslashes()?
Much thanks
Don't use posix regexp, but use perl compatible instead. It has
preg_quote() function that is intended for this purpose.
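
Added example (not from the thread) of the preg_quote() approach suggested above, next to a pattern that escapes only the delimiter with addcslashes(). The URL and the page fragment are constructed samples.

```php
<?php
declare(strict_types=1);

/** All literal occurrences of $url in $html. */
function findLiteral(string $html, string $url): array
{
    // Second argument: also escape the delimiter used around the pattern.
    $pattern = '/' . preg_quote($url, '/') . '/';
    preg_match_all($pattern, $html, $m);
    return $m[0];
}

/** For contrast: only '/' escaped, so '.' and '?' keep their regex meaning. */
function findDelimiterOnly(string $html, string $url): array
{
    $pattern = '/' . addcslashes($url, '/') . '/';
    preg_match_all($pattern, $html, $m);
    return $m[0];
}

// Constructed samples.
$url  = 'http://www.example.com/page.php?id=1';
$html = '<a href="http://www.example.com/page.php?id=1">wanted</a> '
      . '<a href="http://wwwXexample.com/pageXphpid=1">lookalike</a>';

echo 'quoted pattern : ', preg_quote($url, '/'), "\n";
echo 'preg_quote     : ', implode(' | ', findLiteral($html, $url)), "\n";
echo 'delimiter only : ', implode(' | ', findDelimiterOnly($html, $url)), "\n";
```

The delimiter-only pattern misses the wanted link, because `?` makes the preceding `p` optional instead of matching a question mark, and it matches the lookalike, because each `.` accepts any character.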


Re: [PHP] Escaping Regex Chars with addcslashes()

2004-09-29 Thread Nick Wilson

* and then Marek Kilimajer declared
 If i want to find a url on a page, there are some chars i need to escape
 right?
 
 like '/' and '?'
 
 do i also need to escape '.'?
 Are there any other things that might pop up in a url that I can escape
 with addcslashes()?

 Don't use posix regexp, but use perl compatible instead. It has
 preg_quote() function that is intended for this purpose.

I'll go look it up, thanks Marek ;-)


-- 
Nick W




RE: [PHP] Escaping quotes [solution]

2004-08-12 Thread Alex Hogan
[snip]
2) By not escaping quotes in the data
...
You can do it this way but you must make sure that any strings in your 
values array have been escaped before with 
[/snip]

There is no quotes in the data.  The data coming in is a $_POST array.
$dbmssql-dbinsert($_POST, $table);

However this did make me pull my head out of my...

[snip]
using str_replace("'", "''",$str) should work.
[/snip]

Justin's first post on PEAR::DB pointed me in the right direction.  The
initial method that parses out the $_POST is where I needed to add the
quotes around the values.
I sure will be glad when I don't make these kinds of simple mistakes
anymore.


Thanks guys...


alex hogan
*
The contents of this e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom it is addressed. The 
views stated herein do not necessarily represent the view of the company. If you are 
not the intended recipient of this e-mail you may not copy, forward, disclose, or 
otherwise use it or any part of it in any form whatsoever. If you have received this 
e-mail in error please e-mail the sender. 
*




[PHP] Escaping quotes

2004-08-11 Thread Alex Hogan
Hi All,

I have this expression;
$query  =   "INSERT INTO $table (%s) VALUES (%s)";
$query  =   sprintf($query, implode(",", $fld), implode(",",
$val));
$result =   mssql_query($query) or die($errmsg); 
I am trying to insert values from an array into the database.
I keep getting the error that I can't pass column names in this context.
I know it's because I'm not enclosing $val in quotes.  
I've tried a number of variations;
implode("\",\"", $val)
implode("\',\'", $val)
implode(",", "\"".$val."\"") - This blows up nicely ;-)

Where am I going wrong on this?


alex hogan

 




Re: [PHP] Escaping quotes

2004-08-11 Thread Justin Patrin
On Wed, 11 Aug 2004 19:03:32 -0500, Alex Hogan
[EMAIL PROTECTED] wrote:
 Hi All,
 
 I have this expression;
 $query  =   INSERT INTO $table (%s) VALUES (%s);
 $query  =   sprintf($query, implode(,, $fld), implode(,,
 $val));
 $result =   mssql_query($query) or die($errmsg);
 I am trying to insert values from an array into the database.
 I keep getting the error that I can't pass column names in this context.
 I know it's because I'm not enclosing $val in quotes.
 I've tried a number of variations;
 implode(\,\, $val)
 implode(\',\', $val)
 implode(,, \.$val.\) - This blows up nicely ;-)
 
 Where am I going wrong on this?
 

1) By using implode to do this
2) By not escaping quotes in the data

If you look in the PEAR::DB code, here's how they quote field names:

function quoteIdentifier($str)
{
    return '[' . str_replace(']', ']]', $str) . ']';
}

and here's how they quote values:

function quoteSmart($in)
{
    if (is_int($in) || is_double($in)) {
        return $in;
    } elseif (is_bool($in)) {
        return $in ? 1 : 0;
    } elseif (is_null($in)) {
        return 'NULL';
    } else {
        return "'" . str_replace("'", "''", $in) . "'";
    }
}


-- 
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--
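
An added sketch (not PEAR::DB code and not from the thread) of building the INSERT from a field => value array without quoting the values at all: column names come from a fixed allowlist and are bracket-quoted as in the quoteIdentifier() quoted above, and values are bound as parameters. PDO with in-memory SQLite stands in for MSSQL so that it runs offline; buildInsert(), the table and the sample form data are hypothetical.

```php
<?php
declare(strict_types=1);

/** Bracket-quote an identifier, as in the quoteIdentifier() quoted above. */
function quoteIdentifier(string $name): string
{
    return '[' . str_replace(']', ']]', $name) . ']';
}

/**
 * Hypothetical helper: returns [sql, params] for an INSERT.
 * Only columns named in $allowed are used; other keys in $data are ignored,
 * so request keys never reach the SQL text.
 */
function buildInsert(string $table, array $data, array $allowed): array
{
    $columns = [];
    $params  = [];
    foreach (array_values($allowed) as $i => $column) {
        if (!array_key_exists($column, $data)) {
            continue;
        }
        $value = $data[$column];
        if ($value !== null && !is_scalar($value)) {
            throw new InvalidArgumentException("non-scalar value for $column");
        }
        $columns[]      = quoteIdentifier($column);
        $params[":p$i"] = $value;
    }
    if ($columns === []) {
        throw new InvalidArgumentException('no permitted columns in input');
    }
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        quoteIdentifier($table),
        implode(', ', $columns),
        implode(', ', array_keys($params))
    );
    return [$sql, $params];
}

// Constructed stand-in for $_POST: a quote in a value, a field the form never
// offered, and a key that is not a column name at all.
$post = [
    'name'     => "O'Brien",
    'age'      => '40',
    'is_admin' => '1',
    'age) --'  => 'x',
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT, age INTEGER, is_admin INTEGER DEFAULT 0)');

[$sql, $params] = buildInsert('people', $post, ['name', 'age']);
$db->prepare($sql)->execute($params);

echo $sql, "\n";
echo json_encode($db->query('SELECT name, age, is_admin FROM people')
    ->fetchAll(PDO::FETCH_ASSOC)), "\n";
```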




Re: [PHP] Escaping quotes

2004-08-11 Thread Tom Rogers
Hi,

Thursday, August 12, 2004, 10:03:32 AM, you wrote:
AH Hi All,

AH I have this expression;
AH $query  =   INSERT INTO $table (%s) VALUES (%s);
AH $query  =   sprintf($query, implode(,, $fld), implode(,,
AH $val));
AH $result =   mssql_query($query) or die($errmsg); 
AH I am trying to insert values from an array into the database.
AH I keep getting the error that I can't pass column names in this context.
AH I know it's because I'm not enclosing $val in quotes.  
AH I've tried a number of variations;
AH implode(\,\, $val)
AH implode(\',\', $val)
AH implode(,, \.$val.\) - This blows up nicely ;-)

AH Where am I going wrong on this?


AH alex hogan

You can do it this way but you must make sure that any strings in your
values array have been escaped before with mysql_escape_string() and
probably trimmed as well.

$fields = array('id','name','age');
$values = array(1,'Dave',40);
$table = 'test';

$sql = sprintf("INSERT INTO %s (%s) VALUES 
('%s')",$table,implode(',',$fields),implode("','",$values));
echo $sql;


(It's perfectly ok to quote numbers)

-- 
regards,
Tom




Re: [PHP] Escaping quotes

2004-08-11 Thread Justin Patrin
On Thu, 12 Aug 2004 12:34:30 +1000, Tom Rogers [EMAIL PROTECTED] wrote:
 Hi,
 
 Thursday, August 12, 2004, 10:03:32 AM, you wrote:
 AH Hi All,
 
 AH I have this expression;
 AH $query  =   INSERT INTO $table (%s) VALUES (%s);
 AH $query  =   sprintf($query, implode(,, $fld), implode(,,
 AH $val));
 AH $result =   mssql_query($query) or die($errmsg);
 AH I am trying to insert values from an array into the database.
 AH I keep getting the error that I can't pass column names in this context.
 AH I know it's because I'm not enclosing $val in quotes.
 AH I've tried a number of variations;
 AH implode(\,\, $val)
 AH implode(\',\', $val)
 AH implode(,, \.$val.\) - This blows up nicely ;-)
 
 AH Where am I going wrong on this?
 
 AH alex hogan
 
 You can do it this way but you must make sure that any strings in your
 values array have been escaped before with mysql_escape_string() and
 probably trimmed as well.

The question was about mssql, not mysql. using str_replace("'", "''",
$str) should work.

 
 $fields = array('id','name','age');
 $values = array(1,'Dave',40);
 $table = 'test';
 
 $sql = sprintf(INSERT INTO %s (%s) VALUES 
 ('%s'),$table,implode(',',$fields),implode(',',$values));
 echo $sql;
 
 (It's perfectly ok to quote numbers)
 
-- 
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--




[PHP] Escaping php content output for valid html

2004-04-16 Thread Merlin
Hi there,

I am just validating html generated by a php page. There is an error which comes
up if there is a dash in the content text. Those characters come out of a database.
Is there a command in php which is escaping those characters for valid html output?
Something like urlencode, but for text escaping all such signs?
Here is the error msg: non SGML character number 150
This is the text: normal  text
Thanx in advance,

Merlin



Re: [PHP] Escaping php content output for valid html

2004-04-16 Thread Lowell Allen
On Apr 16, 2004, at 3:40 AM, Merlin wrote:

Hi there,

I am just validating html generated by a php page. There is an error 
which comes
up if there is a dash in the content text. Those characters come out of 
a database.
Is there a command in php which is escaping those characters for valid 
html output?
Something like urlencode, but for text escaping all such signs?

Here is the error msg: non SGML character number 150
This is the text: normal  text
If the text is coming from a database, how did the invalid character 
get into the text in the first place? It sounds like the problem is 
with the original HTML editor, not with PHP. For example, the current 
version of Adobe GoLive still uses the invalid code &#150; for an en 
dash (the valid code is &#8211;). A good reference chart for correct 
character entities is here -- 
http://www.roselli.org/adrian/articles/character_charts.asp.

You could set up str_replace() translations to correct invalid 
character entity codes before displaying.

--
Lowell Allen


Re: [PHP] Escaping php content output for valid html

2004-04-16 Thread Merlin
Lowell Allen wrote:

On Apr 16, 2004, at 3:40 AM, Merlin wrote:

Hi there,

I am just validating html generated by a php page. There is an error 
which comes
up if there is a dash in the content text. Those characters come out of 
a database.
Is there a command in php which is escaping those characters for valid 
html output?
Something like urlencode, but for text escaping all such signs?

Here is the error msg: non SGML character number 150
This is the text: normal  text


If the text is coming from a database, how did the invalid character get 
into the text in the first place? It sounds like the problem is with the 
original HTML editor, not with PHP. For example, the current version of 
Adobe GoLive still uses the invalid code &#150; for an en dash (the 
valid code is &#8211;). A good reference chart for correct character 
entities is here -- 
http://www.roselli.org/adrian/articles/character_charts.asp.

You could set up str_replace() translations to correct invalid character 
entity codes before displaying.

--
Lowell Allen


hmm so you would suggest to save the entity code directly to the database 
in the first place? What happens if I want to use the text for something else,
lets say print outs, or the entity code changes over the years, respectively the
browsers coming up with new technologies and dropping the old standards?

Another thing I do not understand concerning php, if this is that important, why
is there not a function who does this? something like ent_replace()? Do I have
to write a str_replace statement for all the entity characters? If yes, does
anybody already have such a code line? It sounds to me that this is like inventing
the wheel over and over again?
regards,

Merlin



Re: [PHP] Escaping php content output for valid html

2004-04-16 Thread Jason Wong
On Friday 16 April 2004 20:19, Merlin wrote:

 hmm so you would suggest to save the entity code directly to the database
 in the first place? 

If the data is mainly displayed as HTML then yes, store the HTML entities and 
do a conversion when you want plain text or whatever.

 What happens if I want to use the text for something
 else, lets say print outs, or the entity code changes over the years,
 respectively the browsers comming up with new technologies and dropping the
 old standards?

Do a conversion.

 Another thing I do not understand concerning php, if this is that
 important, why is there not a function who does this? something like
 ent_replace()? Do I have to write a str_replace statement for all the
 entity characters? If yes, does anybody already have such a code line? It
 sounds to me that this is like inventing the wheel over and over again?

Well if PHP had a function for everything that could be done in a line or two 
of code then it would have more functions than I could count on my fingers 
and toes.

This might help, get_html_translation_table().

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
Words have a longer life than deeds.
-- Pindar
*/
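
Added example (not from the thread) for the "non SGML character number 150" error discussed above: byte 150 (0x96) is the en dash in Windows-1252, so this assumes the stored text is Windows-1252, converts it to UTF-8, escapes markup characters and then writes every non-ASCII character as a numeric reference such as &#8211;. The sample strings are constructed and the mbstring extension is required.

```php
<?php
declare(strict_types=1);

/** Windows-1252 text from storage -> ASCII-only HTML text. */
function cp1252ToHtml(string $raw): string
{
    // 1. Decode: byte 0x96 becomes U+2013 (en dash), 0x93/0x94 the curly
    //    double quotes, and so on.
    $utf8 = mb_convert_encoding($raw, 'UTF-8', 'Windows-1252');

    // 2. Escape markup characters first, so the '&' of the references added
    //    in step 3 is not escaped a second time.
    $escaped = htmlspecialchars($utf8, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 3. Every code point from U+0080 upwards becomes a decimal reference.
    $map = [0x80, 0x10FFFF, 0, 0x1FFFFF];
    return mb_encode_numericentity($escaped, $map, 'UTF-8');
}

// Constructed samples, written as byte escapes so this file stays ASCII.
$samples = [
    "normal \x96 text",
    "\x93quoted\x94 & <b>bold</b>",
    "caf\xE9 \x80 5",
];

foreach ($samples as $raw) {
    printf("%-44s => %s\n", bin2hex($raw), cp1252ToHtml($raw));
}
```

Doing the conversion at output time keeps the stored text free of HTML entities, which addresses the concern raised earlier in the thread about reusing it for print-outs.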




Re: [PHP] escaping ' when inside a

2003-11-18 Thread Curt Zirzow
* Thus wrote Marek Kilimajer ([EMAIL PROTECTED]):
 Adam Williams wrote:
 If I have the SQL statement:
 
 $sql = select subject from subwhile where subject = '*$var[0]*';
 
 Don't you want to do:
 $sql = select subject from subwhile where subject LIKE '%$var[0]%';

I think more precisely:
$sql = "select subject from subwhile where subject LIKE '%{$var[0]}%'";


Curt
-- 
My PHP key is worn out

  PHP List stats since 1997: 
http://zirzow.dyndns.org/html/mlists/




Re: [PHP] escaping ' when inside a

2003-11-18 Thread Marek Kilimajer
Curt Zirzow wrote:
Don't you want to do:
$sql = select subject from subwhile where subject LIKE '%$var[0]%';


I think more precisely:
$sql = select subject from subwhile where subject LIKE '%{$var[0]}%';
Either will work, as will
$sql = "... subject LIKE '%$var[string_index]%'";


[PHP] escaping ' when inside a

2003-11-17 Thread Adam Williams
If I have the SQL statement:

$sql = "select subject from subwhile where subject = '*$var[0]*'";

do I need to put a \ before each '?




Re: [PHP] escaping ' when inside a

2003-11-17 Thread David T-G
Adam --

...and then Adam Williams said...
% 
% If I have the SQL statement:
% 
% $sql = select subject from subwhile where subject = '*$var[0]*';
% 
% do I need to put a \ before each '?

1) You should have just tried it.

2) No.


You owe the Newbie Guide a paragraph on quoting and escaping.

HAND

:-D
-- 
David T-G  * There is too much animal courage in 
(play) [EMAIL PROTECTED] * society and not sufficient moral courage.
(work) [EMAIL PROTECTED]  -- Mary Baker Eddy, Science and Health
http://justpickone.org/davidtg/  Shpx gur Pbzzhavpngvbaf Qrprapl Npg!





Re: [PHP] escaping ' when inside a

2003-11-17 Thread Marek Kilimajer
Adam Williams wrote:
If I have the SQL statement:

$sql = select subject from subwhile where subject = '*$var[0]*';
Don't you want to do:
$sql = "select subject from subwhile where subject LIKE '%$var[0]%'";


RE: [PHP] escaping ' when inside a

2003-11-17 Thread Jay Blanchard
[snip]
 If I have the SQL statement:
 
 $sql = select subject from subwhile where subject = '*$var[0]*';

Don't you want to do:
$sql = select subject from subwhile where subject LIKE '%$var[0]%';
[/snip]

Not if the variable is exactly what he is looking for.




Re: [PHP] escaping ' when inside a

2003-11-17 Thread Adam Williams
Yeah that's what I meant to do, my PHP is very rusty if you can't tell 
(and so is my SQL) :)

Jay Blanchard wrote:

[snip]

If I have the SQL statement:

$sql = select subject from subwhile where subject = '*$var[0]*';


Don't you want to do:
$sql = select subject from subwhile where subject LIKE '%$var[0]%';
[/snip]
Not if the variable is exactly what he is looking for.



RE: [PHP] Escaping the ' character

2003-09-11 Thread Chris W. Parker
Dan Anderson mailto:[EMAIL PROTECTED]
on Wednesday, September 10, 2003 5:17 PM said:

 If you don't like somebody's post just ignore it.  I'd bet your 2 cents
 that you don't find every post to this list interesting.  Do you reply
 to those people and ask them to not post stuff that doesn't interest
 you?

Dan,

You've completely misread and misinterpreted Robert's comments. He
didn't say he didn't want to read posts he wasn't interested in and he
didn't ask the poster to not post things he wasn't interested in
reading. He DID however request that people not send html emails to the
list.

How the heck did you turn a request for no html emails into a request
for people to not post things Robert is uninterested in??



Chris.




RE: [PHP] Escaping the ' character

2003-09-11 Thread Dan Anderson
 You've completely misread and misinterpreted Robert's comments. He
 didn't say he didn't want to read posts he wasn't interested in and he
 didn't ask the poster to not post things he wasn't interested in
 reading. He DID however request that people not send html emails to the
 list.

Oh wait, he means HTML e-mails?  I thought he meant posts regarding to
HTML.  Please disregard my previous posts.

lower_flamethrower();

-Dan




RE: [PHP] Escaping the ' character

2003-09-11 Thread Robert Cummings
*chuckle* this explains your responses to me. In this new light I
apologize for my condescending responses.

Cheers,
Rob.


On Thu, 2003-09-11 at 20:17, Dan Anderson wrote:
  You've completely misread and misinterpreted Robert's comments. He
  didn't say he didn't want to read posts he wasn't interested in and he
  didn't ask the poster to not post things he wasn't interested in
  reading. He DID however request that people not send html emails to the
  list.
 
 Oh wait, he means HTML e-mails?  I thought he meant posts regarding to
 HTML.  Please disregard my previous posts.
 
 lower_flamethrower();
 
 -Dan
 
 
 
-- 
.-.
| Worlds of Carnage - http://www.wocmud.org   |
:-:
| Come visit a world of myth and legend where |
| fantastical creatures come to life and the  |
| stuff of nightmares grasp for your soul.|
`-'




[PHP] Escaping the ' character

2003-09-10 Thread Todd Cary




I need to print the following:

onClick="MM_openBrWindow('http://www.gilardi.com/pdf/gwyt1poc.pdf','','')"

and I am not sure how to escape the " ' " characters.

Actually, the 'http://www.gilardi.com/pdf/gwyt1poc.pdf' will be a
variable, $url.

Can someone point me toward some docs on this?

Many thanks!

Todd
-- 



inline: NewLogo.gif

Re: [PHP] Escaping the ' character

2003-09-10 Thread Mike Migurski
> I need to print the following:
>
> onClick="MM_openBrWindow('http://www.gilardi.com/pdf/gwyt1poc.pdf','','')"
>
> and I am not sure how to escape the " ' " characters.

with a slash.
http://www.google.com/search?q=php+single+quote+escape+site%3Aphp.net

-
michal migurski- contact info and pgp key:
sf/cahttp://mike.teczno.com/contact.html




Re: [PHP] Escaping the ' character

2003-09-10 Thread Robert Cummings
I believe the general posting guidelines discourage posting HTML to
mailing lists, and to be quite honest many of us pay for our bandwidth
and don't need your 8k image eating up resources.

2 cents,
Rob.


On Wed, 2003-09-10 at 13:27, Todd Cary wrote:
 I need to print the following:
 
 onClick="MM_openBrWindow('http://www.gilardi.com/pdf/gwyt1poc.pdf','','')"
 
 and I am not sure how to escape the " ' " characters.
 
 Actually, the 'http://www.gilardi.com/pdf/gwyt1poc.pdf' will be a 
 variable, $url.
 
 Can someone point me toward some docs on this?
 
 Many thanks!
 
 Todd
 -- 
-- 
.-.
| Worlds of Carnage - http://www.wocmud.org   |
:-:
| Come visit a world of myth and legend where |
| fantastical creatures come to life and the  |
| stuff of nightmares grasp for your soul.|
`-'




Re: [PHP] Escaping the ' character

2003-09-10 Thread murugesan



Try this

?php$url="";echo "a href=# 
asd/a";?
HTH
-Murugesan

  - Original Message -
  From: Todd Cary
  To: [EMAIL PROTECTED]
  Sent: Wednesday, September 10, 2003 10:57 PM
  Subject: [PHP] Escaping the " ' " character

  I need to print the following:

  onClick="MM_openBrWindow('http://www.gilardi.com/pdf/gwyt1poc.pdf','','')"

  and I am not sure how to escape the " ' " characters.

  Actually, the 'http://www.gilardi.com/pdf/gwyt1poc.pdf' will be a variable, $url.

  Can someone point me toward some docs on this?

  Many thanks!

  Todd
  --


Re: [PHP] Escaping the ' character

2003-09-10 Thread Dan Anderson
 I believe the general posting guidelines discourage posting HTML to
 mailing lists, and to be quite honest many of us pay for our bandwidth
 and don't need your 8k image eating up resources.

If you don't like somebody's post just ignore it.  I'd bet your 2 cents
that you don't find every post to this list interesting.  Do you reply
to those people and ask them to not post stuff that doesn't interest
you?

IMHO if people have questions about non PHP stuff that is related (like
HTML or javascript) I think they should feel free to post to the
listserv.  I've done it (sometimes google is no help) and it's helped me
out big time, and I have no problems helping people out who do it.  It's
like, scratch my back and I'll scratch yours.  That's why I post on this
listserv.  It helps me and I help others on it.  And that's the way it
should be.

-Dan




Re: [PHP] Escaping the ' character

2003-09-10 Thread Robert Cummings
Funny, I could swear I made a comment about bandwidth not topic. You
should go read my original message, then read the guidelines, then
wonder to yourself if you are all alone in this world -- if you by
chance find that you're not in your own little world, perhaps you see
why guidelines posted for everyone, aren't about you or me in
particular.

Cheers,
Rob.

On Wed, 2003-09-10 at 20:17, Dan Anderson wrote:
  I believe the general posting guidelines discourage posting HTML to
  mailing lists, and to be quite honest many of us pay for our bandwidth
  and don't need your 8k image eating up resources.
 
 If you don't like somebody's post just ignore it.  I'd bet your 2 cents
 that you don't find every post to this list interesting.  Do you reply
 to those people and ask them to not post stuff that doesn't interest
 you?
 
 IMHO if people have questions about non PHP stuff that is related (like
 HTML or javascript) I think they should feel free to post to the
 listserv.  I've done it (sometimes google is no help) and it's helped me
 out big time, and I have no problems helping people out who do it.  It's
 like, scratch my back and I'll scratch yours.  That's why I post on this
 listserv.  It helps me and I help others on it.  And that's the way it
 should be.
 
 -Dan
 
 
-- 
.-.
| Worlds of Carnage - http://www.wocmud.org   |
:-:
| Come visit a world of myth and legend where |
| fantastical creatures come to life and the  |
| stuff of nightmares grasp for your soul.|
`-'




[PHP] Escaping nasty quotes

2003-07-31 Thread Roy W
I have this:
 
$query = "LOAD DATA LOCAL INFILE '/home/data.txt' INTO TABLE mytable FIELDS
TERMINATED BY ',' ENCLOSED BY '" . '"' . "' ";
$result = MYSQL_QUERY($query);
PRINT "<br>$query2<br>";

The query doesn't take ... but if I cut and paste the printed response into
the mysql server manually ... works like a charm
 
:-(


RE: [PHP] Escaping nasty quotes

2003-07-31 Thread Jay Blanchard
[snip]
$query = "LOAD DATA LOCAL INFILE '/home/data.txt' INTO TABLE mytable
FIELDS TERMINATED BY ',' ENCLOSED BY '" . '"' . "' ";
[/snip]

try ...

$query = "LOAD DATA LOCAL INFILE '/home/data.txt' INTO TABLE mytable
FIELDS TERMINATED BY ',' ENCLOSED BY '"' ";

The period concats were not needed.




Re: [PHP] Escaping nasty quotes

2003-07-31 Thread Chris Shiflett
--- Roy W [EMAIL PROTECTED] wrote:
 The query doesn't take ... but if I cut and paste the printed
 response into the mysql server manually ... works like a charm

http://www.php.net/addslashes

Chris

=
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/




RE: [PHP] Escaping nasty quotes

2003-07-31 Thread Roy W
Sorry...Because of the double quote near the ENCLOSED BY .. It delivers a
PARSE ERROR

?



-Original Message-
From: Jay Blanchard [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 31, 2003 12:38 PM
To: Roy W; [EMAIL PROTECTED]
Subject: RE: [PHP] Escaping nasty quotes


[snip]
$query = "LOAD DATA LOCAL INFILE '/home/data.txt' INTO TABLE mytable FIELDS
TERMINATED BY ',' ENCLOSED BY '" . '"' . "' ";
[/snip]

try ...

$query = "LOAD DATA LOCAL INFILE '/home/data.txt' INTO TABLE mytable FIELDS
TERMINATED BY ',' ENCLOSED BY '"' ";

The period concats were not needed.







RE: [PHP] Escaping nasty quotes

2003-07-31 Thread Roy W
Thanks, Chris.  But I kept what I had and then just added:

$query = addslashes($query);

Doesn't return an error.. But doesn't complete the task.

:-(


-Original Message-
From: Chris Shiflett [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 31, 2003 12:39 PM
To: Roy W; [EMAIL PROTECTED]
Subject: Re: [PHP] Escaping nasty quotes


--- Roy W [EMAIL PROTECTED] wrote:
 The query doesn't take ... but if I cut and paste the printed response 
 into the mysql server manually ... works like a charm

http://www.php.net/addslashes

Chris

=
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/






RE: [PHP] Escaping nasty quotes

2003-07-31 Thread Jay Blanchard
[snip]
Sorry...Because of the double quote near the ENCLOSED BY .. It delivers
a
PARSE ERROR

$query = "LOAD DATA LOCAL INFILE '/home/data.txt' INTO TABLE mytable
FIELDS TERMINATED BY ',' ENCLOSED BY '"' ";
[/snip]

Are the fields enclosed by a quote? If not...

$query = "LOAD DATA LOCAL INFILE '/home/data.txt' INTO TABLE mytable
FIELDS TERMINATED BY ',' ENCLOSED BY '' ";




RE: [PHP] Escaping nasty quotes

2003-07-31 Thread Roy W
Unfortunately, they are indeed enclosed by double quotes

Roy

-Original Message-
From: Jay Blanchard [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 31, 2003 12:58 PM
To: Roy W; [EMAIL PROTECTED]
Subject: RE: [PHP] Escaping nasty quotes


[snip]
Sorry...Because of the double quote near the ENCLOSED BY .. It delivers a
PARSE ERROR

$query = "LOAD DATA LOCAL INFILE '/home/data.txt' INTO TABLE mytable FIELDS
TERMINATED BY ',' ENCLOSED BY '"' ";
[/snip]

Are the fields enclosed by a quote? If not...

$query = "LOAD DATA LOCAL INFILE '/home/data.txt' INTO TABLE mytable FIELDS
TERMINATED BY ',' ENCLOSED BY '' ";






RE: [PHP] Escaping nasty quotes

2003-07-31 Thread Jay Blanchard
[snip]
Unfortunately, they are indeed enclosed by double quotes
[/snip]

Can you show us a snippet of data.txt?





RE: [PHP] Escaping nasty quotes

2003-07-31 Thread Jennifer Goodie
> I have this:
>
> $query = "LOAD DATA LOCAL INFILE '/home/data.txt' INTO TABLE mytable FIELDS
> TERMINATED BY ',' ENCLOSED BY '" . '"' . "' ";
> $result = MYSQL_QUERY($query);
> PRINT "<br>$query2<br>";
>
> The query doesn't take ... but if I cut and paste the printed response into
> the mysql server manually ... works like a charm

What error do you get from mysql_error()?  Are you using the same user in
both shell and script?  If not does the script user have the proper
permissions?





Re: [PHP] Escaping nasty quotes

2003-07-31 Thread Matthew Vos
On Thu, 2003-07-31 at 14:31, Roy W wrote:
> I have this:
>
> $query = "LOAD DATA LOCAL INFILE '/home/data.txt' INTO TABLE mytable FIELDS
> TERMINATED BY ',' ENCLOSED BY '" . '"' . "' ";
> $result = MYSQL_QUERY($query);
> PRINT "<br>$query2<br>";
>
> The query doesn't take ... but if I cut and paste the printed response into
> the mysql server manually ... works like a charm
>
> :-(

Try this:

$query = "LOAD DATA LOCAL INFILE '/home/data.txt' INTO TABLE mytable
FIELDS TERMINATED BY ',' ENCLOSED BY '\"' ";

It'll get rid of your parse error

Matt




RE: [PHP] escaping quotes for redisplay

2003-02-19 Thread Ford, Mike [LSS]
 -Original Message-
 From: Erik Price [mailto:[EMAIL PROTECTED]]
 Sent: 18 February 2003 18:11
 
 PS: I am using htmlentities() on the output before displaying 
 it in the 
 browser, but it doesn't apply to singlequotes.

Ahem!  I quote from http://www.php.net/manual/en/function.htmlentities.php:

 ... the optional second quote_style parameter lets you define
 what will be done with 'single' and "double" quotes. It takes
 on one of three constants with the default being ENT_COMPAT:

 Constant Name  Description
 ENT_COMPAT     Will convert double-quotes and leave single-quotes alone.
 ENT_QUOTES     Will convert both double and single quotes.
 ENT_NOQUOTES   Will leave both double and single quotes unconverted.

So just use htmlentities($output, ENT_QUOTES).

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning  Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211






[PHP] escaping quotes for redisplay

2003-02-18 Thread Erik Price
Hi,

I am running into a problem, that I'm certain I've had before but for 
some reason don't remember how to handle.  If anyone can advise me on 
what to do here, that would be great.

I have a PHP script that accepts some user input and validates it, and 
if the validation fails, it re-displays the form.  In the form, the 
text fields' value attributes are set to the user's input so that the 
user doesn't have to fill everything out again.  The whole system works 
great, and I'm sure you've all seen it a hundred times before.

The problem happens when a user enters a single quote, such as in the 
string O'Reilly.  Re-displaying this value in the value attribute 
of the form, like this:

  <input type='text' name='publisher' value='O'Reilly' />

is clearly invalid HTML, and it shows when the page is rendered in the 
user's browser (only the O gets through).

If I turn on magic_quotes_gpc or use addslashes, the output is like so:

  <input type='text' name='publisher' value='O\'Reilly' />

And of course, when rendered, simply allows the O\ to get through.

I can solve this problem by using double-quotes instead of 
single-quotes for my attributes, and that is probably what I'm going to 
have to do.  However, this means I can't let users enter double quotes, 
or the same thing will happen.  In other fields, double-quotes might be 
necessary.  Is there any other solution?

Thanks,

Erik

PS: I am using htmlentities() on the output before displaying it in the 
browser, but it doesn't apply to singlequotes.  I suppose I could 
str_replace it, but I'm wondering how other people handle this 
situation






--
Erik Price

email: [EMAIL PROTECTED]
jabber: [EMAIL PROTECTED]





Re: [PHP] escaping quotes for redisplay

2003-02-18 Thread David Otton
On Tue, 18 Feb 2003 13:10:33 -0500, you wrote:

>  <input type='text' name='publisher' value='O'Reilly' />

<input type="text" name="blah" value="aa&quot;aa">






[PHP] Escaping Chars

2003-02-07 Thread Rob Walls
I need to get a password value from a form, store it in a database and then
later be able to compare a login password to the one stored in the db.
This works great unless the password contains the '\' char.
magic_quotes_gpc is ON and magic_quotes_runtime is OFF.
As a kludge, I tried just removing slashes from the input password using
stripslashes() before storing it in the db and then testing to see if
stripslashes(val from db)=stripslashes(val from form) in the login test to
see if they match.  (the user shouldn't even know that slashes are being
stripped, so I have to strip them on each input).  They still don't match if
a slash is input for the original password storage, but I don't know why.

However, instead of this work-around (that doesn't even work), what I'd
really like to do is allow ANY character in the password, but take care of
all the quoting and escaping along the way (both ways...).

How is the best way to do that?
Thanks,
[EMAIL PROTECTED]







RE: [PHP] Escaping Chars

2003-02-07 Thread John W. Holmes
 I need to get a password value from a form, store it in a database and
 then
 later be able to compare a login password to the one stored in the db.
 This works great unless the password contains the '\' char.
 magic_quotes_gpc is ON and magic_quotes_runtime is OFF.
 As a klude, I tried just removing slashes from the input password
using
 stripslashes() before storing it in the db and then testing to see if
 stripslashes(val from db)=stripslashes(val from form) in the login
test to
 see if they match.  (the user shouldn't even know that slashes are
being
 striped, so I have to strip them on each input).  They still don't
match
 if
 a slash is input for the original password storage, but I don't know
why.

Okay... you want the slash or escape character there when you insert
it into the database. But, since it's an escape character, it doesn't
actually go into the data of the database. If you put O'Kelly into your
form, magic_quotes_gpc will turn it into O\'Kelly. If you insert that
into the database, it'll use the \ as an escape character and the data
in the database will actually be just O'Kelly. With magic_quotes_runtime
OFF, that's exactly what you'll draw out of the database, too. So, if
you want to compare a form submitted value to a value drawn out of the
database, you have to use stripslashes() on the form data first. 

A better option overall is to just do it in your query.

SELECT * FROM table WHERE user = '{$_POST['user']}' and password =
'{$_POST['password']}'

Where your form is method=POST... If a row is returned, the username and
password matched. If no row is returned, then one or both didn't match. 

---John Holmes...

PS: Just noticed the .af.mil address. Do you do any PHP programming for
the AirForce or is this on your own?
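
The password round trip discussed in this thread, as an added example that is not code from any poster: bound parameters keep the value out of the SQL text, so a password such as 123\/' is stored and compared without addslashes(), stripslashes() or magic_quotes. It goes one step beyond the thread by storing a password_hash() value rather than the password itself; the users table, its columns, the helper names and the in-memory SQLite database (standing in for MySQL) are assumptions.

```php
<?php
// Added example, not code from the thread. Table, columns and function names
// are hypothetical; in-memory SQLite (pdo_sqlite) stands in for MySQL so the
// script runs offline.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

/** Store a salted hash of the password; the raw value never becomes SQL text. */
function register_user(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

/** True only when the user exists and the password matches the stored hash. */
function check_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched the username.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample accounts; the first password is the 123\/' value from the thread.
$samples = [
    'rob'   => "123\\/'",
    'kelly' => "O'Kelly",
    'quote' => 'say "hi" \\ bye',
];

foreach ($samples as $user => $password) {
    register_user($pdo, $user, $password);
}

foreach ($samples as $user => $password) {
    printf(
        "%-6s exact password: %-5s  reversed password: %s\n",
        $user,
        var_export(check_login($pdo, $user, $password), true),
        var_export(check_login($pdo, $user, strrev($password)), true)
    );
}

// A username containing a quote is compared as data, not parsed as SQL.
printf("unknown user o'brien: %s\n", var_export(check_login($pdo, "o'brien", 'x'), true));
```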







RE: [PHP] Escaping Chars

2003-02-07 Thread Walls Rob W Contr 75 CS/SCBS
Thanks for the reply, but I still can't seem to make the connection...
If I enter the value 
123\/'
in a web form and put the form post value directly into the db (no
stripslashes or any other function), the value as reported by the db at a
command line query is 
123\/'
(it LOOKS like the same value that was entered), but to get it to return
that value, at the command prompt, I have to enter 
select * from users where password = 123/\';. 
OK, that makes sense. You have to 'slash' or escape every escape or
delimiter character.  So, the value is apparently getting into the db
properly. Now, when I enter that same value (minus the outside quotes) into
the form field and then compare that with the value in the db, they don't
match.
I've tried add and strip slashes in various combinations, but that makes no
difference. I suspect there are some HTML entities or some other odd URL
encoding problem???  My app has a feature that will remind a user of their
password. This returns in an email exactly what I'd expect, that is, 
123\/'
I can't see how to make the round trip from the original input into the db
and then back out again intact so it will 'match itself'...
That behavior doesn't seem to match the magic_quotes docs.   

My current project is the first real app I have done for the Air Force in
PHP. Most of the PHP work I have done is for query only db interfaces,
counters, REMOTE_HOST tests for dynamic links or doing form-to-email type
stuff.  Entering data INTO a db adds a whole new set of challenges.

I'd appreciate any other advice or clarification you could offer.
Thanks,

-Original Message-
From: John W. Holmes [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 07, 2003 4:25 PM
To: 'Rob Walls'; [EMAIL PROTECTED]
Subject: RE: [PHP] Escaping Chars


 I need to get a password value from a form, store it in a database and
 then
 later be able to compare a login password to the one stored in the db.
 This works great unless the password contains the '\' char.
 magic_quotes_gpc is ON and magic_quotes_runtime is OFF.
 As a klude, I tried just removing slashes from the input password
using
 stripslashes() before storing it in the db and then testing to see if
 stripslashes(val from db)=stripslashes(val from form) in the login
test to
 see if they match.  (the user shouldn't even know that slashes are
being
 striped, so I have to strip them on each input).  They still don't
match
 if
 a slash is input for the original password storage, but I don't know
why.

Okay... you want the slash or escape character there when you insert
it into the database. But, since it's an escape character, it doesn't
actually go into the data of the database. If you put O'Kelly into your
form, magic_quotes_gpc will turn it into O\'Kelly. If you insert that
into the database, it'll use the \ as an escape character and the data
in the database will actually be just O'Kelly. With magic_quotes_runtime
OFF, that's exactly what you'll draw out of the database, too. So, if
you want to compare a form submitted value to a value drawn out of the
database, you have to use stripslashes() on the form data first. 

A better option overall is to just do it in your query.

SELECT * FROM table WHERE user = '{$_POST['user']}' and password =
'{$_POST['password']}'

Where your form is method=POST... If a row is returned, the username and
password matched. If no row is returned, then one or both didn't match. 

---John Holmes...

PS: Just noticed the .af.mil address. Do you do any PHP programming for
the AirForce or is this on your own?






RE: [PHP] Escaping Chars

2003-02-07 Thread John W. Holmes
 Thanks for the reply, but I still can't seem to make the connection...
 If I enter the value
 123\/'
 in a web form and put the form post value directly into the db (no
 stripslashes or any other function), the value as reported by the db
at a
 command line query is
 123\/'

That's not right. If you insert, exactly, 123\/' into a database, the
value in the table, as returned by a query from the command line, will
be 123/'

From the command line, to see what I mean, actually insert 123\/' into
a table and then select * from that table...

Somehow it is getting escaped twice. 

Can you show your code that processes all of this?

I've got a secret security clearance, if that matters. ;)

 My current project is the first real app I have done for the Air Force
in
 PHP. Most of the PHP work I have done is for query only db interfaces,
 counters, REMOTE_HOST tests for dynamic links or doing form-to-email
type
 stuff.  Entering data INTO a db adds a whole new set of challenges.

It's great that they're actually using PHP. I had to do quite a bit of
educating and convincing to get the Army to use PHP at my Post. 

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy
today. http://www.phparch.com/







[PHP] escaping quotes in mail() message

2003-02-03 Thread Lowell Allen
I'm having a problem escaping double quotes in email messages sent with
mail(). The message is built as a string and assigned to a variable and the
variable name is passed to the mail function.

The double quotes appear correctly in a simple test like this:
$message = "This message uses 'single' and \"double\" quotes.";
mail($sendto, $subject, $message, $headers);

But if $message is built in another part of the script and passed as a
hidden input of a form, the email arrives with the message truncated at the
first double quote encountered. If I do a str_replace() on $message to
escape double quotes, the email shows the escaping backslash but is still
truncated at the double quote!

I've got magic_quotes on, but I think I'm keeping up with stripslashes
because single quotes are showing up correctly.

Can anyone please advise?

--
Lowell Allen






Re: [PHP] escaping quotes in mail() message

2003-02-03 Thread 1LT John W. Holmes
 I'm having a problem escaping double quotes in email messages sent with
 mail(). The message is built as a string and assigned to a variable and
the
 variable name is passed to the mail function.

 The double quotes appear correctly in a simple test like this:
 $message = "This message uses 'single' and \"double\" quotes.";
 mail($sendto, $subject, $message, $headers);

 But if $message is built in another part of the script and passed as a
 hidden input of a form, the email arrives with the message truncated at
the
 first double quote encountered. If I do a str_replace() on $message to
 escape double quotes, the email shows the escaping backslash but is still
 truncated at the double quote!

 I've got magic_quotes on, but I think I'm keeping up with stripslashes
 because single quotes are showing up correctly.

 Can anyone please advise?

You can't escape double quotes in HTML... it doesn't understand.

So, you're ending up with a hidden element like this:

<input type="hidden" name="whatever" value="This message uses 'single' and \"double\" quotes.">

HTML will cut it off at the first " because it doesn't recognize the escape
character.

The way around this is to use htmlentities() or htmlspecialchars() on your
string before you insert it into the value attribute of your form element.
It will come out decoded on the other side, so you don't have to worry
about that.

Hope that helps.

---John Holmes...
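
The attribute escaping described in this reply, and in the earlier "escaping quotes for redisplay" thread, as an added example that is not code from either thread: each value is written into an input tag raw and escaped, in both quote styles, and the tag is then parsed to see which value attribute comes back. The helper names attr() and parsed_value() and the field name are assumptions; the sample values are the ones quoted in the two threads.

```php
<?php
// Added example, not code from the thread; attr() and parsed_value() are
// hypothetical helper names. Requires the DOM extension.
declare(strict_types=1);

/** Escape a value for a quoted HTML attribute, whichever quote style encloses it. */
function attr(string $value): string
{
    // ENT_QUOTES converts both ' and "; the older default, ENT_COMPAT, leaves ' alone.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Parse a tag with an HTML parser and return the value attribute it ends up with. */
function parsed_value(string $inputTag): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // the raw variants are malformed on purpose
    $doc->loadHTML('<!DOCTYPE html><html><body><form>' . $inputTag . '</form></body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input instanceof DOMElement ? $input->getAttribute('value') : '';
}

// Sample values taken from the two threads.
$values = [
    "O'Reilly",
    'This message uses \'single\' and "double" quotes.',
];

foreach ($values as $value) {
    foreach (["'", '"'] as $q) {
        $variants = [
            'raw'     => "<input type={$q}text{$q} name={$q}field{$q} value={$q}{$value}{$q} />",
            'escaped' => "<input type={$q}text{$q} name={$q}field{$q} value={$q}" . attr($value) . "{$q} />",
        ];
        foreach ($variants as $label => $tag) {
            $seen = parsed_value($tag);
            printf(
                "%-7s %s\n        parsed value: %s  [%s]\n",
                $label,
                $tag,
                var_export($seen, true),
                $seen === $value ? 'intact' : 'damaged'
            );
        }
    }
}
```

The raw form only survives when the value happens not to contain the enclosing quote character; the escaped form survives in every combination because the parser decodes the entities back to the original characters.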






Re: [PHP] escaping quotes in mail() message

2003-02-03 Thread Lowell Allen
 From: 1LT John W. Holmes [EMAIL PROTECTED]
 
 I'm having a problem escaping double quotes in email messages sent with
 mail(). The message is built as a string and assigned to a variable and
 the
 variable name is passed to the mail function.
 
 The double quotes appear correctly in a simple test like this:
 $message = "This message uses 'single' and \"double\" quotes.";
 mail($sendto, $subject, $message, $headers);
 
 But if $message is built in another part of the script and passed as a
 hidden input of a form, the email arrives with the message truncated at
 the
 first double quote encountered. If I do a str_replace() on $message to
 escape double quotes, the email shows the escaping backslash but is still
 truncated at the double quote!

[snip]

 The way around this is to use htmlentities() or htmlspecialchars() on your
 string before you insert it into the value attribute of your form element.
 It will come out decoded on the other side, so you don't have to worry
 about that.

John, thanks for the fine reply -- problem solved!

--
Lowell Allen






RE: [PHP] Escaping '#' Sign

2002-12-13 Thread Ford, Mike [LSS]
 -Original Message-
 From: Mike Smith [mailto:[EMAIL PROTECTED]]
 Sent: 12 December 2002 14:47
 
 Rendered results of a href... =
 
 http://company.com/custmaint.php?id=70&class=&cust=company 
 T/T #29&type=OEM
 
 id is the record id
 class is Null so that's OK.
 cust=company T/T #29
 type=OEM
 
 I present the info in a form...
 
 echo "<td>\n";
 echo "<input type=\"text\" name=\"cust\" value=\"$cust\">\n";
 echo "</td>\n";
 
 This gives me:
 ++
 |company T/T |
 ++
 *Note lack of #29 which I do see in the HTML table. If I save 
 (UPDATE WHERE
 id=$id) this record cust will now be company T/T
 
 All the other fields fill in correctly. Is it seeing the # as 
 a comment?

Nope -- as an anchor name.  Written like this, you're telling your browser
to load the page identified by
http://company.com/custmaint.php?id=70&class=&cust=company T/T (which, by
the way, is probably invalid in itself, but we'll come to that!), and then
go to the anchor named 29&type=OEM on that page.

What you need to do is urlencode() the value of the cust parameter before
inserting it in your A href= tag, so that any characters which might
cause problems (such as # or &, or even space) don't appear in the rendered
URL, but instead are encoded as a %xx value (or maybe + for a space -- can't
remember which urlencode() does).  This is all you need to do -- as it's a
URL, it automatically gets URL-decoded by the Web server before being passed
to your script, so you should see what you want.  (But don't forget to
re-urlencode it if you need to pass it on in another URL!)

Hope this helps!
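
The effect described in this reply, as an added example that is not code from the thread: the same four parameters are put into a link by plain concatenation and by encoding, and each URL is split back into query parameters and fragment to show where "#29" and "type" end up. The helper names split_url() and edit_link() are assumptions; the row values are the ones quoted in the thread.

```php
<?php
// Added example, not code from the thread; split_url() and edit_link() are
// hypothetical helper names.
declare(strict_types=1);

/** Split a URL into the query parameters a script would receive and the fragment. */
function split_url(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false) {
        return ['params' => [], 'fragment' => null];
    }
    $params = [];
    parse_str($parts['query'] ?? '', $params);
    // The fragment (everything after an unencoded #) is never sent to the server.
    return ['params' => $params, 'fragment' => $parts['fragment'] ?? null];
}

/** Build the edit link: URL-encode every value, then HTML-escape the URL for the attribute. */
function edit_link(string $script, array $params): string
{
    $url = $script . '?' . http_build_query($params);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Edit</a>';
}

// Row values quoted in the thread: id, class (empty), cust, type.
$row = [70, '', 'company T/T #29', 'OEM'];
$base = 'http://company.com/custmaint.php';

// Plain concatenation, as in the original href.
$naive = "$base?id=$row[0]&class=$row[1]&cust=$row[2]&type=$row[3]";

// Encoded query string.
$params = ['id' => $row[0], 'class' => $row[1], 'cust' => $row[2], 'type' => $row[3]];
$encoded = $base . '?' . http_build_query($params);

foreach (['naive' => $naive, 'encoded' => $encoded] as $label => $url) {
    printf(
        "%-8s %s\n         %s\n",
        $label,
        $url,
        json_encode(split_url($url), JSON_UNESCAPED_SLASHES)
    );
}

// The markup to emit: & becomes &amp; inside the attribute and is decoded by the browser.
echo edit_link('custmaint.php', $params), "\n";
```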





RE: [PHP] Escaping '#' Sign

2002-12-13 Thread Mike Smith
Thanks. That did it. What I came up with is:
echo "<a href=\"custmaint.php?id=$row[0]&class=$row[1]&cust=" . urlencode($row[2])
    . "&type=$row[3]\"><img alt=\"Edit\" src=\"images/edit.gif\" height=\"24\" "
    . "width=\"24\" border=\"0\" /></a>";


Is this fundamentally flawed? You mentioned ...is probably invalid in
itself, but we'll come to that. Were you referring to the space or the
whole passing of array variables in an URL. I'm trying to come up with a
simple Edit form (custmaint.php) with a list of customers below the form.
When you click on the edit.gif it links to itself ($PHP_SELF really). I've
actually come a long way since I've started scripting in PHP, but would
appreciate any pointers.
Thanks for pointing me in the right direction!

Mike Smith

-Original Message-
From: Ford, Mike [LSS] [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 13, 2002 4:22 AM
To: 'Mike Smith'; PHP General
Subject: RE: [PHP] Escaping '#' Sign


 -Original Message-
 From: Mike Smith [mailto:[EMAIL PROTECTED]]
 Sent: 12 December 2002 14:47
 
 Rendered results of a href... =
 
 http://company.com/custmaint.php?id=70&class=&cust=company 
 T/T #29&type=OEM
 
 id is the record id
 class is Null so that's OK.
 cust=company T/T #29
 type=OEM
 
 I present the info in a form...
 
 echo "<td>\n";
 echo "<input type=\"text\" name=\"cust\" value=\"$cust\">\n";
 echo "</td>\n";
 
 This gives me:
 +------------+
 |company T/T |
 +------------+
 *Note lack of #29 which I do see in the HTML table. If I save 
 (UPDATE WHERE
 id=$id) this record cust will now be company T/T
 
 All the other fields fill in correctly. Is it seeing the # as 
 a comment?

Nope -- as an anchor name.  Written like this, you're telling your browser
to load the page identified by
http://company.com/custmaint.php?id=70&class=&cust=company T/T (which, by
the way, is probably invalid in itself, but we'll come to that!), and then
go to the anchor named 29&type=OEM on that page.

What you need to do is urlencode() the value of the cust parameter before
inserting it in your A href= tag, so that any characters which might
cause problems (such as # or &, or even space) don't appear in the rendered
URL, but instead are encoded as a %xx value (or maybe + for a space -- can't
remember which urlencode() does).  This is all you need to do -- as it's a
URL, it automatically gets URL-decoded by the Web server before being passed
to your script, so you should see what you want.  (But don't forget to
re-urlencode it if you need to pass it on in another URL!)

Hope this helps!





RE: [PHP] Escaping '#' Sign

2002-12-13 Thread Ford, Mike [LSS]
-Original Message-
From: Mike Smith

Is this fundamentally flawed? You mentioned "...is probably invalid in
itself, but we'll come to that." Were you referring to the space or the
whole passing of array variables in a URL?

Yup, I meant the spaces, not the whole concept -- when I wrote that I intended to come
back to invalid characters in URLs, but got distracted between then and hitting
Send!  Your solution looks just about spot on.

Cheers!

Mike





RE: [PHP] Escaping '#' Sign

2002-12-12 Thread Mike Smith
That didn't do it either. I should have been more specific. I can display
correct results in an HTML table. I have an Edit (A href) link to edit the
current record, i.e...

<?php

include('../db/junction.php'); //DB Connection - MSSQL 2000
include('header.php');
...
$sql = "SELECT tblcustomer.id, tblseacust.ARC_NAME,cust, type\n";
$sql .= "FROM tblcustomer\n";
$sql .= "LEFT JOIN tblseacust ON tblcustomer.custclass=tblseacust.id\n";

$rst = mssql_query($sql);
...
while($row = mssql_fetch_array($rst)) {
echo "<tr>\n";
echo "<td align=center>\n";
echo "<font face=\"Arial\" size=2>";
echo "<a href=\"custmaint.php?id=$row[0]&class=$row[1]&cust=$row[2]&type=$row[3]\"><img alt=\"Edit\" src=\"images/edit.gif\" height=\"24\" width=\"24\" border=\"0\" /></a>";
echo "</td>\n";

Rendered results of a href... =

http://company.com/custmaint.php?id=70&class=&cust=company T/T #29&type=OEM

id is the record id
class is Null so that's OK.
cust=company T/T #29
type=OEM

I present the info in a form...

echo "<td>\n";
echo "<input type=\"text\" name=\"cust\" value=\"$cust\">\n";
echo "</td>\n";

This gives me:
+------------+
|company T/T |
+------------+
*Note lack of #29 which I do see in the HTML table. If I save (UPDATE WHERE
id=$id) this record cust will now be company T/T

All the other fields fill in correctly. Is it seeing the # as a comment?



-Original Message-
From: Richard Baskett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 3:57 PM
To: Mike Smith; PHP General
Subject: Re: [PHP] Escaping '#' Sign


Why don't you just try:

$cust2 = str_replace('#','&#35;',$cust);

That should replace all instances of # with its HTML entity equivalent.  If
that doesn't work then there is something else wrong with your script and
we'll need to see it all! :)

Rick

People who drink to drown their sorrow should be told that sorrow knows how
to swim. - Ann Landers

 I have a string I'm returning from a database. Some entries have # signs
 in the names ie (COMPANY #42, COMPANY #43...). When I display results
 all I have is COMPANY. Everything after the # is dropped off. I tried:
 
 If ($cust) {
 $cust2=ereg_replace('#','no',$cust);
 //tried $cust2=ereg_replace("#","no",$cust); too
 }
 
 but that still returns the same thing (COMPANY).
 
 Also tried:
 
 $cust2 = preg_replace ("'&(pound|#163);'i", chr(163), $cust);
 
 Any help is appreciated.
 
 