Re: [PHP] addslashes/stripslashes issue
JM wrote:
> Hi all,
>
> Ok here is what I need help with:
>
> $var = i like fi'sh;
>
> I'm able to addslashes(gather the data from a form), submit into the database, stripslashes(retrieve it). My problem is when I display it in an input type=text form the single quote is causing a truncation.
>
> input type=text value={$var}
>
> will display as: i like fi in the text form...
>
> Any help?

Which browser is doing that? If you really have double-quotes around the value then single quotes inside shouldn't truncate anything. eg. http://lerdorf.com/test.html

Do you see the single quote there?

-Rasmus

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] addslashes/stripslashes issue
JM wrote:
> Hi all,
>
> Ok here is what I need help with:
>
> $var = i like fi'sh;
>
> I'm able to addslashes(gather the data from a form), submit into the database, stripslashes(retrieve it). My problem is when I display it in an input type=text form the single quote is causing a truncation.
>
> input type=text value={$var}
>
> will display as: i like fi in the text form...
>
> Any help?

http://us4.php.net/htmlentities

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
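The truncation JM describes and the output-time escaping the htmlentities link points to, as an added example that is not code from the thread. The helper names (`render_input_raw`, `render_input_escaped`, `attribute_value_seen`) and the field name `note` are hypothetical, and `attribute_value_seen` is a simplified model of how a browser reads the attribute.

```php
<?php
// Added example, not code from the thread. The value is the one JM posted;
// the helper names are hypothetical.

$var = "i like fi'sh";

// Unsafe: the value is interpolated raw. With a single-quoted (or unquoted)
// attribute the ' in the data ends the attribute early, which is the
// truncation reported in the thread. It is also an HTML injection point.
function render_input_raw(string $value): string
{
    return "<input type='text' name='note' value='{$value}'>";
}

// Safe: escape for the HTML context at output time. ENT_QUOTES converts both
// ' and " so the result is correct whichever quote delimits the attribute.
function render_input_escaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='text' name='note' value='{$safe}'>";
}

// Simplified model of the browser: the value runs up to the first literal
// delimiter, then character entities are decoded.
function attribute_value_seen(string $html): string
{
    preg_match("/value='([^']*)'/", $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

foreach (['render_input_raw', 'render_input_escaped'] as $render) {
    $html = $render($var);
    printf("%-22s %s\n    browser sees: %s\n",
        $render, $html, attribute_value_seen($html));
}

// addslashes() is the wrong tool for this context: HTML has no backslash
// escape, so the attribute still ends at the quote.
printf("addslashes then raw:\n    browser sees: %s\n",
    attribute_value_seen(render_input_raw(addslashes($var))));
```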
Re: [PHP] addslashes stripslashes
Will wrote:
> I'm a little confused with these functions. How I hear you ask. Well I thought I understood what they were for: Escaping characters that might cause a problem when you enter your data into a database query. i.e. \ '
>
> Anyway what is confusing me is, say I have a string which contains an ' e.g: that's mine. I would use addslashes so that the query wouldn't upset mysql when it is entered.
>
> Viewing the data entry via phpmyadmin the data is displayed as: that's mine (not: that\'s mine)
>
> Meaning that when I extract the data from the database I need to use stripslashes returning the string to: that's mine. (I thought that perhaps phpmyadmin stripped the slashes when displaying the data.)
>
> However recently I encrypted some data which I stored in the database. The string contained a \ which I added slashes to when entered in to the database. But as the database appears to strip the first slash off the double slash automatically. Upon retrieving the data and strip the slashes off it, my data is now corrupt as there weren't double slashes it was just a single (like it was supposed to be) and that got removed by the function instead of the extra one.
>
> As I haven't had any data that contains a \ in it before I've never noticed it's not made any difference before.
>
> So Does this basically mean that there is no point using stripslashes on the data you extract from the database.

True. that's mine is already stored in the database as that's mine (w/o the backslash), and the database returns this. If you have magic_quotes_runtime on, php will run addslashes on the database output, but it's usually off. Remember that the backslashes are to escape characters with special meaning (such as end of a string), but are not part of the actual string. They simply say the next character should be treated literally.

> Or am I just being an idiot :-)
>
> Thanks
> Will
Re: [PHP] addslashes stripslashes
Hello Will,

On 28 Jan 2004 at 12:31, Will wrote:
> However recently I encrypted some data which I stored in the database. The string contained a \ which I added slashes to when entered in to the database. But as the database appears to strip the first slash off the double slash automatically. Upon retrieving the data and strip the slashes off it, my data is now corrupt as there weren't double slashes it was just a single (like it was supposed to be) and that got removed by the function instead of the extra one.

Just adding to Marek's response in an attempt to make things clearer for you.

I think what's bothering you is the fact that you don't see the backslashes added by addslashes in the strings stored in the database. Well, that's because they are *not* actually added to the strings; they simply tell the database to treat whatever character comes after them (them = the backslashes) as regular text, not as symbols with special meanings (such as quotes, which MySQL would normally see as string delimiters, not actual quotes in a string of text).

Since no backslashes have actually been added to the strings stored in the database, you don't need to (or, rather, should not) use stripslashes when retrieving the strings from the db.

By the way, consider using mysql_escape_string or mysql_real_escape_string instead of addslashes; consult the PHP manual for more info on these functions.

Cheers,
Erik
RE: [PHP] addslashes stripslashes
On 28 January 2004 12:31, Will wrote:
> I'm a little confused with these functions. How I hear you ask. Well I thought I understood what they were for: Escaping characters that might cause a problem when you enter your data into a database query. i.e. \ '
>
> Anyway what is confusing me is, say I have a string which contains an ' e.g: that's mine. I would use addslashes so that the query wouldn't upset mysql when it is entered.
>
> Viewing the data entry via phpmyadmin the data is displayed as: that's mine (not: that\'s mine)
>
> Meaning that when I extract the data from the database I need to use stripslashes returning the string to: that's mine.

Correct so far. Let's do a little visualisation, using your example string of that's mine:

* Start with the string you want to insert: that's mine
* You apply addslashes to escape problematic characters. This results in: that\'s mine
* The database takes this string, translates the escape sequence to its unescaped equivalent, and inserts the result: that's mine

So, by this process, you have inserted into the database exactly what you wanted -- in the process, it gets escaped in PHP, and then unescaped by the database. The bottom line here is, the slashes do *not* get inserted -- they are there simply to ensure that any potentially problematic characters get stored correctly.

Now, when you retrieve this data, PHP takes a look at the setting of magic_quotes_runtime, and if it is On does an on-the-fly addslashes() on the retrieved value; so the result, when displayed will be:

* with magic_quotes_runtime = On: that\'s mine
* with magic_quotes_runtime = Off: that's mine

So, with magic_quotes_runtime Off, you get back exactly what you put in, which is good for displaying on, say, an HTML page; with it On, you get a version that's good for using in, say, another database query, but needs stripslashes()ing before you display it.

Now to the meat of your query:

> However recently I encrypted some data which I stored in the database. The string contained a \ which I added slashes to when entered in to the database. But as the database appears to strip the first slash off the double slash automatically. Upon retrieving the data and strip the slashes off it, my data is now corrupt as there weren't double slashes it was just a single (like it was supposed to be) and that got removed by the function instead of the extra one.

Well, it's important to note here that the encryption of a string containing problematic characters may not, itself, contain them -- and, of course, vice versa! -- so the trick is to apply addslashes() (or whatever) to the values *inserted into the database*. This means that the sequence should be:

* encrypt string
* apply addslashes
* insert into database

The database will, as before, deslash the string as it is inserted, so that when you later retrieve the encrypted value and decrypt it you will properly get back what you started with. If you addslashes() and then encrypt, you've just incorporated the added slashes into the encrypted value -- and you have no protection against encrypted values which themselves contain quotes or slashes.

> As I haven't had any data that contains a \ in it before I've never noticed it's not made any difference before.
>
> So Does this basically mean that there is no point using stripslashes on the data you extract from the database.

If you've correctly addslashes()ed it on the way in, then yes, there is no point -- since the added slashes never actually make it into the database. (Indeed, you may incorrectly remove slashes that were in the original data!)

Cheers!

Mike

Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
Re: [PHP] addslashes/stripslashes
thanks guys, got it working now. Removed Addslashes and it works fine.

1lt John W. Holmes wrote:
> > I am trying to develop a search for my database. I used addslashes when entering the data, and then use addslashes with the search but nothing comes up:
> >
> > Select * from tblContacts, tblCountries WHERE (tblContacts.CountryCode=tblCountries.CountryID) AND (Organization LIKE '%o\'mallies%' )
> >
> > I check in the database and o'mallies is indeed there as o\'mallies. And a search for just mallies works fine.
>
> If you see it in the database as o\'mallies, then you are running addslashes() twice on the data you are inserting. If you insert o\'mallies into the database, the \ is only there to tell the database that the following character is escaped. In this case, the ' is not the end of the string, but something that should be included in the data that's put into the database. The actual \ isn't put in the database.
>
> So, with that said, you can fix your code and find out where you are addslashes() twice. You can run some queries to replace \' in your database with ', too. Or you can just search for o\\\'mallies in your database, which will search for a literal \ and a literal ' in the data.
>
> ---John Holmes...
RE: [PHP] addslashes/stripslashes
Don't know which database you're using but in Oracle you would use:

Select * from tblContacts, tblCountries WHERE (tblContacts.CountryCode=tblCountries.CountryID) AND (Organization LIKE '%o''mallies%' )

Escape(\) is only used in PHP syntax, not SQL.

Regards

-Original Message-
From: Paul Dionne [mailto:PDionne;Speakeasy.net]
Sent: Tuesday, November 05, 2002 5:26 PM
To: [EMAIL PROTECTED]
Subject: [PHP] addslashes/stripslashes

Hey,

I am trying to develop a search for my database. I used addslashes when entering the data, and then use addslashes with the search but nothing comes up:

Select * from tblContacts, tblCountries WHERE (tblContacts.CountryCode=tblCountries.CountryID) AND (Organization LIKE '%o\'mallies%' )

I check in the database and o'mallies is indeed there as o\'mallies. And a search for just mallies works fine.

What gives?

Thanks
Paul
Re: [PHP] addslashes/stripslashes
what happens when you type:

Select * from tblContacts, tblCountries WHERE (tblContacts.CountryCode=tblCountries.CountryID) AND (Organization LIKE '%o\'mallies%' )

at the mysql command line?

- Original Message -
From: Paul Dionne [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 05, 2002 9:25 AM
Subject: [PHP] addslashes/stripslashes

Hey,

I am trying to develop a search for my database. I used addslashes when entering the data, and then use addslashes with the search but nothing comes up:

Select * from tblContacts, tblCountries WHERE (tblContacts.CountryCode=tblCountries.CountryID) AND (Organization LIKE '%o\'mallies%' )

I check in the database and o'mallies is indeed there as o\'mallies. And a search for just mallies works fine.

What gives?

Thanks
Paul
Re: [PHP] addslashes/stripslashes
> I am trying to develop a search for my database. I used addslashes when entering the data, and then use addslashes with the search but nothing comes up:
>
> Select * from tblContacts, tblCountries WHERE (tblContacts.CountryCode=tblCountries.CountryID) AND (Organization LIKE '%o\'mallies%' )
>
> I check in the database and o'mallies is indeed there as o\'mallies. And a search for just mallies works fine.

If you see it in the database as o\'mallies, then you are running addslashes() twice on the data you are inserting. If you insert o\'mallies into the database, the \ is only there to tell the database that the following character is escaped. In this case, the ' is not the end of the string, but something that should be included in the data that's put into the database. The actual \ isn't put in the database.

So, with that said, you can fix your code and find out where you are addslashes() twice. You can run some queries to replace \' in your database with ', too. Or you can just search for o\\\'mallies in your database, which will search for a literal \ and a literal ' in the data.

---John Holmes...
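The escape round trip discussed in the two threads above (Will's "that's mine" question and Paul's o\'mallies search), as an added example that is not code from any of the posts. `mysql_literal_value()` and `store()` are hypothetical helpers; the first is a simplified model of how the MySQL parser reads a quoted string literal, not a MySQL or PHP API, and the `k3y\data` value is constructed.

```php
<?php
// Added example, not code from the thread. mysql_literal_value() is a
// hypothetical, simplified model of the SQL parser's string-literal handling.

function mysql_literal_value(string $escaped): string
{
    $map = ['n' => "\n", 't' => "\t", 'r' => "\r", '0' => "\0"];
    $out = '';
    for ($i = 0, $len = strlen($escaped); $i < $len; $i++) {
        $c = $escaped[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $next = $escaped[++$i];
            // The backslash is consumed; only the escaped character is stored.
            $out .= $map[$next] ?? $next;
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// Store a value the way the thread does: escape in PHP, then let the
// parser unescape it. $escapePasses = 2 models calling addslashes() twice.
function store(string $value, int $escapePasses = 1): string
{
    for ($i = 0; $i < $escapePasses; $i++) {
        $value = addslashes($value);
    }
    return mysql_literal_value($value);
}

$cases = [
    "that's mine",   // Will's example
    'k3y\\data',     // constructed: data containing one literal backslash
    "o'mallies",     // Paul's example
];

foreach ($cases as $original) {
    $stored   = store($original);       // what the column holds
    $stripped = stripslashes($stored);  // the unnecessary step on retrieval
    $twice    = store($original, 2);    // what double escaping leaves stored
    printf("%-12s stored=%-12s after stripslashes=%-12s escaped twice=%s\n",
        $original, $stored, $stripped, $twice);
}
```

With bound parameters (PDO or mysqli prepared statements) the value never passes through the SQL string-literal parser, so neither addslashes() nor stripslashes() is involved.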
Re: [PHP] addslashes, stripslashes
--On Monday, November 26, 2001 04:47:35 PM -0800 Scott Aikin [EMAIL PROTECTED] wrote:
> I've come across a strange problem working backwards with stripslashes after running addslashes. I take a string like:
>
> \t\4
>
> and run it through addslashes, the result is:
>
> \\t\\4
>
> After grabbing this data from the database and running 'stripslashes', the data comes out as:
>
> \t
>
> without the \4, for some reason stripslashes always removes any combination of \ and a number. Does anybody know a way around this or can maybe provide some insight about why this is happening?

It probably isn't removing it, it's converting it into an EOT character (0x04). That's pretty standard for most environments that do backslash substitution. It should also convert \48 and \060 into a '0' character. (The first being decimal, the second octal due to the leading zero.)

-Pat