Re: [PHP] addslashes/stripslashes issue

2005-05-27 Thread Rasmus Lerdorf
JM wrote:
> Hi all,
> Ok here is what I need help with:
>
> $var = i like fi'sh;
>
> I'm able to addslashes(gather the data from a form), submit into the
> database, stripslashes(retrieve it).
>
> My problem is when I display it in an input type=text form the single
> quote is causing a truncation.
>
> input type=text value={$var}
> will display as:
> i like fi
> in the text form...
>
> Any help?

Which browser is doing that?  If you really have double-quotes around
the value then single quotes inside shouldn't truncate anything.

eg.

  http://lerdorf.com/test.html

Do you see the single quote there?

-Rasmus

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] addslashes/stripslashes issue

2005-05-27 Thread John Nichel

JM wrote:

> Hi all,
> Ok here is what I need help with:
>
> $var = i like fi'sh;
>
> I'm able to addslashes(gather the data from a form), submit into the
> database, stripslashes(retrieve it).
>
> My problem is when I display it in an input type=text form the single
> quote is causing a truncation.
>
> input type=text value={$var}
> will display as:
> i like fi
> in the text form...
>
> Any help?



http://us4.php.net/htmlentities

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
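
Added example, not part of any message in this thread: the truncation JM describes next to the encoded form that the htmlentities pointer leads to, checked by parsing the generated markup back with PHP's DOM extension. The helper names and sample values are constructed for illustration, and htmlspecialchars() is used in place of htmlentities() because only the HTML-special characters need encoding here.

```php
<?php
// Added example. Sample values are constructed; the helper functions are
// hypothetical names, not part of PHP or of the original thread.

// "Before": value pasted into a single-quoted attribute with no encoding.
function input_unescaped(string $value): string
{
    return "<input type='text' name='note' value='" . $value . "'>";
}

// "After": ENT_QUOTES encodes both ' and ", so the value cannot close the
// attribute whichever quote character delimits it.
function input_escaped(string $value): string
{
    $v = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="note" value="' . $v . '">';
}

// Parse the markup with an HTML parser and return what ends up in "value".
function parsed_value(string $html): string
{
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

$samples = ["i like fi'sh", 'say "hi"', "tuna' disabled x='"];
foreach ($samples as $s) {
    printf("%-20s unescaped=[%s] escaped=[%s]\n",
        $s, parsed_value(input_unescaped($s)), parsed_value(input_escaped($s)));
}
```

Passing ENT_QUOTES explicitly matters on PHP versions before 8.1, where the default flags left single quotes unencoded.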




Re: [PHP] addslashes stripslashes

2004-01-28 Thread Marek Kilimajer
Will wrote:

> I'm a little confused with these functions. How I hear you ask. Well I
> thought I understood what they were for:
> Escaping characters that might cause a problem when you enter your data
> into a database query. i.e. \ '
>
> Anyway what is confusing me is, say I have a string which contains an '
> e.g: that's mine. I would use addslashes so that the query wouldn't
> upset mysql when it is entered. Viewing the data entry via phpmyadmin
> the data is displayed as: that's mine (not: that\'s mine) Meaning that
> when I extract the data from the database I need to use stripslashes
> returning the string to: that's mine. (I thought that perhaps phpmyadmin
> stripped the slashes when displaying the data.)
>
> However recently I encrypted some data which I stored in the database.
> The string contained a \ which I added slashes to when entered in to the
> database. But as the database appears to strips the first slash off the
> double slash automatically. Upon retrieving the data and strip the
> slashes off it, my data is now corrupt as there weren't double slashes
> it was just a single (like it was supposed to be) and that got removed
> by the function instead of the extra one.
>
> As I haven't had any data that contains a \ in it before I've never
> noticed it's not made any difference before.
> So Does this basically mean that there is no point using stripslashes on
> the data you extract from the database.

True. that's mine is already stored in the database as that's mine
(w/o the backslash), and the database returns this. If you have
magic_quotes_runtime on, php will run addslashes on the database output,
but it's usually off.

Remember that the backslashes are to escape characters with special
meaning (such as end of a string), but are not part of the actual
string. They simply say the next character should be treated literally.

> Or am I just being an idiot :-)
>
> Thanks
>
> Will
 


Re: [PHP] addslashes stripslashes

2004-01-28 Thread memoimyself
Hello Will,

On 28 Jan 2004 at 12:31, Will wrote:

> However recently I encrypted some data which I stored in the database.
> The string contained a \ which I added slashes to when entered in to
> the database. But as the database appears to strips the first slash
> off the double slash automatically. Upon retrieving the data and strip
> the slashes off it, my data is now corrupt as there weren't double
> slashes it was just a single (like it was supposed to be) and that got
> removed by the function instead of the extra one.

Just adding to Marek's response in an attempt to make things clearer for you.

I think what's bothering you is the fact that you don't see the backslashes added by
addslashes in the strings stored in the database. Well, that's because they are *not*
actually added to the strings; they simply tell the database to treat whatever character
comes after them (them = the backslashes) as regular text, not as symbols with special
meanings (such as quotes, which MySQL would normally see as string delimiters, not
actual quotes in a string of text).

Since no backslashes have actually been added to the strings stored in the database,
you don't need to (or, rather, should not) use stripslashes when retrieving the strings
from the db.

By the way, consider using mysql_escape_string or mysql_real_escape_string instead 
of addslashes; consult the PHP manual for more info on these functions.

Cheers,

Erik




RE: [PHP] addslashes stripslashes

2004-01-28 Thread Ford, Mike [LSS]
On 28 January 2004 12:31, Will wrote:

> I'm a little confused with these functions. How I hear you
> ask. Well I thought I understood what they were for:
> Escaping characters that might cause a problem when you enter
> your data into a database query. i.e. \ '
>
> Anyway what is confusing me is, say I have a string which
> contains an ' e.g: that's mine. I would use addslashes so
> that the query wouldn't upset mysql when it is entered.
> Viewing the data entry via phpmyadmin the data is displayed
> as: that's mine (not: that\'s mine) Meaning that when I
> extract the data from the database I need to use stripslashes
> returning the string to: that's mine.

Correct so far.  Let's do a little visualisation, using your example string
of that's mine:

* Start with the string you want to insert:   that's mine

* You apply addslashes to escape
  problematic characters.  This results in:   that\'s mine

* The database takes this string, translates
  the escape sequence to its unescaped
  equivalent, and inserts the result:         that's mine

So, by this process, you have inserted into the database exactly what you
wanted -- in the process, it gets escaped in PHP, and then unescaped by
the database.  The bottom line here is, the slashes do *not* get inserted --
they are there simply to ensure that any potentially problematic characters
get stored correctly.

Now, when you retrieve this data, PHP takes a look at the setting of
magic_quotes_runtime, and if it is On does an on-the-fly addslashes() on the
retrieved value; so the result, when displayed will be:

* with magic_quotes_runtime = On:    that\'s mine

* with magic_quotes_runtime = Off:   that's mine

So, with magic_quotes_runtime Off, you get back exactly what you put in,
which is good for displaying on, say, an HTML page; with it On, you get a
version that's good for using in, say, another database query, but needs
stripslashes()ing before you display it.

Now to the meat of your query:

> However recently I encrypted some data which I stored in the
> database. The string contained a \ which I added slashes to
> when entered in to the database. But as the database appears
> to strips the first slash off the double slash automatically.
> Upon retrieving the data and strip the slashes off it, my
> data is now corrupt as there weren't double slashes it was
> just a single (like it was supposed to be) and that got
> removed by the function instead of the extra one.

Well, it's important to note here that the encryption of a string containing
problematic characters may not, itself, contain them -- and, of course, vice
versa! -- so the trick is to apply addslashes() (or whatever) to the values
*inserted into the database*.  This means that the sequence should be:

* encrypt string

* apply addslashes

* insert into database

The database will, as before, deslash the string as it is inserted, so that
when you later retrieve the encrypted value and decrypt it you will properly
get back what you started with.

If you addslashes() and then encrypt, you've just incorporated the added
slashes into the encrypted value -- and you have no protection against
encrypted values which themselves contain quotes or slashes.

> As I haven't had any data that contains a \ in it before I've
> never noticed it's not made any difference before.
> So Does this basically mean that there is no point using
> stripslashes on the data you extract from the database.

If you've correctly addslashes()ed it on the way in, then yes, there is no
point -- since the added slashes never actually make it into the database.
(Indeed, you may incorrectly remove slashes that were in the original data!)

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning  Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 
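
Added example, not part of the original messages: the escape/unescape round trip described in the replies above, run in the encrypt, addslashes, insert order and then in the reversed order. mysql_literal_value() and toy_crypt() are hypothetical stand-ins (a simplified model of how MySQL reads a quoted literal, and a non-cryptographic XOR in place of real encryption) so the block runs without a database or extensions.

```php
<?php
// Added example. mysql_literal_value() is a hypothetical, simplified model of
// how MySQL reads the body of a quoted string literal: a backslash makes the
// next character literal and is itself discarded. Only the sequences that
// addslashes() emits (\' \" \\ \0) are modelled.
function mysql_literal_value(string $body): string
{
    $out = '';
    for ($i = 0, $n = strlen($body); $i < $n; $i++) {
        if ($body[$i] === '\\' && $i + 1 < $n) {
            $next = $body[++$i];
            $out .= ($next === '0') ? "\0" : $next;
        } else {
            $out .= $body[$i];
        }
    }
    return $out;
}

// Stand-in for encryption so the example needs no extension: byte-wise XOR
// with 0x7b, which is its own inverse. NOT a cipher. It happens to turn ' into
// \ and \ into ', so the output has different special bytes than the input.
function toy_crypt(string $s): string
{
    return $s ^ str_repeat("\x7b", strlen($s));
}

$plain = "that's mine";                                  // value from the thread

// Order from the thread: encrypt, then addslashes, then insert.
$cipher = toy_crypt($plain);
$stored = mysql_literal_value(addslashes($cipher));      // what the column holds
printf("column holds the ciphertext unchanged: %s\n", $stored === $cipher ? 'yes' : 'no');
printf("decrypt what was retrieved:   [%s]\n", toy_crypt($stored));
printf("decrypt after stripslashes(): [%s]\n", toy_crypt(stripslashes($stored)));

// Reversed order: the added slash is now inside the ciphertext, and the
// ciphertext itself would reach the query with bytes that still need escaping.
$reversed = toy_crypt(addslashes($plain));
printf("escape-then-encrypt output still needs escaping: %s\n",
    addslashes($reversed) !== $reversed ? 'yes' : 'no');
printf("and it decrypts to:           [%s]\n", toy_crypt($reversed));
```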




Re: [PHP] addslashes/stripslashes

2002-11-06 Thread Paul Dionne
thanks guys, got it working now.  Removed Addslashes and it works fine.


1lt John W. Holmes wrote:

>> I am trying to develop a search for my database.
>>
>> I used addslashes when entering the data, and then use addslashes with
>> the search but nothing comes up:
>>
>> Select * from tblContacts, tblCountries WHERE
>> (tblContacts.CountryCode=tblCountries.CountryID) AND (Organization LIKE
>> '%o\'mallies%' )
>>
>> I check in the database and o'mallies is indeed there as o\'mallies.  And
>> a search for just mallies works fine.
>
> If you see it in the database as o\'mallies, then you are running
> addslashes() twice on the data you are inserting. If you insert o\'mallies
> into the database, the \ is only there to tell the database that the
> following character is escaped. In this case, the ' is not the end of the
> string, but something that should be included in the data that's put into
> the database. The actual \ isn't put in the database.
>
> So, with that said, you can fix your code and find out where you are
> addslashes() twice. You can run some queries to replace \' in your
> database with ', too.
>
> Or you can just search for o\\\'mallies in your database, which will
> search for a literal \ and a literal ' in the data.
>
> ---John Holmes...






RE: [PHP] addslashes/stripslashes

2002-11-05 Thread Rudolf Visagie
Don't know which database you're using but in Oracle you would use:

Select * from tblContacts, tblCountries WHERE 
(tblContacts.CountryCode=tblCountries.CountryID) AND (Organization LIKE 
'%o''mallies%' )

Escape(\) is only used in PHP syntax, not SQL.

Regards


-Original Message-
From: Paul Dionne [mailto:PDionne;Speakeasy.net]
Sent: Tuesday, November 05, 2002 5:26 PM
To: [EMAIL PROTECTED]
Subject: [PHP] addslashes/stripslashes


Hey,

I am trying to develop a search for my database.

I used addslashes when entering the data, and then use addslashes with the 
search but nothing comes up:

Select * from tblContacts, tblCountries WHERE 
(tblContacts.CountryCode=tblCountries.CountryID) AND (Organization LIKE 
'%o\'mallies%' )

I check in the database and o'mallies is indeed there as o\'mallies.  And a 
search for just mallies works fine. 

What gives?

Thanks
Paul





Re: [PHP] addslashes/stripslashes

2002-11-05 Thread Rick Emery
what happens when you type:
Select * from tblContacts, tblCountries WHERE 
(tblContacts.CountryCode=tblCountries.CountryID) AND (Organization LIKE 
'%o\'mallies%' )

at the mysql command line?
- Original Message - 
From: Paul Dionne [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 05, 2002 9:25 AM
Subject: [PHP] addslashes/stripslashes


Hey,

I am trying to develop a search for my database.

I used addslashes when entering the data, and then use addslashes with the 
search but nothing comes up:

Select * from tblContacts, tblCountries WHERE 
(tblContacts.CountryCode=tblCountries.CountryID) AND (Organization LIKE 
'%o\'mallies%' )

I check in the database and o'mallies is indeed there as o\'mallies.  And a 
search for just mallies works fine. 

What gives?

Thanks
Paul





Re: [PHP] addslashes/stripslashes

2002-11-05 Thread 1LT John W. Holmes
> I am trying to develop a search for my database.
>
> I used addslashes when entering the data, and then use addslashes with the
> search but nothing comes up:
>
> Select * from tblContacts, tblCountries WHERE
> (tblContacts.CountryCode=tblCountries.CountryID) AND (Organization LIKE
> '%o\'mallies%' )
>
> I check in the database and o'mallies is indeed there as o\'mallies.  And
> a search for just mallies works fine.

If you see it in the database as o\'mallies, then you are running
addslashes() twice on the data you are inserting. If you insert o\'mallies
into the database, the \ is only there to tell the database that the
following character is escaped. In this case, the ' is not the end of the
string, but something that should be included in the data that's put into
the database. The actual \ isn't put in the database.

So, with that said, you can fix your code and find out where you are
addslashes() twice. You can run some queries to replace \' in your database
with ', too.

Or you can just search for o\\\'mallies in your database, which will search
for a literal \ and a literal ' in the data.

---John Holmes...
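
Added example, not code from the thread: a double-escaped row of the kind diagnosed above, the search that misses it, and a one-off cleanup query of the kind the reply suggests. It assumes PHP's pdo_sqlite extension and an in-memory SQLite table named after the one in Paul's query; the rows are constructed, and bound parameters stand in for a correctly escaped query path.

```php
<?php
// Added example. Assumes the pdo_sqlite extension; table and column names
// follow the query in the thread, the rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblContacts (Organization TEXT)');

// Bound parameters need no escaping, so addslashes() here is one layer more
// than the query path removes, and the backslash is stored as data.
$insert = $db->prepare('INSERT INTO tblContacts (Organization) VALUES (?)');
$insert->execute(["o'mallies pub"]);
$insert->execute([addslashes("o'mallies grill")]);

function search(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT Organization FROM tblContacts WHERE Organization LIKE ?');
    $stmt->execute(['%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Rows that carry a literal backslash-quote pair, the sign of double escaping.
function damaged(PDO $db): array
{
    $stmt = $db->prepare('SELECT Organization FROM tblContacts WHERE instr(Organization, ?) > 0');
    $stmt->execute(["\\'"]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo "before repair, search o'mallies: ", implode(' | ', search($db, "o'mallies")), "\n";
echo "damaged rows: ", implode(' | ', damaged($db)), "\n";

// One-off cleanup: replace \' with ' in the affected rows only.
$fix = $db->prepare('UPDATE tblContacts SET Organization = replace(Organization, ?, ?)
                     WHERE instr(Organization, ?) > 0');
$fix->execute(["\\'", "'", "\\'"]);

echo "after repair, search o'mallies: ", implode(' | ', search($db, "o'mallies")), "\n";
echo "damaged rows left: ", count(damaged($db)), "\n";
```

Review the rows returned by damaged() before running the cleanup, since a value may legitimately contain a backslash followed by a quote.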






Re: [PHP] addslashes, stripslashes

2001-11-26 Thread Pat Lashley

--On Monday, November 26, 2001 04:47:35 PM -0800 Scott Aikin 
[EMAIL PROTECTED] wrote:

> I've come across a strange problem working backwards with stripslashes
> after running addslashes.  I take a string like:
>
> \t\4
>
> and run it through addslashes, the result is:
>
> \\t\\4
>
> After grabbing this data from the database and running 'stripslashes',
> the data comes out as:
>
> \t
>
> without the \4, for some reason stripslashes always removes any
> combination of \ and a number.  Does anybody know a way around this or
> can maybe provide some insight about why this is happening?

It probably isn't removing it, it's converting it into an EOT
character (0x04).  That's pretty standard for most environments
that do backslash substitution.  It should also convert \48 and
\060 into a '0' character.  (The first being decimal, the second
octal due to the leading zero.)



-Pat



