mysql_real_escape_string() is apparently chopping off anything that
follows a quote when I grab the data & put it in a form for editing.
Sorry if I'm not explaining this properly, I'm pretty confused about
what's going on but I'm guessing someone recognizes this problem.

I have code like this:

  function db_safe($str) {
    $str = addslashes($str);
    return $str;
  }

  function html_safe($str) {
    $str = stripslashes($str);
    return $str;
  }

That's on my live server, I'm not sure if magic quotes is on there or I
forgot to update because my test server version looks like:

  function db_safe($str) {
    // $str = addslashes($str);
    $str = mysql_real_escape_string($str);
    return $str;
  }

Anyways then there's code like this:

  if (isset($_REQUEST["submit"])) {
    $latin_name = html_safe($_REQUEST["latin_name"]);
    if ((isset($_REQUEST["option"])) && ($_REQUEST["option"] == "update")) {
      $id = $_REQUEST["id"];
      $latin_name = db_safe($latin_name);
      // ... rest of the update handler
    }
  }

and this is where it's chopping off text after the quote:

  <form action=.......
  <input type='text' size='57' name='latin_name' value="<?=$latin_name?>">
Paul Furman wrote:
> mysql_real_escape_string() is apparently chopping off anything that
> follows a quote when I grab the data & put it in a form for editing.
> Sorry if I'm not explaining this properly, I'm pretty confused about
> what's going on but I'm guessing someone recognizes this problem.

It's only chopping off for one of the fields with a single quote. Double
quotes are OK. I don't see where I'm doing anything different with the
two fields.

> I have code like this:
>
>   function db_safe($str) {
>     $str = addslashes($str);
>     return $str;
>   }
>
>   function html_safe($str) {
>     $str = stripslashes($str);
>     return $str;
>   }
>
> That's on my live server, I'm not sure if magic quotes is on there or I
> forgot to update because my test server version looks like:
>
>   function db_safe($str) {
>     // $str = addslashes($str);
>     $str = mysql_real_escape_string($str);
>     return $str;
>   }
>
> Anyways then there's code like this:
>
>   if (isset($_REQUEST["submit"])) {
>     $latin_name = html_safe($_REQUEST["latin_name"]);
>     if ((isset($_REQUEST["option"])) && ($_REQUEST["option"] == "update")) {
>       $id = $_REQUEST["id"];
>       $latin_name = db_safe($latin_name);
>       // ... rest of the update handler
>     }
>   }
>
> and this is where it's chopping off text after the quote:
>
>   <form action=.......
>   <input type='text' size='57' name='latin_name' value="<?=$latin_name?>">

--
Paul Furman Photography http://edgehill.net
Bay Natives Nursery http://www.baynatives.com
.oO(Paul Furman)

>mysql_real_escape_string() is apparently chopping off anything that follows a quote when I grab the data & put it in a form for editing.

It doesn't chop off anything, it's a bug in your output code.

>and this is where it's chopping off text after the quote:
>
><form action=.......
><input type='text' size='57' name='latin_name' value="<?=$latin_name?>">

Two things:

* Don't rely on short open tags, use <?php echo ... ?> instead.
* Have a look at the generated HTML source code - it's all there, just
improperly escaped. When printing anything to an HTML page, use
htmlspecialchars() to escape those characters that have a special
meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See
the manual for details. http://www.php.net/htmlspecialchars

Micha
Michael Fesser wrote:
> .oO(Paul Furman)
>
>>mysql_real_escape_string() is apparently chopping off anything that follows a quote when I grab the data & put it in a form for editing.
>
> It doesn't chop off anything, it's a bug in your output code.
>
>>and this is where it's chopping off text after the quote:
>>
>><form action=.......
>><input type='text' size='57' name='latin_name' value="<?=$latin_name?>">

Ah, thank you!!

The bad field was using single quotes:

  value='<?=$common_name?>'>

The good field had double quotes:

  value="<?=$common_name?>">

> Two things:
>
> * Don't rely on short open tags, use <?php echo ... ?> instead.

Yes, thanks, my code is quite a mess, partly due to collaboration. I
wondered why some were done in that fashion, now I know it's not good
practice.

> * Have a look at the generated HTML source code - it's all there, just
> improperly escaped. When printing anything to an HTML page, use
> htmlspecialchars() to escape those characters that have a special
> meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See
> the manual for details.
> http://www.php.net/htmlspecialchars

Thanks again, it sounds like I should run that in my html_safe()
function along with stripslashes().

--
Paul Furman Photography http://edgehill.net
Bay Natives Nursery http://www.baynatives.com
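The single-quote case Paul found and the htmlspecialchars()/ENT_QUOTES fix Micha suggested, as an added example that is not code from the thread. It reproduces the truncation with a constructed sample value, shows that the double-quoted field only looked fine because the value happened to contain no double quote, and shows the corrected html_safe(). browser_sees() is a hypothetical stand-in for how a browser reads an attribute value (everything up to the matching quote, entities decoded); the names html_safe_original(), render_input() and $common_name are assumptions for the example.

```php
<?php
// Added example, not code from the thread. It reproduces Paul's single-quote
// truncation and the htmlspecialchars()/ENT_QUOTES fix Micha suggested.
// $common_name and '3" pot' are constructed sample values.

// Paul's original html_safe(): only undoes addslashes()/magic quotes.
function html_safe_original($str) {
    return stripslashes($str);
}

// Corrected html_safe(): undo the backslashes as before, then encode the
// characters that have meaning in HTML. ENT_QUOTES encodes both " and ',
// so the result is safe inside either attribute-quoting style.
function html_safe($str) {
    return htmlspecialchars(stripslashes($str), ENT_QUOTES, 'UTF-8');
}

// Renders the <input> the way the thread's template does; the caller picks
// the attribute quote character (' or ") just as the two fields did.
function render_input($name, $value, $quote) {
    return "<input type='text' size='57' name='$name' value=$quote$value$quote>";
}

// Hypothetical model of how a browser reads the value attribute: it takes
// everything up to the first matching quote and decodes entities in between.
function browser_sees($html) {
    if (!preg_match('/value=(["\'])(.*?)\1/', $html, $m)) {
        return null;
    }
    return html_entity_decode($m[2], ENT_QUOTES, 'UTF-8');
}

// Constructed samples, in their "pure" (unescaped) form.
$common_name = "Farmer's Market Apple";
$pot_size    = '3" pot';

$cases = [
    'apostrophe, single quotes, raw' => render_input('common_name', html_safe_original($common_name), "'"),
    'apostrophe, double quotes, raw' => render_input('common_name', html_safe_original($common_name), '"'),
    'dbl quote, double quotes, raw'  => render_input('size', html_safe_original($pot_size), '"'),
    'apostrophe, single, ENT_QUOTES' => render_input('common_name', html_safe($common_name), "'"),
    'dbl quote, double, ENT_QUOTES'  => render_input('size', html_safe($pot_size), '"'),
];

// The first case is Paul's "chopped" field: the browser stops at the
// apostrophe and sees only "Farmer". The third shows the double-quoted
// field breaking the same way once the value contains a double quote.
// The ENT_QUOTES cases round-trip the full text in both quoting styles.
foreach ($cases as $label => $html) {
    printf("%-32s %s\n", $label . ':', $html);
    printf("%-32s %s\n\n", 'browser sees:', var_export(browser_sees($html), true));
}
```

Run it with `php example.php`. In the template itself the same fix is `value="<?php echo html_safe($common_name) ?>"`, which also drops the short open tag Micha warned about. Note that the escaping is done on the way out, at the point the value is written into HTML, not on the value stored in the database.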
Paul Furman wrote:
> Michael Fesser wrote:
>> When printing anything to an HTML page, use htmlspecialchars() to escape those characters that have a special meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See the manual for details.
>> http://www.php.net/htmlspecialchars
>
> Thanks again, it sounds like I should run that in my html_safe()
> function along with stripslashes().

Just a followup on the htmlspecialchars idea, I tried it & had to
disable it... if I used that, I'd need to be more selective than my
html_safe function because it disabled my ability to add content from
the admin interface with links & images. But thanks for mentioning it.

--
Paul Furman Photography http://edgehill.net
Bay Natives Nursery http://www.baynatives.com
Paul Furman wrote:
> Paul Furman wrote:
>> Michael Fesser wrote:
>>> When printing anything to an HTML page, use htmlspecialchars() to escape those characters that have a special meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See the manual for details.
>>> http://www.php.net/htmlspecialchars
>>
>> Thanks again, it sounds like I should run that in my html_safe() function along with stripslashes().
>
> Just a followup on the htmlspecialchars idea, I tried it & had to
> disable it... if I used that, I'd need to be more selective than my
> html_safe function because it disabled my ability to add content from
> the admin interface with links & images. But thanks for mentioning it.

If it's affecting links and images, you aren't being selective enough!

Like any other function - call it if you need to. But it's not meant to
be called for everything you're displaying.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
Jerry Stuckle wrote:
> Paul Furman wrote:
>> Paul Furman wrote:
>>> Michael Fesser wrote:
>>>> When printing anything to an HTML page, use htmlspecialchars() to escape those characters that have a special meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See the manual for details.
>>>> http://www.php.net/htmlspecialchars
>>>
>>> Thanks again, it sounds like I should run that in my html_safe() function along with stripslashes().
>>
>> Just a followup on the htmlspecialchars idea, I tried it & had to disable it... if I used that, I'd need to be more selective than my html_safe function because it disabled my ability to add content from the admin interface with links & images. But thanks for mentioning it.
>
> If it's affecting links and images, you aren't being selective enough!
>
> Like any other function - call it if you need to. But it's not meant to
> be called for everything you're displaying.

Yes, agreed. My html_safe() function is being applied to anything that
leaves the MySQL database and anything entering gets the db_safe()
function applied. I don't really know why I'd need it except as a
catch-all at this point but good to know it exists if I encounter these
problems again and another handy way to display html code without being
interpreted by the browser.

--
Paul Furman Photography http://edgehill.net
Bay Natives Nursery http://www.baynatives.com
Paul Furman wrote:
> Jerry Stuckle wrote:
>> Paul Furman wrote:
>>> Paul Furman wrote:
>>>> Michael Fesser wrote:
>>>>> When printing anything to an HTML page, use htmlspecialchars() to escape those characters that have a special meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See the manual for details.
>>>>> http://www.php.net/htmlspecialchars
>>>>
>>>> Thanks again, it sounds like I should run that in my html_safe() function along with stripslashes().
>>>
>>> Just a followup on the htmlspecialchars idea, I tried it & had to disable it... if I used that, I'd need to be more selective than my html_safe function because it disabled my ability to add content from the admin interface with links & images. But thanks for mentioning it.
>>
>> If it's affecting links and images, you aren't being selective enough!
>>
>> Like any other function - call it if you need to. But it's not meant to be called for everything you're displaying.
>
> Yes, agreed. My html_safe() function is being applied to anything that
> leaves the MySQL database and anything entering gets the db_safe()
> function applied. I don't really know why I'd need it except as a
> catch-all at this point but good to know it exists if I encounter these
> problems again and another handy way to display html code without being
> interpreted by the browser.

Yep, but I just call mysql_real_escape_string() on the data as it is
being inserted into the database, i.e.

  // the escaped value still has to sit inside SQL string quotes
  $result = mysql_query("INSERT INTO mytable VALUES ('" .
                        mysql_real_escape_string($val) . "')");

Or if I'm going to display the data:

  echo htmlspecialchars($val);

I don't change the variable itself. I might need it in its "pure form"
again.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
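Jerry's "escape a copy at each boundary, never the variable itself" discipline, and the reason Paul's html_safe() needed stripslashes() in the first place, as an added example that is not code from either poster. No database is opened: db_escape() uses addslashes() as a stand-in for mysql_real_escape_string() (which needs a live connection; in current PHP the equivalent is mysqli_real_escape_string(), or better a prepared statement), and simulate_store() is a hypothetical model of what MySQL keeps after parsing the quoted literal. The function names and the sample value are assumptions for the example.

```php
<?php
// Added example, not Jerry's or Paul's code. It shows the SQL-in / HTML-out
// escaping of a *copy* of the value, with the variable left in its "pure
// form", and why escaping twice (magic_quotes_gpc plus addslashes(), or
// re-saving already escaped text) leaves stray backslashes in the database.

// SQL-layer escape. addslashes() stands in for mysql_real_escape_string()
// because the latter needs an open connection; the quoting behaviour for
// ' " and \ is the same for the purposes of this example.
function db_escape($str) {
    return addslashes($str);
}

// Output-layer escape, applied only where a value is written into HTML.
function html_escape($str) {
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// Jerry's pattern: the escaped copy is built into the query string, inside
// SQL quotes; $val itself is not modified.
function build_insert($table, $val) {
    return "INSERT INTO $table VALUES ('" . db_escape($val) . "')";
}

// Hypothetical model of one save. MySQL drops the escaping backslashes when
// it parses the string literal, so the row holds stripslashes() of what was
// sent. With magic_quotes_gpc on, the request data arrived already slashed
// and the script's own db_escape() slashes it a second time.
function simulate_store($submitted, $magic_quotes_on) {
    if ($magic_quotes_on) {
        $submitted = addslashes($submitted);    // what PHP did before the script ran
    }
    return stripslashes(db_escape($submitted)); // what ends up in the row
}

$val = "Farmer's Market Apple";   // constructed sample, pure form

echo build_insert('mytable', $val), "\n";
echo "variable after building the query: $val\n";
echo "copy written to HTML:              ", html_escape($val), "\n\n";

// One escaping layer: the row holds exactly the original text.
echo "stored (magic quotes off): ", simulate_store($val, false), "\n";

// Two layers: a backslash survives into the row, and if that stored text is
// resubmitted unchanged each save adds more (1, 3, 7, ...). This is the
// debris Paul's html_safe() was hiding with stripslashes() on the way out
// instead of being fixed at the single place the escaping should happen.
$stored = $val;
for ($round = 1; $round <= 3; $round++) {
    $stored = simulate_store($stored, true);
    echo "stored after save #$round (magic quotes on): $stored\n";
}
```

The point for review is that each escape belongs to exactly one boundary and is computed from the unescaped value: the SQL escape (or a prepared statement) when the query is built, the HTML escape when the page is rendered. Storing an escaped form, or escaping at both layers with a blanket db_safe()/html_safe() pair, is what produces the backslashes and the "chopped" field the thread started with.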