problem passing quote and double quote in IE7 pages

I just started calling a PHP module from HTML. I added "php rocket" from
Microsoft to FP2003 but don't think that is the cause.

The problem is that I am getting a backslash before a double or single quote
and I cannot figure out how to get rid of it.

$query = 'SELECT * FROM cpuinfo where Description like "%xcell%" or Description like "%q6600%" ';

The above works perfectly but if I attempt to pass the sql string into the
page as follows:

sqlCMD = 'SELECT * FROM cpuinfo where Description like "%xcell%" or Description like "%q6600%" ';
window.open("cpustats.php?sqlCMD=" + sqlCMD, "_blank");

I see the following on the IE7 explorer address bar:

myserver/mysite/cpustats.php?sqlCMD=SELECT * FROM cpuinfo where Description like "%xcell%" or Description like "%q6600%"

AGAIN, ONE WOULD THINK THERE IS NOTHING WRONG WITH THE ABOVE.

Lo and behold, the following code

$query = $_REQUEST['sqlCMD'];
print($query);

gets expanded to:

SELECT * FROM cpuinfo where Description like \"%xcell%\" or Description like \"%q6600%\"

I do not know why I see the backslash before the quote. Swapping single and
double quotes has no effect. $_REQUEST seems to substitute a backslash before
any quote in a string. My guess is that IE7 (also FF) put it in. The MySql
query fails as it does not handle the backslash before the double (or
single) quote. I would hate to have to parse through the string and remove the
backslash character when it is before a quote.

Anyway, I am open to any suggestions. I am tired of googling this. All I
found on Google were attempts to add backslashes, not get rid of them.
...tia..

ps - if I actually add a \" then I get three backslashes.
Nov 12 '08 #1
Joseph Stateson wrote:
> I just started calling a PHP module from HTML. I added "php rocket" from
> Microsoft to FP2003 but don't think that is the cause.
>
> The problem is that I am getting a backslash before a double or single quote
> and I cannot figure out how to get rid of it.
These are the infamous "magic quotes":

http://es2.php.net/magic_quotes

To sum up: disable them. Set magic_quotes_gpc to off in your php.ini file.

By the way... They've been disabled by default for several years now so
it's likely that you have some other discouraged settings in your PHP
config. Check, for instance, register_globals:

http://es2.php.net/register_globals
> sqlCMD = 'SELECT * FROM cpuinfo where Description like "%xcell%" or Description like "%q6600%" ';
> window.open("cpustats.php?sqlCMD=" + sqlCMD, "_blank");
This is an interesting architecture. So users can remotely query any
random data they want? Can they also run inserts and deletes?

--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://bits.demogracia.com
-- My bain-marie humor site: http://www.demogracia.com
--
Nov 12 '08 #2
> myserver/mysite/cpustats.php?sqlCMD=SELECT * FROM cpuinfo where Description like "%xcell%" or Description like "%q6600%"

There's a lot wrong with that. Before adding the querystring to the URL
it will have to be encoded.

It should be something like:
myserver/mysite/cpustats.php?sqlCMD=SELECT%20*%20FROM%20cpuinfo%20where%20Description%20like%20%22%25xcell%25%22%20or%20Description%20like%20%22%25q6600%25%22

Notice that all spaces have been changed to %20, all quotes to %22, and
all % to %25. As an alternative, the spaces could be changed to +
instead of %20.

The page cpustats.php will have to change these entities back before
processing the SQL.

In ASP the encoding is done using Server.URLEncode(stringToEncode). I
don't know the method for PHP.

Note that % is a reserved character in a URL, which is why it has to be
changed, and some browsers stop reading querystrings at the first space.

--
Ron Symonds - Microsoft MVP (Expression)
Reply only to group - emails will be deleted unread.

http://www.rxs-enterprises.org/fp


Nov 12 '08 #3
giving up the right to remain silent
"Álvaro G. Vicario" <al****************@demogracia.com> wrote in message
news:gf**********@huron.algomas.org...
> Joseph Stateson wrote:
>> I just started calling a PHP module from HTML. I added "php rocket" from
>> Microsoft to FP2003 but don't think that is the cause.
>>
>> The problem is that I am getting a backslash before a double or single
>> quote and I cannot figure out how to get rid of it.
>
> These are the infamous "magic quotes":
>
> http://es2.php.net/magic_quotes

Thanks Álvaro, I would not have known to google magic quotes. I did get as
far as "extra quote php" before giving up.

> To sum up: disable them. Set magic_quotes_gpc to off in your php.ini file.
>
> By the way... They've been disabled by default for several years now so
> it's likely that you have some other discouraged settings in your PHP
> config. Check, for instance, register_globals:
>
> http://es2.php.net/register_globals

I hunted, but never found that php.ini file. I am a home yahoo'er and have
Yahoo web space, and yahoo.com provides MySql and shows database examples
only in Perl and PHP. They do not do aspx or I would be using that. If I
have a php.ini file somewhere, I cannot find it in my home pages, but I
might have missed it as I was using FTP to browse the directories. I
downloaded ODBC drivers for FP2003 but they will not connect to Yahoo's
server, so that is how I got into PHP. I suspect their server has the
php.ini file and I do not have access to it.

I followed Yahoo's instructions and created their MySql database at
http://swri.info/gpustats. I had been hoping that Microsoft would buy Yahoo
and fix some other problems, and magic_quotes is one more they could fix. I
had a hunch something was wrong when a newbie like me found an error in
Yahoo's one and only sample Perl script at
http://help.yahoo.com/l/us/att/small.../mysql-12.html
e.g., the: $row[0\
I got a thank-you this morning for notifying them, but am not holding my
breath. I will now complain about the magic quotes but I don't think they
will do anything.

>> sqlCMD = 'SELECT * FROM cpuinfo where Description like "%xcell%" or Description like "%q6600%" ';
>> window.open("cpustats.php?sqlCMD=" + sqlCMD, "_blank");
>
> This is an interesting architecture. So users can remotely query any
> random data they want? Can they also run inserts and deletes?

Yeah, I am not checking for malicious code yet. I was lucky to get my
first ever PHP page working and it was nice to be able to change the query
from Explorer or FF while debugging. I will probably pass the SQL command
in a pseudo-session variable. That too is subject to getting hacked but is
not as obvious as providing the SQL command in the URL.

...thanks..

Joseph "Beemer Biker" Stateson
http://ResearchRiders.org
ask about my 1999 R1100RT
Nov 12 '08 #4

Thanks Ron, I will come up with another way to pass the query from my FP2003
project to the PHP code. The PHP code was written to allow FP2003 to access
the Yahoo MySql server that is "free" on my home web page. It would be nice
if Microsoft would buy Yahoo and start supporting aspx, SQL Server and still
keep it "free".

Anyway, I found a pseudo-session variable tool
- sessvars ver 1.01
- JavaScript based session object
- copyright 2008 Thomas Frank

and will be using that to pass the SQL string to my PHP page when it loads.
Joseph "Beemer Biker" Stateson
http://ResearchRiders.org
ask about my 1999 R1100RT

Nov 12 '08 #5
Joseph Stateson wrote:
> Thanks Álvaro, I would not have known to google magic quotes. I did get as
> far as "extra quote php" before giving up.
First of all, make sure your problem is related to PHP settings. You can
read your current config with phpinfo(), which prints an HTML table with
all the configuration values.

> I hunted, but never found that php.ini file. I am a home yahoo'er and have
> Yahoo web space, and yahoo.com provides MySql and shows database examples
> only in Perl and PHP.
The previous script will tell you the path of the php.ini file in use.
In shared hosting, you might have a custom php.ini file for yourself
(somewhere in your FTP space) or you might not. If you don't, you can
provide PHP settings in some other ways, but it depends on many
factors... However, a quick look at the Yahoo help suggests that you
can't really change anything:

http://help.yahoo.com/l/us/att/small...hp/php-36.html

As a last resort, you can always remove these extra backslashes with
stripslashes(). See example #2 at:

http://us2.php.net/manual/en/securit....disabling.php

--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://bits.demogracia.com
-- My bain-marie humor site: http://www.demogracia.com
--
Nov 12 '08 #6
I tried putting php.ini in the directory with the scripts but it had no
effect. The #2 did work (deep backslash).

It was not possible to use that pseudo-session variable because PHP runs at
the server and JScript at the browser. I am allowing only the "where" part
of the SQL command to be utilized so I should be OK, and I am also using an
encode as suggested by Ronx. I also figured out what I was doing wrong
and no longer need to use that pseudo-session variable to retain info in the
HTML page. If I knew more about PHP *AND* it had a drag-and-drop
toolkit like FrontPage or Visual Studio, I would do all the coding in PHP.

http://swri.info/cpustats
Nov 13 '08 #7
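A hardened version of the cpustats.php endpoint discussed throughout this thread, added here as an example rather than anything the posters wrote: it keeps the stripslashes() fallback Álvaro mentions for hosts that still have magic quotes on, percent-encodes the link as Ron describes, and takes only a search term (not SQL, not even a WHERE clause) which it binds into a prepared LIKE query. The database DSN, the credentials and the `q` parameter name are assumptions.

```php
<?php
// Added example, not code from the thread: a hardened cpustats.php that takes
// a search term (?q=...) instead of a SQL statement, so a visitor can read
// matching rows but cannot choose the query, let alone run DELETE or INSERT.
// Assumes PDO with a MySQL `cpuinfo` table that has a `Description` column;
// the DSN and credentials below are placeholders.

// Undo magic quotes if the host still has them on (the stripslashes()
// approach from the thread), so the code below sees exactly what was sent.
// get_magic_quotes_gpc() is gone in PHP 8, hence the function_exists() guard.
function rawRequestValue($name) {
    if (!isset($_REQUEST[$name])) {
        return null;
    }
    $value = (string) $_REQUEST[$name];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Escape LIKE metacharacters in the term. Backslash goes first so the
// escapes added for % and _ are not themselves doubled. MySQL's default
// LIKE escape character is the backslash.
function escapeLike($term) {
    return str_replace(array('\\', '%', '_'), array('\\\\', '\\%', '\\_'), $term);
}

// Fixed SQL text, user data bound as a parameter: the term can contain quotes,
// backslashes or SQL keywords and is still just text to compare against.
function findCpus(PDO $db, $term) {
    $stmt = $db->prepare('SELECT * FROM cpuinfo WHERE Description LIKE ?');
    $stmt->execute(array('%' . escapeLike($term) . '%'));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Build links to this page with the term percent-encoded, as Ron describes:
// spaces become %20, quotes %22 and a literal % becomes %25. PHP decodes
// them into $_REQUEST before the script sees them.
function searchLink($term) {
    return 'cpustats.php?q=' . rawurlencode($term);
}

$db = new PDO(
    'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false)
);

$term = rawRequestValue('q');
if ($term === null || $term === '' || strlen($term) > 64) {
    header('HTTP/1.1 400 Bad Request');
    exit('Expected a search term of 1 to 64 characters in ?q=');
}
foreach (findCpus($db, $term) as $row) {
    echo htmlspecialchars($row['Description'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The two searches from the thread become two links, searchLink('xcell') and searchLink('q6600'), and a term such as "%q6600%" typed by a user matches that literal text rather than every row.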
