473,320 Members | 1,936 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,320 software developers and data experts.

escaping, stripslashes and magic quotes!

Hi All,
Can anybody point me to a FAQ or similar that describes what all this
stuff is about please?. I'm interfacing with a MySQL database if that's
relavent. I've read a couple of books which refer to stripslahes and
'escaping' but nothing really explains what these terms are and why these
are used. Why is 'escaping' (whatever that is) used?. What the hell is a
magic quote?. How is it different from a non-magic one?.

Regards,
Dave
Jul 17 '05 #1
4 4392
"Dave Moore" <da**********@post2me.freeserve.co.uk> kirjoitti
viestissä:d7**********@newsg1.svr.pol.co.uk...
Hi All,
Can anybody point me to a FAQ or similar that describes what all this
stuff is about please?. I'm interfacing with a MySQL database if that's
relavent. I've read a couple of books which refer to stripslahes and
'escaping' but nothing really explains what these terms are and why these
are used. Why is 'escaping' (whatever that is) used?. What the hell is a
magic quote?. How is it different from a non-magic one?.

Imagine you have a database where you insert names. You use a SQL query:
INSERT INTO names VALUES('John Doe')

Here the name John Doe is isolated with pair of '' quotes. That's how MySQL
knows where the name begins and where it ends.

Now an italian guy comes with a name like Giovanni D'Angelo. Look what
happens:
INSERT INTO names VALUES('Giovanni D'Angelo')

Here MySQL sees a string Giovanni D and some crap after that, since it
interprets the first occurance of ' as the end of the string. This is:
unless it is ESCAPED. Escaping means we tell MySQL that the particular ' is
in fact a part of the string and not the ending quote:

INSERT INTO names VALUES('Giovanni D\'Angelo')

the ' in D'Angelo is escaped with backslash: \' . Now MySQL bypasses it
thanks to the escaping and sees the string as "Giovanni D'Angelo" and works
correctly.

Magic Quotes is a mechanism of PHP that automatically escapes all user
inputs. So that when D'Angelo typed his name and submitted the form, it
comes to PHP already escaped, as "Giovanni D\'Angelo" and you don't have to
worry about it. If the magic qoutes are turned off, you need to do the
escaping by yourself for each input you want. And addslashes does just this.

--
"I am pro death penalty. That way people learn
their lesson for the next time." -- Britney Spears

et****************@5P4Mgmail.com
Jul 17 '05 #2
Dave Moore said the following on 28/05/2005 18:44:
Hi All,
Can anybody point me to a FAQ or similar that describes what all this
stuff is about please?. I'm interfacing with a MySQL database if that's
relavent. I've read a couple of books which refer to stripslahes and
'escaping' but nothing really explains what these terms are and why these
are used. Why is 'escaping' (whatever that is) used?. What the hell is a
magic quote?. How is it different from a non-magic one?.


Imagine you're putting some data into a MySQL database. You might do
something like:

mysql_query("INSERT INTO table (name) VALUES ('$name')");

where $name is a string.
If $name was "John", the query string would become:

INSERT INTO table (name) VALUES ('John')

No problem there. But if $name was "Hell's Bells", then the string becomes:

INSERT INTO table (name) VALUES ('Hell's Bells')

Now, there's a mismatch in the number of single quotes, and this will
cause a MySQL error.

To get around this, one indicates a single-quote *within* a value string
using \' i.e backslash, single-quote. This is called "escaping" (one
escapes from the syntax processing that would normally occur).

All strings must be "escaped" before being put into an SQL query using
mysql_real_escape_string(), which does the conversion above (as well as
a few others). So your command would be:

mysql_query("INSERT INTO table (name) VALUES ('"
. mysql_real_escape_string($name) . "')");
Magic Quotes is something that seemed like a good idea back in the
earlier days of PHP. Basically, when Magic Quotes is turned on, all GET,
POST and COOKIE variables are automatically escaped ready for use in a
database query. This is to save lazy people time, so that they don't
have to call mysql_real_escape_string() each time.

However, they *will* have to call stripslashes() (which removes the
escaping from the string) whenever they want to use the string in a
normal context. So it's actually just a pain. If you have control of
your PHP configuration, turn magic-quotes off.

If not, you'll have to do something like at the top of your scripts:

if (get_magic_quotes_gpc())
{
foreach ($_GET as $key=>$value)
{
$_GET["key"] = stripslashes($value);
}
}
P.S. The best place to start on reading about anything PHP-related is
the online manual: http://www.php.net/manual.

--
Oli
Jul 17 '05 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
by: lawrence | last post by:
Over on www.monkeyclaus.org I'm getting back slashes showing up on my web pages, where this function outputs. This despite the explicit use of stripslashes(). Does anyone know why this might be?
0
by: Reply Via Newsgroup Thanks | last post by:
Folks, This questions is directed towards PHP/MySQL folk and relates to escaping hooks, apostraphe's and other characters that can create a security hole when writing to databases/files. I've...
11
by: Dave Smithz | last post by:
Having adopted someone else's PHP cope and completing a crash course in the language I came across a (probably common) problem with the current code. On a registration form, whenever users names...
1
by: Ted Weatherly | last post by:
Hello, I want to dynamically create a table cell with a textfield in it. The value for the textfield can have quotes. e.g. I have this snippet of javascript code: var td =...
4
by: Stefan Richter | last post by:
How do I encode double quotes and quotes and in a string in VB.NET? It also has to be save for MS SQL Server... Stefan
5
by: Lucian Sandor | last post by:
Hello everyone, While I'm a newbie here, I a not new to google, so please don't send me back, it would be useless. First of all I have to specify I am working on a Blogger.com template, therefore...
7
by: duwayne | last post by:
I have a problem of escaping quotes in javascript. Ex: onclick='alert( "Mister O'Hara" )' onclick='alert( "Mister O\'Hara" )' both gives me an error. How would I escape this?
3
by: Taras_96 | last post by:
Hi everyone, I'm having a bit of trouble understanding the purpose of escaping nulls, and the use of addcslashes. Firstly, the manual states that: "Strictly speaking, MySQL requires only...
6
by: Sergei Riaguzov | last post by:
Hmm, I can apply stripslashes() to a string, causing it to remove slashes near quotes (\") but how can I change this quotes to appropriate HTML quotes like &quot;?
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.