Editing a string to add a \ before a '

Is there a function that allows you to add a \ before a ' in a string?
This is needed to store text in a MySQL db, and I was wondering if there
is a function which can do this to any ' which DOES NOT already have one
before it, so I can keep editing my text without all these \
building up.

Kind regards

Marc

Feb 4 '06 #1
monomaniac21 wrote:
Is there a function that allows you to add a \ before a ' in a string?
This is needed to store text in a MySQL db, and I was wondering if there
is a function which can do this to any ' which DOES NOT already have one
before it, so I can keep editing my text without all these \
building up.

Kind regards

Marc

see addslashes()

-david-

Feb 4 '06 #2
you also might want to try str_replace("'", "\\'", $string);

Feb 4 '06 #3
monomaniac21 wrote:
Is there a function that allows you to add a \ before a ' in a string.
This is needed to store text in a mysql db


Use mysql_escape_string().

- --
- ----------------------------------
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

A computer is not a television or a microwave; it is a complex tool.
Feb 4 '06 #4
monomaniac21 wrote:
Is there a function that allows you to add a \ before a ' in a string?
This is needed to store text in a MySQL db, and I was wondering if there
is a function which can do this to any ' which DOES NOT already have one
before it, so I can keep editing my text without all these \
building up.

Kind regards

Marc


I just include it in the insert statement since you must know the
datatype at insert time

$sqli = "insert into tableA values ";
$sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";

Michael Austin
DBA.
Feb 4 '06 #5
noone wrote:
$sqli = "insert into tableA values ";
$sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";


PHP security 101: never ever put values posted by a user directly into a DB
query, without checking them, escaping them, and treating them as nuclear
waste.

The above is a very clear example of a SQL injection vulnerability.

- --
- ----------------------------------
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

http://acm.asoc.fi.upm.es/~mr/
Proudly running Debian Linux with 2.6.12-1-686 kernel, KDE3.5.0, and PHP
5.1.2-1 generating this signature.
Uptime: 20:16:47 up 23:45, 2 users, load average: 0.21, 0.37, 0.26

Feb 4 '06 #6
Iván Sánchez Ortega wrote:
noone wrote:

$sqli = "insert into tableA values ";
$sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";

PHP security 101: never ever put values posted by a user directly into a DB
query, without checking them, escaping them, and treating them as nuclear
waste.

The above is a very clear example of a SQL injection vulnerability.

- --


goes without saying... merely a test example of how to enclose the
varchar data with single-quote "'".

You also want to use a platform that is nearly impossible to crack. My
choice is OpenVMS from HP - formerly Compaq - formerly Digital Equipment
Corp (aka DEC).

more scalable and has REAL clusters - not these pretend clusters like
Veritas and Microsoft (bbbbarrfff).

I also prefer Apache/Oracle Rdb - formerly DEC/Rdb and not to be
confused with Oracle RDBMS (8/9/10g) and PHP.

M.

Feb 4 '06 #7
noone wrote:
$sqli = "insert into tableA values ";
$sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";

goes without saying... merely a test example of how to enclose the
varchar data with single-quote "'".


That's an example of a SQL injection, you should know that, and you should
teach newbies to use RDBMS-specific techniques of escaping alphanumeric
data prior to its usage in any SQL statement instead of posting such an
example.

This is how it should be done:

<?php
$varchar = mysql_real_escape_string($_POST['varchar']);
$integer = (int) $_POST['integer'];
$sqli = "insert into tableA values ('$varchar',$integer)";
?>

I will reiterate myself. Never ever trust *any* data entered by *any* user.
You also want to use a platform that is nearly impossible to crack.


Why should I care about the platform, if anybody can inject SQL??

- --
- ----------------------------------
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

Reality-meter: [\.......] Hmmm! It must not be working.
Feb 5 '06 #8
On 2006-02-04, mjs7231 <mj*****@gmail.com> wrote:
you also might want to try str_replace("'", "\\'", $string);

$string="don\\'t do that.";

Bye.
Jasen
Feb 6 '06 #9
On 2006-02-04, David Haynes <da***********@sympatico.ca> wrote:
monomaniac21 wrote:
Is there a function that allows you to add a \ before a ' in a string.
This is needed to store text in a mysql db and i was wondering if there
is function which can do this to any ' which DO NOT already have one
before them, this is so i can keep editing my text without all these \
building up.

Kind regards

Marc

see addslashes()

and stripslashes()

Bye.
Jasen
Feb 6 '06 #10

"Iván Sánchez Ortega" <i.***************@rroba--mirame.punto.net> wrote in
message news:hn************@blackspark.escomposlinux.org...
noone wrote:
$sqli = "insert into tableA values ";
$sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";
goes without saying... merely a test example of how to enclose the
varchar data with single-quote "'".


That's an example of a SQL injection, you should know that, and you should
teach newbies to use RDBMS-specific techniques of escaping alphanumeric
data prior to its usage in any SQL statement instead of posting such an
example.

This is how it should be done:


how about one line with a little more security:

<?php
$sqli = "INSERT INTO tableA VALUES ('" .
str_replace(";","",mysql_real_escape_string($_POST['varchar'])) . "'," .
intval($_POST['integer']) . ")";
?>


I will reiterate myself. Never ever trust *any* data entered by *any*
user.
You also want to use a platform that is nearly impossible to crack.


Why should I care about the platform, if anybody can inject SQL??


Feb 8 '06 #11

"Jim Michaels" <jm******@nospam.yahoo.com> wrote in message
news:I6******************************@comcast.com...

"Iván Sánchez Ortega" <i.***************@rroba--mirame.punto.net> wrote in
message news:hn************@blackspark.escomposlinux.org...
noone wrote:
>$sqli = "insert into tableA values ";
>$sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";

goes without saying... merely a test example of how to enclose the
varchar data with single-quote "'".
That's an example of a SQL injection, you should know that, and you
should
teach newbies to use RDBMS-specific techniques of escaping alphanumeric
data prior to its usage in any SQL statement instead of posting such an
example.

This is how it should be done:


how about one line with a little more security:

<?php
$sqli = "INSERT INTO tableA VALUES ('" .
str_replace(";","",mysql_real_escape_string($_POST['varchar'])) . "'," .
intval($_POST['integer']) . ")";
?>

OOPS! got the functions order-swapped. should strip semicolons out first.
otherwise, generated html named entities will be all messed up.
it would be even better to do a preg_match("/;/",$_POST['varchar']) to search
for injection attempts and lockout the user.
<?php
$sqli = "INSERT INTO tableA VALUES ('" .
mysql_real_escape_string(str_replace(";","",$_POST['varchar'])) . "'," .
intval($_POST['integer']) . ")";
?>



I will reiterate myself. Never ever trust *any* data entered by *any*
user.
You also want to use a platform that is nearly impossible to crack.


Why should I care about the platform, if anybody can inject SQL??



Feb 23 '06 #12
On Tue, 7 Feb 2006 23:46:17 -0800, "Jim Michaels" <jm******@nospam.yahoo.com>
wrote:
how about one line with a little more security:

<?php
$sqli = "INSERT INTO tableA VALUES ('" .
str_replace(";","",mysql_real_escape_string($_POS T['varchar'])) . "'," .
intval($_POST['integer']) . ")";
?>


If you're escaping the value correctly with mysql_real_escape_string and have
enclosed that in single quotes, there's no need to remove semicolons. All
you're doing is corrupting data; you're not adding any more security.

--
Andy Hassall :: an**@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
Feb 26 '06 #13
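Putting the thread's advice together as an added example (not code from any of the posts): escaping exactly once at the query boundary, as Iván's #8 and Andy's #13 describe, next to the "only add a \ where there isn't one already" idea from the question and the double escaping Jasen shows in #9. It assumes PHP 7 or later with PDO's SQLite driver standing in for MySQL; the table, column and function names are made up for the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with the PDO
// SQLite driver (an in-memory database stands in for MySQL).

// The OP's idea: put a \ before every ' that does not already have one.
// This cannot tell an escaped quote  \'  from an escaped backslash
// followed by a quote  \\'  so the second case is left alone and the
// resulting SQL literal is broken. Escaping is not safely repeatable.
function escapeUnescapedQuotes(string $s): string
{
    return preg_replace("/(?<!\\\\)'/", "\\\\'", $s);
}

// Escape exactly once, at the query boundary, with a bound parameter.
// The database stores the raw text, so saving the same row again and
// again never adds slashes, and a ; or ' inside the value is just data.
function saveAndReload(PDO $db, string $text, int $rounds): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS tableA (id INTEGER PRIMARY KEY, body TEXT)');
    $insert = $db->prepare('INSERT INTO tableA (body) VALUES (:body)');
    $update = $db->prepare('UPDATE tableA SET body = :body WHERE id = :id');
    $select = $db->prepare('SELECT body FROM tableA WHERE id = :id');

    $insert->execute([':body' => $text]);
    $id = (int) $db->lastInsertId();
    for ($i = 0; $i < $rounds; $i++) {
        $select->execute([':id' => $id]);
        $current = $select->fetchColumn();                      // read back, unescaped
        $update->execute([':body' => $current, ':id' => $id]); // "edit" and re-save
    }
    $select->execute([':id' => $id]);
    return (string) $select->fetchColumn();
}

$sample = "it's 5 o'clock; path C:\\temp";   // constructed input with ' ; and \

// What the OP saw: addslashes() applied on every edit piles up slashes.
$once  = addslashes($sample);   // it\'s 5 o\'clock; path C:\\temp
$twice = addslashes($once);     // it\\\'s 5 o\\\'clock; path C:\\\\temp

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stored = saveAndReload($db, $sample, 5);

var_dump($stored === $sample);                 // bool(true): nothing accumulated
var_dump($twice !== $once);                    // bool(true): slashes built up
var_dump(escapeUnescapedQuotes("a\\\\'b"));    // string(5) "a\\'b": quote left bare
```

The same bound-parameter approach works unchanged against MySQL through PDO's mysql driver, which is what replaces the mysql_real_escape_string() calls in the thread on current PHP releases.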
> Jim Michaels wrote:
"Jim Michaels" <jm******@nospam.yahoo.com> wrote in message
news:I6******************************@comcast.com. ..

OOPS! got the functions order-swapped. should strip semicolons out first.
otherwise, generated html named entities will be all messed up.
it would be even better to do a preg_match("/;/",$_POST['varchar']) to search
for injection attempts and lockout the user.
<?php
$sqli = "INSERT INTO tableA VALUES ('" .
mysql_real_escape_string(str_replace(";","",$_POST['varchar'])) . "'," .
intval($_POST['integer']) . ")";
?>


Wow, as a PostgreSQL/PHP programmer I can honestly say that I am
shocked at some of the responses on this thread. Especially from
'noone'. But honestly, some of you guys know just enough to be
dangerous and not much else. Be careful around big red buttons ok?

-Robert

Feb 26 '06 #14