mysql_real_escape_string() is apparently chopping off anything that
follows a quote when I grab the data & put it in a form for editing.
Sorry if I'm not explaining this properly, I'm pretty confused about
what's going on but I'm guessing someone recognizes this problem.
I have code like this:
function db_safe($str) {
$str = addslashes($str);
return $str;
}
function html_safe($str) {
$str = stripslashes($str);
return $str;
}
That's on my live server, I'm not sure if magic quotes is on there or I
forgot to update because my test server version looks like:
function db_safe($str) {
// $str = addslashes($str);
$str = mysql_real_escape_string($str);
return $str;
}
Anyways then there's code like this:
if (isset($_REQUEST["submit"])) {
$latin_name = html_safe($_REQUEST["latin_name"]);
if ((isset($_REQUEST["option"])) && ($_REQUEST["option"] == "update")) {
$id = $_REQUEST["id"];
$latin_name=db_safe($latin_name);
and this is where it's chopping off text after the quote:
<form action=.......
<input type='text' size='57' name='latin_name' value="<?=$latin_name?>">
Paul Furman wrote:
>mysql_real_escape_string() is apparently chopping off anything that
>follows a quote when I grab the data & put it in a form for editing.
>Sorry if I'm not explaining this properly, I'm pretty confused about
>what's going on but I'm guessing someone recognizes this problem.
It's only chopping off for one of the fields with a single quote. Double
quotes are OK. I don't see where I'm doing anything different with the
two fields.
>I have code like this:
>function db_safe($str) {
>$str = addslashes($str);
>return $str;
>}
>function html_safe($str) {
>$str = stripslashes($str);
>return $str;
>}
>That's on my live server, I'm not sure if magic quotes is on there or I
>forgot to update because my test server version looks like:
>function db_safe($str) {
>// $str = addslashes($str);
>$str = mysql_real_escape_string($str);
>Anyways then there's code like this:
>if (isset($_REQUEST["submit"])) {
>$latin_name = html_safe($_REQUEST["latin_name"]);
>if ((isset($_REQUEST["option"])) && ($_REQUEST["option"] == "update")) {
>$id = $_REQUEST["id"];
>$latin_name=db_safe($latin_name);
>and this is where it's chopping off text after the quote:
><form action=.......
><input type='text' size='57' name='latin_name' value="<?=$latin_name?>">
--
Paul Furman Photography http://edgehill.net
Bay Natives Nursery http://www.baynatives.com
.oO(Paul Furman)
>mysql_real_escape_string() is apparently chopping off anything that follows a quote when I grab the data & put it in a form for editing.
It doesn't chop off anything, it's a bug in your output code.
>and this is where it's chopping off text after the quote:
><form action=....... <input type='text' size='57' name='latin_name' value="<?=$latin_name?>">
Two things:
* Don't rely on short open tags, use <?php echo ... ?> instead.
* Have a look at the generated HTML source code - it's all there, just
improperly escaped. When printing anything to an HTML page, use
htmlspecialchars() to escape those characters that have a special
meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See
the manual for details. http://www.php.net/htmlspecialchars
Micha
Michael Fesser wrote:
>.oO(Paul Furman)
>>mysql_real_escape_string() is apparently chopping off anything that follows a quote when I grab the data & put it in a form for editing.
>It doesn't chop off anything, it's a bug in your output code.
>>and this is where it's chopping off text after the quote:
>><form action=....... <input type='text' size='57' name='latin_name' value="<?=$latin_name?>">
Ah, thank you!!
The bad field was using single quotes:
value='<?=$common_name?>'>
The good field had double quotes:
value="<?=$common_name?>">
>Two things:
>* Don't rely on short open tags, use <?php echo ... ?> instead.
Yes, thanks, my code is quite a mess, partly due to collaboration. I
wondered why some were done in that fashion, now I know it's not good
practice.
>* Have a look at the generated HTML source code - it's all there, just
>improperly escaped. When printing anything to an HTML page, use
>htmlspecialchars() to escape those characters that have a special
>meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See
>the manual for details.
>http://www.php.net/htmlspecialchars
Thanks again, it sounds like I should run that in my html_safe()
function along with stripslashes().
--
Paul Furman Photography http://edgehill.net
Bay Natives Nursery http://www.baynatives.com
Paul Furman wrote:
>Michael Fesser wrote:
>>When printing anything to an HTML page, use htmlspecialchars() to escape those characters that have a special meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See the manual for details.
>>http://www.php.net/htmlspecialchars
>Thanks again, it sounds like I should run that in my html_safe()
>function along with stripslashes().
Just a followup on the htmlspecialchars idea, I tried it & had to
disable it... if I used that, I'd need to be more selective than my
html_safe function because it disabled my ability to add content from
the admin interface with links & images. But thanks for mentioning it.
--
Paul Furman Photography http://edgehill.net
Bay Natives Nursery http://www.baynatives.com
Paul Furman wrote:
>Paul Furman wrote:
>>Michael Fesser wrote:
>>>When printing anything to an HTML page, use htmlspecialchars() to escape those characters that have a special meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See the manual for details.
>>>http://www.php.net/htmlspecialchars
>>Thanks again, it sounds like I should run that in my html_safe() function along with stripslashes().
>Just a followup on the htmlspecialchars idea, I tried it & had to
>disable it... if I used that, I'd need to be more selective than my
>html_safe function because it disabled my ability to add content from
>the admin interface with links & images. But thanks for mentioning it.
If it's affecting links and images, you aren't being selective enough!
Like any other function - call it if you need to. But it's not meant to
be called for everything you're displaying.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
Jerry Stuckle wrote:
>Paul Furman wrote:
>>Paul Furman wrote:
>>>Michael Fesser wrote:
>>>>When printing anything to an HTML page, use htmlspecialchars() to escape those characters that have a special meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See the manual for details.
>>>>http://www.php.net/htmlspecialchars
>>>Thanks again, it sounds like I should run that in my html_safe() function along with stripslashes().
>>Just a followup on the htmlspecialchars idea, I tried it & had to disable it... if I used that, I'd need to be more selective than my html_safe function because it disabled my ability to add content from the admin interface with links & images. But thanks for mentioning it.
>If it's affecting links and images, you aren't being selective enough!
>Like any other function - call it if you need to. But it's not meant to
>be called for everything you're displaying.
Yes, agreed. My html_safe() function is being applied to anything that
leaves the mySQL database and anything entering gets the db_safe()
function applied. I don't really know why I'd need it except as a
catch-all at this point but good to know it exists if I encounter these
problems again and another handy way to display html code without being
interpreted by the browser.
--
Paul Furman Photography http://edgehill.net
Bay Natives Nursery http://www.baynatives.com
Paul Furman wrote:
>Jerry Stuckle wrote:
>>Paul Furman wrote:
>>>Paul Furman wrote:
>>>>Michael Fesser wrote:
>>>>>When printing anything to an HTML page, use htmlspecialchars() to escape those characters that have a special meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See the manual for details.
>>>>>http://www.php.net/htmlspecialchars
>>>>Thanks again, it sounds like I should run that in my html_safe() function along with stripslashes().
>>>Just a followup on the htmlspecialchars idea, I tried it & had to disable it... if I used that, I'd need to be more selective than my html_safe function because it disabled my ability to add content from the admin interface with links & images. But thanks for mentioning it.
>>If it's affecting links and images, you aren't being selective enough!
>>Like any other function - call it if you need to. But it's not meant to be called for everything you're displaying.
>Yes, agreed. My html_safe() function is being applied to anything that
>leaves the mySQL database and anything entering gets the db_safe()
>function applied. I don't really know why I'd need it except as a
>catch-all at this point but good to know it exists if I encounter these
>problems again and another handy way to display html code without being
>interpreted by the browser.
Yep, but I just call mysql_real_escape_string() on the data as it is
being inserted into the database, i.e.
// the escaped value must sit inside SQL quotes, otherwise escaping does nothing
$result = mysql_query("INSERT INTO mytable VALUES ('" .
mysql_real_escape_string($val) . "')");
Or if I'm going to display the data:
echo htmlspecialchars($val);
I don't change the variable itself. I might need it in its "pure form"
again.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
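An added example, not code from anyone in this thread, showing the two points Michael and Jerry make: escape with htmlspecialchars() and ENT_QUOTES at the moment the value is printed, so both the value="..." and the value='...' fields from Paul's form survive an apostrophe, and leave the variable itself untouched. The attr() and render_inputs() helpers and the sample value are assumptions of this example.

```php
<?php
// Added example, not code from the thread. attr(), render_inputs() and
// the sample value below are assumptions of this example.
declare(strict_types=1);

// Escape a value for an HTML attribute or text node at output time.
// ENT_QUOTES makes htmlspecialchars() convert ' as well as ", so the
// result is safe inside value="..." and value='...' alike. Without it a
// value like Farmer's ends a single-quoted attribute at the apostrophe,
// which is the "chopped off" text seen in the thread.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the same field with both quoting styles used in the thread.
function render_inputs(string $common_name): string
{
    $escaped = attr($common_name);
    return "<input type='text' name='common_name' value=\"$escaped\">\n"
         . "<input type='text' name='common_name' value='$escaped'>\n";
}

// Constructed sample: an apostrophe (the failing case in the thread), plus
// characters that would otherwise close the attribute or inject markup.
$common_name = "Farmer's Market Tomato \"Cherry\" <b>";

echo "Unescaped, as the bad field was written:\n";
echo "<input type='text' name='common_name' value='$common_name'>\n\n";

echo "Escaped at the output boundary:\n";
echo render_inputs($common_name);

// $common_name was never modified, so the raw value is still available
// for any other use, such as a database insert or a log line.
```

The mysql_* functions used in the thread were removed in PHP 7; the same boundary rule applies with mysqli or PDO, where a prepared statement takes the place of mysql_real_escape_string() on the database side.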