[SOLVED] Magic quotes disabled - now problems :(


Yesideez


I've turned off magic quotes using my .htaccess file now whenever I add anything to the database nothing is quoted.

 

I've tried...

if (mysql_query("INSERT INTO `guestbook` (`name`,`from`,`email`,`message`,`website`,`ip`,`added`) VALUES ('".ncode($strName)."','".ncode($strFrom)."','".ncode($strEmail)."','".ncode($txtMessage)."','".ncode($txtWebMessage)."','".getIP()."','".time()."')")) {

and this...

if (mysql_query(sprintf("INSERT INTO `guestbook` (`name`,`from`,`email`,`message`,`website`,`ip`,`added`) VALUES ('%s','%s','%s','%s','%s','%s','%d')",ncode($strName),ncode($strFrom),ncode($strEmail),ncode($txtMessage),ncode($txtWebMessage),getIP(),time()))) {

 

My "ncode()" function is this:

  function ncode($str) {
    return mysql_real_escape_string($str);
  }

 

I've tested with "it's" and no matter what I do I can't get "it\s" added into the database.

 

Even before I switched them off in the .htaccess file it was doing this.

 

Any suggestions?


I think you're missing my point - I *want* everything escaped properly which is why I've turned off the blasted magic quotes evilness and trying to use the proper function to do it - problem is - it doesn't seem to be working.

 

The only time it gets escaped is when I echo stuff straight to the browser. Use it anywhere else it doesn't work.

 

...and I can't figure out why not!


Maybe this function will help you

 

  function quote_smart($value) {
    // Stripslashes
    if (get_magic_quotes_gpc()) {
      $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    if (!is_numeric($value)) {
      $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
  }


When you turned off magic_quotes_gpc, it became necessary for your code to take over the responsibility of escaping the data, i.e. using the mysql_real_escape_string() function on string data.

 

The function that pbs posted will work no matter what your magic_quotes_gpc setting is and you should use something like his function because you won't always be on a server where you will have the ability to change the magic_quotes_gpc setting.

 

I tried it with it turned on - does exactly the same - no slashes added when I add it to the database.

The escape characters \ are not inserted into the database. When the query is executed, escaped characters are parsed and are converted to their literal un-escaped character. \' becomes ' in the database.


Just had a thought...

 

Could this be working properly then - still protecting against MySQL injection even though the database is removing the slashes?

 

magic_quotes_gpc is definitely off and I've done this in my .htaccess file with:

php_flag register_globals off
php_flag magic_quotes_gpc off

 

Read the $_POST value:

$strName=$_POST['name'];

Save in the database:

if (mysql_query(sprintf("INSERT INTO `guestbook` (`name`,`from`,`email`,`message`,`website`,`ip`,`added`) VALUES ('%s','%s','%s','%s','%s','%s','%d')",ncode($strName),ncode($strFrom),ncode($strEmail),ncode($txtMessage),ncode($txtWebMessage),getIP(),time()))) {

Contents of ncode():

  function ncode($str) {
    return mysql_real_escape_string($str);
  }


Yep that should protect you. You are escaping the strings, I see no reason why that would not work.

 

The database removes the slashes because they only "escape" the characters. This is nice because when you pull the data out of the database to display it, you do not have to stripslashes on that data. It is sort of like when you echo something onto the screen like this:

 

echo "Hello world \"quote\"";

 

That will display Hello World "quote" because the slashes are just escaping the character to prevent an error.


Thanks!

 

It was causing me a massive headache.

 

I remember reading that PHP 6 has removed the magic quotes thing because of the amount of problems it caused.

 

The issues it caused could have been easily avoided by using stripslashes then the mysql_real_escape function if magic quotes were on. But yes, it promoted bad coding and a lot of people found it hard to understand exactly what was happening. And most people thought, like you, that slashes should be in the database escaping the data, when in actuality they shouldn't.

 

But it is good to start coding for the future =) If, however, you are making a distribution script, I would make your function like this:

 

<?php
function myEscape($string) {
     return (get_magic_quotes_gpc())?mysql_real_escape_string(stripslashes($string)):mysql_real_escape_string($string);
}

 

That way it will not matter if it is on or not on their server, everything gets escaped properly.
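A Python port of the pieces discussed in this thread, added here as an example (it is not code from any of the posts above): mysql_real_escape_string(), addslashes() (what magic_quotes_gpc=On does to every request value), stripslashes(), the quote_smart()/myEscape() pattern, and a small decoder for a single-quoted MySQL string literal. Together they show, without a server, why the backslash never reaches the table, what goes wrong when a magic-quoted value is escaped a second time, and why an unescaped quote is the injection point. The escape tables assume an ASCII/UTF-8 connection without NO_BACKSLASH_ESCAPES; the sample inputs are constructed.

```python
# Escapes applied by mysql_real_escape_string() (connection without NO_BACKSLASH_ESCAPES).
_MYSQL_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                  "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
# addslashes(), i.e. what magic_quotes_gpc=On does to every request value.
_ADDSLASHES = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}
# How the MySQL parser decodes escape sequences inside a string literal.
_MYSQL_UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "\\": "\\", "'": "'",
                    '"': '"', "Z": "\x1a", "b": "\b", "t": "\t"}


def mysql_real_escape_string(value: str) -> str:
    """Port of PHP's mysql_real_escape_string() for an ASCII/UTF-8 connection."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def addslashes(value: str) -> str:
    """Port of PHP's addslashes()."""
    return "".join(_ADDSLASHES.get(ch, ch) for ch in value)


def stripslashes(value: str) -> str:
    """Port of PHP's stripslashes(): remove one level of backslash escaping."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            if i + 1 < len(value):          # \x -> x, \0 -> NUL
                out.append("\0" if value[i + 1] == "0" else value[i + 1])
            i += 2                          # a trailing lone backslash is dropped
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def quote_smart(value: str, magic_quotes_gpc: bool) -> str:
    """The quote_smart()/myEscape() pattern: undo magic quotes, then escape once.
    The is_numeric() shortcut of the posted version is left out; always quoting
    is never wrong for a string column."""
    if magic_quotes_gpc:
        value = stripslashes(value)
    return "'" + mysql_real_escape_string(value) + "'"


def mysql_literal_value(literal: str) -> str:
    """Decode a single-quoted MySQL literal the way the server does.
    The backslash is consumed during parsing, so it never reaches the table.
    An unescaped quote ends the literal early and the remainder is parsed as
    SQL: that is the injection point, raised here as ValueError.
    (\\% and \\_ are decoded as % and _, unlike MySQL; nothing else differs.)"""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a single-quoted literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            out.append(_MYSQL_UNESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
        elif ch == "'":
            if body[i + 1:i + 2] != "'":
                raise ValueError("literal ends early; the rest would run as SQL")
            out.append("'")                 # '' is the other spelling of a quote
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def stored_value(request_value: str, magic_quotes_gpc: bool) -> str:
    """What the column holds after INSERT ... VALUES (quote_smart(request_value))."""
    return mysql_literal_value(quote_smart(request_value, magic_quotes_gpc))


def breaks_out(payload: str) -> bool:
    """True if interpolating payload into '...' without escaping ends the literal early."""
    try:
        mysql_literal_value("'" + payload + "'")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    typed = "it's"                                   # constructed user input
    print(quote_smart(typed, False))                 # 'it\'s'  (query text)
    print(stored_value(typed, False))                # it's     (what MySQL keeps)
    arrived = addslashes(typed)                      # magic_quotes_gpc=On: "it\'s"
    print(stored_value(arrived, True))               # it's     (stripslashes, then escape)
    print(mysql_literal_value("'" + mysql_real_escape_string(arrived) + "'"))  # it\'s (escaped twice)
    payload = "' OR '1'='1"                          # constructed injection attempt
    print(breaks_out(payload), breaks_out(mysql_real_escape_string(payload)))  # True False
```

Run it directly to see the cases from the thread: "it's" goes into the query text as 'it\'s' and is stored as it's; with magic quotes on, stripslashes followed by one escape gives the same stored value, while escaping the already-slashed value a second time is what actually puts a backslash into the table. The last line shows that an unescaped ' OR '1'='1 terminates the literal early, whereas the escaped form is stored verbatim as data. The approach that avoids escaping altogether is a prepared statement (mysqli or PDO), where the driver sends the value separately from the SQL text.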

