radalin Posted August 7, 2006

Hi, I'm using php5 and apache 2 and postgresql 8.1 as database and pear's mdb2 package. I'm using the escape method of mdb2. But the interesting thing is that the silencer "\" character exists more than required. I mean if I write " your's " it becomes " your\\''s " and it's entered to the db as " your\'s ". If I do not use the escape method, everything is fine! Yes really fine! I get the data from a form via POST method. When I try to echo the data coming from POST it's as " your\'s ". The single quote is already disabled. Well, I'm curious why this is happening!! I do not think it's really possible so I'm probably missing something somewhere. I cannot post my code sadly because it's not ordered and it requires many functions. But the thing is even if I echo the data coming from the POST the single quote is already disabled! I'm very curious why this happens. Maybe this is because of something I don't know yet. Thank you for your time.

Topic: https://forums.phpfreaks.com/topic/16794-sql-injection-protection/
Orio Posted August 7, 2006

That's probably because you've got magic_quotes on in your php.ini. Run this:

[code]echo get_magic_quotes_gpc();[/code]

If it returns TRUE or 1, that means strings get automatically escaped. If you want to escape strings for your database, use this function:

[code]<?php
// Undo the slashes magic_quotes_gpc added, then escape the value once for the database.
function sql_quote($value)
{
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value);
    } else {
        $value = addslashes($value);
    }
    return $value;
}
?>[/code]

Orio.
radalin Posted August 7, 2006 (Author)

Hmmm, yeah, you were right, it was enabled. But I'm using PostgreSQL; should I use mysql_real_escape_string or its PostgreSQL equivalent?
Orio Posted August 7, 2006

I have no idea... But I think it'll be ok to use on any SQL string. From php.net:

[quote]mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.[/quote]

Orio.
Daniel0 Posted August 7, 2006

You would use [url=http://php.net/pg_escape_string]pg_escape_string[/url] instead.
radalin Posted August 7, 2006 (Author)

Thanks for the info. MDB2's escape method was using that function. When I disabled the magic_quotes, everything is ok now.
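Added example (not code from any poster in this thread): it reproduces the double escaping radalin described and combines Orio's stripslashes step with Daniel0's pg_escape_string suggestion into one helper. It assumes PHP 5 with the pgsql extension, PostgreSQL 8.1 string rules (backslash is still an escape character, so pg_escape_string doubles it), and an already-open connection in the hypothetical variable $db.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5 + pgsql extension,
// PostgreSQL 8.1 escaping rules, and an open connection in $db (hypothetical).

// Constructed sample: the form submitted  your's , but with magic_quotes_gpc
// on, PHP already stored  your\'s  in $_POST before the script ran.
$posted = "your\\'s";

// Escaping the already-slashed value again is exactly the symptom from the
// first post: the backslash becomes \\ and the quote becomes '' -> your\\''s
$double = pg_escape_string($posted);

// Undo the automatic escaping only when it actually happened, then escape
// once with the PostgreSQL rules instead of mysql_real_escape_string/addslashes.
function pg_param_from_post($value)
{
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);   // your\'s  ->  your's
    }
    return pg_escape_string($value);     // your's   ->  your''s
}

$once = pg_param_from_post($posted);     // no stray backslash reaches the table

$sql = "INSERT INTO notes (body) VALUES ('" . $once . "')";
pg_query($db, $sql);
```

On PHP 5.1 or later, pg_query_params() sends the values separately from the SQL text, so no escaping step is needed at all.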
This topic is now archived and is closed to further replies.