Jump to content

Recommended Posts

The data is put into the database just fine with slashes and everything

I have a CMS and this preview function I built, there are 3 options: Publish, Save Draft, and Undo.

There are 2 tables, preview, and website.

 

When I select Undo, it will take the website data and dump it into the preview table. Vice versa for Publish.

 

When this happens it takes out the '\'s. I don't THINK this will be a problem because when edited it will be put back in. But does anyone know why this is happening? Shouldn't it copy it directly into the db?

 

here's the code so you can see I'm not doing anything that would strip slashes.

 

Undo (publish is basically the same thing)

<?php
import_request_variables('pg');	
include('connect.php');
include('urlpathback.php');
include('adminloggedin.php');
//Grab Info from databases
$website_query = "SELECT * FROM website WHERE url='$_SESSION[theurl]' ";//$_SESSION['theurl'] is what the old url used to be from edit.php
$website_result = mysql_query($website_query);
$website_row = mysql_fetch_assoc($website_result);
$preview_query = "SELECT * FROM preview WHERE url='$_GET[url]' ";//$_SESSION the new url which is stored in preview's db
$preview_result = mysql_query($preview_query);
$preview_row = mysql_fetch_assoc($preview_result);

$query2 = "UPDATE preview SET pageid='$website_row[pageid]',navtitle='$website_row[navtitle]',title='$website_row[title]',keywords='$website_row[keywords]',description='$website_row[description]',url='$website_row[url]',headline='$website_row[headline]',body='$website_row[body]',status='enabled' WHERE url='$_SESSION[theurl]' ";
mysql_query($query2);
unset($_SESSION['editdraft'],$_SESSION['oldnavtitle'],$_SESSION['oldparent'],$_SESSION['status'],$_SESSION['weight'],$_SESSION['parent'],$_SESSION['theurl'],$_SESSION['draft'],$_SESSION['uid'],$_SESSION['editurl']);
header("Location: $url");
exit(0);
?>

 

Thanks for any and all help.

The actual \ characters are NOT inserted into the database. They are only present in the query string so that the special characters don't break the syntax of the query. When the query string is parsed, the character they were escaping is treated as the literal character and the \'s are eliminated.

 

If you see the \ characters in the actual database, it means that your data was escaped twice.

hmm, i was taught to put addslashes($var) on anything that could potentially have escapable characters. thats what ive been doing, does PHP 5 now do this automatically or something then? cause when I do addslashes() i see the \ in the database like I'd expect. It's just when the above code is ran that character is no longer there (which I'm assuming is because of PFMaBiSmAd's post).

If you have successfully inserted data that did contain special characters, like a single-quote, and you are not specifically escaping the data in your code, then it is likely that the magic_quotes_gpc setting is ON and php has been escaping your data for you.

 

However, magic_quotes_gpc does not escape all the special characters that can break a query, so if it is on, you actually need to strip the slashes and then use mysql_real_escape_string() on the data. magic_quotes_gpc has been completely removed in php6, so it will be necessary for your code to use mysql_real_escape_string() on string data in order to prevent special characters from breaking the query syntax and to help prevent sql injection.

I just looked and it is turned on. So my data is being escaped twice then? That's why it's in the DB.

 

So just to make sure I have this straight, if I were to switch to mysql_real_escape_string() (could they make that longer..geez) I can just disable the magic_quotes_gpc and remove addslashes/stripslashes all together from my scripts right?

 

I don't think I need to worry about sql injection (the site is just reading (the mod_rewrite is very restrictive on what it 'accepts' ) and the editor section has a pretty secure login (im not security expert)).

 

Again, thanks for the help =)

 

Justin

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.