The14thGOD Posted October 1, 2009 Share Posted October 1, 2009 The data is put into the database just fine with slashes and everything I have a CMS and this preview function I built, there are 3 options: Publish, Save Draft, and Undo. There are 2 tables, preview, and website. When I select Undo, it will take the website data and dump it into the preview table. Vice versa for Publish. When this happens it takes out the '\'s. I don't THINK this will be a problem because when edited it will be put back in. But does anyone know why this is happening? Shouldn't it copy it directly into the db? here's the code so you can see I'm not doing anything that would strip slashes. Undo (publish is basically the same thing) <?php import_request_variables('pg'); include('connect.php'); include('urlpathback.php'); include('adminloggedin.php'); //Grab Info from databases $website_query = "SELECT * FROM website WHERE url='$_SESSION[theurl]' ";//$_SESSION['theurl'] is what the old url used to be from edit.php $website_result = mysql_query($website_query); $website_row = mysql_fetch_assoc($website_result); $preview_query = "SELECT * FROM preview WHERE url='$_GET[url]' ";//$_SESSION the new url which is stored in preview's db $preview_result = mysql_query($preview_query); $preview_row = mysql_fetch_assoc($preview_result); $query2 = "UPDATE preview SET pageid='$website_row[pageid]',navtitle='$website_row[navtitle]',title='$website_row[title]',keywords='$website_row[keywords]',description='$website_row[description]',url='$website_row[url]',headline='$website_row[headline]',body='$website_row[body]',status='enabled' WHERE url='$_SESSION[theurl]' "; mysql_query($query2); unset($_SESSION['editdraft'],$_SESSION['oldnavtitle'],$_SESSION['oldparent'],$_SESSION['status'],$_SESSION['weight'],$_SESSION['parent'],$_SESSION['theurl'],$_SESSION['draft'],$_SESSION['uid'],$_SESSION['editurl']); header("Location: $url"); exit(0); ?> Thanks for any and all help. Quote Link to comment Share on other sites More sharing options...
lemmin Posted October 1, 2009 Share Posted October 1, 2009 They are probably parsed as an escape character. You may need to escape them. Can you post a sample string with the before and afters of the different situations and expected outcomes? Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted October 1, 2009 Share Posted October 1, 2009 The actual \ characters are NOT inserted into the database. They are only present in the query string so that the special characters don't break the syntax of the query. When the query string is parsed, the character they were escaping is treated as the literal character and the \'s are eliminated. If you see the \ characters in the actual database, it means that your data was escaped twice. Quote Link to comment Share on other sites More sharing options...
The14thGOD Posted October 1, 2009 Author Share Posted October 1, 2009 hmm, i was taught to put addslashes($var) on anything that could potentially have escapable characters. thats what ive been doing, does PHP 5 now do this automatically or something then? cause when I do addslashes() i see the \ in the database like I'd expect. It's just when the above code is ran that character is no longer there (which I'm assuming is because of PFMaBiSmAd's post). Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted October 1, 2009 Share Posted October 1, 2009 If you have successfully inserted data that did contain special characters, like a single-quote, and you are not specifically escaping the data in your code, then it is likely that the magic_quotes_gpc setting is ON and php has been escaping your data for you. However, magic_quotes_gpc does not escape all the special characters that can break a query, so if it is on, you actually need to strip the slashes and then use mysql_real_escape_string() on the data. magic_quotes_gpc has been completely removed in php6, so it will be necessary for your code to use mysql_real_escape_string() on string data in order to prevent special characters from breaking the query syntax and to help prevent sql injection. Quote Link to comment Share on other sites More sharing options...
The14thGOD Posted October 1, 2009 Author Share Posted October 1, 2009 I just looked and it is turned on. So my data is being escaped twice then? That's why it's in the DB. So just to make sure I have this straight, if I were to switch to mysql_real_escape_string() (could they make that longer..geez) I can just disable the magic_quotes_gpc and remove addslashes/stripslashes all together from my scripts right? I don't think I need to worry about sql injection (the site is just reading (the mod_rewrite is very restrictive on what it 'accepts' ) and the editor section has a pretty secure login (im not security expert)). Again, thanks for the help =) Justin Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted October 1, 2009 Share Posted October 1, 2009 If the magic_quotes settings are off, all you need to do is mysql_real_escape_string() on string data. There would be no addslashes/stripslashes... Quote Link to comment Share on other sites More sharing options...
The14thGOD Posted October 1, 2009 Author Share Posted October 1, 2009 thanks! i wish i could dive deeper into PHP however I'm the only developer and get thrown on a lot of html/css/flash jobs :/ Justin Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.