str_replace problem

[ShaolinF]

Hi Guys

 

I am trying to remove an apostrophe from a string but the code I am using doesn't work. See below:

 

str_replace("'", "", $_SESSION['L_NAME0']);

[PFMaBiSmAd]

str_replace() returns the result. Are you assigning that value to something?

[oni-kun]

Maybe you should look at str_replace and see what you're doing wrong. Are you trying to just replace a comma? Or a ',' (quotations) as well?

 

str_replace(',' ,  "" , $_SESSION['L_NAME0']);

 

As you're using a $_SESSION variable, why are you removing commas? Are you wanting to explode ?

[ShaolinF]

I want to remove an apostrophe (this>> ' ) from the string, so str_replace looked like the most reasionable choice since that is exactly what it does. I have looked at the documentation and it should work but it isn't.

[.josh]

str_replace() returns the result. Are you assigning that value to something?

[PFMaBiSmAd]

The str_replace() you posted does what you are asking, provided you use it like I stated (edit: and CV just re-quoted for your convenience since you apparently did not see or read the post) -

<?php
$_SESSION['L_NAME0'] = "O'Malley";
$_SESSION['L_NAME0'] = str_replace("'", "", $_SESSION['L_NAME0']);
echo $_SESSION['L_NAME0'];
?>

 

Are you sure you want to remove the single-quotes or do you actually need to escape them? What overall problem are you having that you are trying to solve?

[ShaolinF]

The single quote is at the end of the string and str_replace don't work, it'll work if the quote is anywhere else in the string though which is weird. The reason I want to remove the quote is because I am trying to send the data over to the paypal server but the quote causes the paypal server to return an error.

[PFMaBiSmAd]

You will need to be way more specific about what you are trying that does not work, because the following DOES work with the single-quote at the end of the string -

 

<?php
$_SESSION['L_NAME0'] = "OMalleys'";
$_SESSION['L_NAME0'] = str_replace("'", "", $_SESSION['L_NAME0']);
echo $_SESSION['L_NAME0'];
?>

[ShaolinF]

Ahh, its still not working. Ok see below:

 

$row = model->get_course($id); //get data from DB..
$_SESSION['L_NAME0'] = str_replace("'", "", stripslashes($row->name));
echo $_SESSION['L_NAME0'];

// should print: DUO 2010
// Actual print: DUO 2010'

[PFMaBiSmAd]

What does the following show (put before the str_replace() line of code) -

 

var_dump($row->name);

[ShaolinF]

string(10) "DUO 2010\'"

[PFMaBiSmAd]

It's either not a single-quote or the first parameter in the str_replace() "'" is not a single-quote.

 

What does this show, when put right after the line that sets $row -

<?php
$arr = str_split($row->name);
foreach($arr as $char){
echo ord($char),'.';
}
?>

 

Also, something unusual is going on with your database, because the \ escape character should not be present in the data in the database (though it could be in the data retrieved if magic_quotes_runtime is ON.)

[ShaolinF]

Output: 68.85.79.32.50.48.49.48.39.

 

As fo the backslash, magic quotes is off. I am building my app on wordpress.. But I thought the backslashes for single quotes is a normal thing to prevent injections ?

[.josh]

what about in your editor? in your code, do you have an actual ' in your str_replace or did your editor make one of those funky single quotes?

[ShaolinF]

From what I can see its a normal quote.. Or maybe the DB/wordpress has been tinkering with the single quotes ?

[PFMaBiSmAd]

The 39 value is a single-quote. That means that the actual data is correct. That either means that your str_replace() code does not have a single quote in the first paramter (are you using an English keyboard and an ASCII programming editor and type the ' rather than copy/pasted it from somewhere) or your actual code after the str_replace() is adding a single quote.

 

Here is the escape \ story one more time -

 

The \ escape characters must be present in the query string so that special SQL characters, such as a single-quote, don't break the syntax of the query (or allow sql injection.) The \ characters are NOT inserted into the database. If you have \ characters in the database it means that your data was escaped twice. This usually happens if magic_quotes_gpc was ON at the time the data was inserted and your code also escaped the data. If the \ characters are not present in the database (which is correct) but they are present when the data is retrieved by php, that means that magic_quotes_runtime is on and it should simply be turned off in your script.

[ShaolinF]

Ah, Ok - I ran the query again on a diff value which also has the single quote at the end of it and this is what it returned:

 

68.97.119.114.97.104.32.68.85.79.32.50.48.49.48.92.38.35.51.57.59.

 

What does 59 translate to ?

 

As for magic quotes, I checked the php.ini file and this is what I found:

magic_quotes_gpc = Off

[PFMaBiSmAd]

I checked the php.ini file

Always use a phpinfo() statement to check what settings are in case the php.ini that you are looking at is not the one that php is using.

 

59 is a ; (semi-colon) unless that is part of a multi-byte encoded character. It would help if you posted the string that corresponds to.

[ShaolinF]

Ok, I will do that.

 

Below is the string/number sequence:

 

Event DUO 2010\'

69.118.101.110.116.32.68.85.79.32.50.48.49.48.92.38.35.51.57.59.

 

[.josh]

okay well you can clearly (hopefully) count that there are more numbers than there are in that string...if you use chr() instead of ord() or if you rightclick > view source you will see that your string contains

'

instead of '  so at some point in time in your script, it's being encoded.

[ShaolinF]

darn wordpress. It looks like the WP db class is getting upto no good again! Thanks for pointing that out.