
Slashes being put in front of apostrophes SOMETIMES?!?!


galvin


This is driving me nuts and I'm hoping someone can help me figure it out.  I have a site with PHP/MySQL.  I have a form where people can submit a comment.  This comment then goes into a MySQL database and gets displayed back on another page of the website.

 

NOTE:  I put this question in the PHP Forum because I think the problem is happening somewhere BEFORE the info gets entered into MySQL.  But of course, I could be wrong.

 

The problem is that some of the comments are coming in with a "\" in front of apostrophes, but NOT ALL OF THEM (which is really confusing me).

 

For example, someone entered this comment which shows in the MySQL database exactly like this...

 

I predict Lena's gonna win a lifetime Grammy.  It's long overdue.

 

Someone else entered a comment which shows in the MySQL database exactly like this...

 

can\\\'t wait to see first pics of the next addition.  Congrats!

 

They both have apostrophes in them, but only that second one added those slashes (and 3 of them for some reason). 

 

There are more instances of this where some comments have the slashes before the apostrophe and some don't.  Anyone know what might be causing this seemingly random insertion of slashes?

Link to comment
Share on other sites

Here is the form element for the comment...

                     <tr>
			<td class="firstcol">
			Comment/Congratulations/Well Wishes (optional):</td><td colspan=3><textarea class="textarea" name="limitedtextarea"  rows="3" cols="70" onKeyDown="limitText(this.form.limitedtextarea,this.form.countdown,100);" 
			onKeyUp="limitText(this.form.limitedtextarea,this.form.countdown,100);" /><?php if (isset($_SESSION['comment'])) { echo $_SESSION['comment']; }?></textarea><br /><span class="countdowntext">(Maximum characters: 100) </span><span class="countdowntext"> You have <input readonly type="text" class="countdownfield" name="countdown" size="3" value="100"> characters left.</span>
			</td>
			</tr>

 

Here is the code that takes that value and inserts it...

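// escape the submitted comment for use in the query
$comment =  trim(mysql_prep($_POST['limitedtextarea']));
// keep the (already escaped) comment so the form can be refilled
$_SESSION['comment'] = $comment;
$sql = "INSERT into comments ( comment) values ('$comment')";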

 

NOTE:  The reason I set the SESSION variable is in case they miss a field in the form and get sent back to the form page (the form page and validating pages are separate), the SESSION variable will keep the comment they already typed in the textarea so they don't have to retype it.  Now that I mention this, I wonder if somehow the slashes are being added ONLY when users get sent back to the form page because they missed another field.  That would explain why it happens sometimes and not others.  But it still doesn't tell me why it's adding the slashes in the first place.

Link to comment
Share on other sites

Edit: LOL, same suggestion ^^^

 

Don't unconditionally use stripslashes() on your data. That can prevent actual \ characters from being used in the data.

 

First, find out why your data is being escaped extra times and only some times and address the actual problem.

Link to comment
Share on other sites

As to why some quotes are not escaped at all - they are probably not straight quotes (someone probably copy/pasted text that contained curly/smart quotes) and wouldn't break the sql syntax and the various escape functions (built-in and user called) don't operate on them.

 

As to why some quotes are escaped more than once - php thought it was a good idea to 'help' make code safe against sql injection instead of having someone spend 3 minutes learning how to properly escape data. See the excuse at this ridiculous link - http://www.php.net/manual/en/security.magicquotes.why.php

Link to comment
Share on other sites

Sorry, here is the relevant mysql_prep($value) code...

 

function mysql_prep($value) {
	$magic_quotes_active = get_magic_quotes_gpc();
	$new_enough_php = function_exists("mysql_real_escape_string") ; //i.e. PHP >= v4.3.0
	if($new_enough_php) { //PHP v4.3.0 or higher
		//undo any magic quote effects so mysql_real_escape_string can do the work
		if($magic_quotes_active) { $value = stripslashes($value) ;}
		$value = mysql_real_escape_string($value);
	} else { //before php v4.3.0
		// if magic quotes aren't already on then add slashes manually
		if(!$magic_quotes_active) { $value = addslashes($value); }
		// if magic quotes are active, then the slashes already exist
	}
	return $value;
}
function redirect_to($location = NULL ) {
	if($location != NULL) {
		header("Location: {$location}");
		exit;
	}
}

 

Link to comment
Share on other sites

I believe I know what's going on here. The function appears to be written properly. What is probably happening is that function is being called more than once. The function should only be applied just prior to inserting the data in the database. There's no need to use it before redisplaying the data to the user for correction; that should be done with the raw $_POST data. Let us know if this doesn't make sense.

 

Right way:

if( $_POST['name'] === 'some_preset_value') {
     $clean_name = mysql_prep($_POST['name']);
     // RUN THE INSERT QUERY USING $clean_name VALUE
}
?>
<input type="text" name="name" value="<?php echo !empty($_POST['name']) ? $_POST['name'] : ''; ?>"><!-- use raw POST data for field's value -->

 

Wrong way:

if( $_POST['name'] === 'some_preset_value') {
     $clean_name = mysql_prep($_POST['name']);
     // RUN THE INSERT QUERY USING $clean_name VALUE
}
?>
<input type="text" name="name" value="<?php echo !empty($clean_name) ? $clean_name : ''; ?>"><!-- this will be escaped again when resubmitted, causing extra slashes to be added. -->

 

If the data that's been run through the function is used, it will have slashes in it when displayed, then with each subsequent pass through the function, like when passing it to the next page, more slashes will be added. When it finally gets inserted into the database, only one set of slashes is removed.

Link to comment
Share on other sites
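The accumulation described in the post above, reproduced as an added example that is not part of the original thread and goes one step further by encoding separately for each sink. Assumptions: magic quotes are off, `addslashes()` and `stripslashes()` stand in for the MySQL escaping and literal parsing, an in-memory SQLite database (needs the `pdo_sqlite` extension) stands in for MySQL, and the helper names `prep()` and `stored()` are hypothetical. Under these assumptions the third resubmission leaves three backslashes in the stored row, the same shape as the comment quoted in the question.

```php
<?php
// Added example, not code from the thread. prep() stands in for mysql_prep()
// with magic quotes off: addslashes() escapes ' and \ the way the thread's
// escaping step does for this input (assumption).
function prep(string $value): string
{
    return addslashes($value);
}

// Approximates what MySQL stores after parsing the quoted literal:
// exactly one level of backslash escaping is consumed.
function stored(string $sqlLiteral): string
{
    return stripslashes($sqlLiteral);
}

$typed = "can't wait";   // constructed sample comment

// Buggy flow: the escaped value is kept in the session, echoed into the
// textarea, and escaped again on every resubmission.
$value = $typed;
for ($submit = 1; $submit <= 3; $submit++) {
    $value = prep($value);
    printf("submit %d  SQL literal: %-20s stored: %s\n",
        $submit, $value, stored($value));
}

// Corrected flow: the session keeps the raw text and each sink encodes once.
$session = ['comment' => $typed];
for ($submit = 1; $submit <= 3; $submit++) {
    // HTML-encode only for redisplay; the browser decodes it back on submit.
    $field = htmlspecialchars($session['comment'], ENT_QUOTES, 'UTF-8');
    $session['comment'] = htmlspecialchars_decode($field, ENT_QUOTES);
}

// SQL sink: a bound parameter, so no manual escaping at all.
// SQLite in memory stands in for the MySQL database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (comment TEXT)');
$db->prepare('INSERT INTO comments (comment) VALUES (?)')
   ->execute([$session['comment']]);

echo 'fixed flow stored: ',
    $db->query('SELECT comment FROM comments')->fetchColumn(), "\n";
```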

You nailed it, Pikachu2000!  That's exactly what was happening.  I was running the comment through the mysql_prep and then storing that "prepped" text in a session variable and echoing that back.  So if the user kept missing fields on the form, it would keep getting run through multiple times.

 

I changed it to just store the actual POST value in the session variable and echo that back, and only run the mysql_prep code when everything is ready to be inserted (just like you said).

 

Another dumb newbie mistake I guess  :-\  But now I know :)

 

Thanks to everyone for your feedback! 

Link to comment
Share on other sites
