galvin Posted January 1, 2011

This is driving me nuts and I'm hoping someone can help me figure it out. I have a site with PHP/MySQL. I have a form where people can submit a comment. This comment then goes into a MySQL database and gets displayed back on another page of the website.

NOTE: I put this question in the PHP Forum because I think the problem is happening somewhere BEFORE the info gets entered into MySQL. But of course, I could be wrong.

The problem is that some of the comments are coming in with a "\" in front of apostrophes, but NOT ALL OF THEM (which is really confusing me).

For example, someone entered this comment which shows in the MySQL database exactly like this...

    I predict Lena's gonna win a lifetime Grammy. It's long overdue.

Someone else entered a comment which shows in the MySQL database exactly like this...

    can\\\'t wait to see first pics of the next addition. Congrats!

They both have apostrophes in them, but only that second one added those slashes (and 3 of them for some reason). There are more instances of this where some comments have the slashes before the apostrophe and some don't.

Anyone know what might be causing this seemingly random insertion of slashes?

Pikachu2000 Posted January 1, 2011

Post the relevant code that does the inserting.

galvin Posted January 1, 2011 Author Share Posted January 1, 2011 Here is the form element for the comment... <tr> <td class="firstcol"> Comment/Congratulations/Well Wishes (optional):</td><td colspan=3><textarea class="textarea" name="limitedtextarea" rows="3" cols="70" onKeyDown="limitText(this.form.limitedtextarea,this.form.countdown,100);" onKeyUp="limitText(this.form.limitedtextarea,this.form.countdown,100);" /><?php if (isset($_SESSION['comment'])) { echo $_SESSION['comment']; }?></textarea><br /><span class="countdowntext">(Maximum characters: 100) </span><span class="countdowntext"> You have <input readonly type="text" class="countdownfield" name="countdown" size="3" value="100"> characters left.</span> </td> </tr> Here is the code that takes that value and inserts it... $comment = trim(mysql_prep($_POST['limitedtextarea'])); $_SESSION['comment'] = $comment; $sql = "INSERT into comments ( comment) values (''$comment')"; NOTE: The reason I set the SESSION variable is in case they miss a field in the form and get sent back to the form page (the form page and validating pages are separate), the SESSION variable will keep the comment they already typed in the textarea so they don't have to retype it. Now that I mention this, I wonder if somehow the slashes are being added ONLY when users get sent back to the form page because they missed another field. That would explain why it happens sometimes and not others. But it still doesn't tell me why it's adding the slashes in the first place. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 1, 2011

Your user function, mysql_prep(), is also relevant code.

spaceman12 Posted January 1, 2011

Use stripslashes() before $_POST.

Pikachu2000 Posted January 1, 2011

It would actually be better to figure out what the root cause is and address it, rather than to just start arbitrarily applying stripslashes().

PFMaBiSmAd Posted January 1, 2011

Edit: LOL, same suggestion ^^^

Don't unconditionally use stripslashes() on your data. That can prevent actual \ characters from being used in the data. First, find out why your data is being escaped extra times and only sometimes, and address the actual problem.

PFMaBiSmAd Posted January 1, 2011

As to why some quotes are not escaped at all - they are probably not straight quotes (someone probably copy/pasted text that contained curly/smart quotes), so they wouldn't break the SQL syntax, and the various escape functions (built-in and user called) don't operate on them.

As to why some quotes are escaped more than once - PHP thought it was a good idea to 'help' make code safe against SQL injection instead of having someone spend 3 minutes learning how to properly escape data. See the excuse at this ridiculous link - http://www.php.net/manual/en/security.magicquotes.why.php

spaceman12 Posted January 1, 2011

    <?php
    if (get_magic_quotes_gpc())
        echo "Magic quotes enabled";
    else
        echo "no magic quotes detected";
    ?>

If it displays "Magic quotes enabled", use stripslashes($_POST['variable']) for each $_POST.

BlueSkyIS Posted January 1, 2011

It would actually be better to figure out what the root cause is and address it, rather than to just start arbitrarily applying stripslashes().

galvin Posted January 1, 2011 Author

Sorry, here is the relevant mysql_prep($value) code...

    function mysql_prep($value) {
        $magic_quotes_active = get_magic_quotes_gpc();
        $new_enough_php = function_exists("mysql_real_escape_string"); // i.e. PHP >= v4.3.0
        if ($new_enough_php) { // PHP v4.3.0 or higher
            // undo any magic quote effects so mysql_real_escape_string can do the work
            if ($magic_quotes_active) { $value = stripslashes($value); }
            $value = mysql_real_escape_string($value);
        } else { // before PHP v4.3.0
            // if magic quotes aren't already on then add slashes manually
            if (!$magic_quotes_active) { $value = addslashes($value); }
            // if magic quotes are active, then the slashes already exist
        }
        return $value;
    }

    function redirect_to($location = NULL) {
        if ($location != NULL) {
            header("Location: {$location}");
            exit;
        }
    }

Pikachu2000 Posted January 1, 2011

I believe I know what's going on here. The function appears to be written properly. What is probably happening is that the function is being called more than once. The function should only be applied just prior to inserting the data in the database. There's no need to use it before redisplaying the data to the user for correction; that should be done with the raw $_POST data. Let us know if this doesn't make sense.

Right way:

    <?php
    if( $_POST['name'] === 'some_preset_value') {
        $clean_name = mysql_prep($_POST['name']);
        // RUN THE INSERT QUERY USING $clean_name VALUE
    }
    ?>
    <input type="text" name="name" value="<?php echo !empty($_POST['name']) ? $_POST['name'] : ''; ?>"><!-- use raw POST data for field's value -->

Wrong way:

    <?php
    if( $_POST['name'] === 'some_preset_value') {
        $clean_name = mysql_prep($_POST['name']);
        // RUN THE INSERT QUERY USING $clean_name VALUE
    }
    ?>
    <input type="text" name="name" value="<?php echo !empty($clean_name) ? $clean_name : ''; ?>"><!-- this will be escaped again when resubmitted, causing extra slashes to be added. -->

If the data that's been run through the function is used, it will have slashes in it when displayed, then with each subsequent pass through the function, like when passing it to the next page, more slashes will be added. When it finally gets inserted into the database, only one set of slashes is removed.

galvin Posted January 1, 2011 Author

You nailed it, Pikachu2000! That's exactly what was happening. I was running the comment through the mysql_prep and then storing that "prepped" text in a session variable and echoing that back. So if the user kept missing fields on the form, it would keep getting run through multiple times.

I changed it to just store the actual POST value in the session variable and echo that back, and only run the mysql_prep code when everything is ready to be inserted (just like you said).

Another dumb newbie mistake I guess :-\ But now I know.

Thanks to everyone for your feedback!
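
The round trip described in this thread, as an added example that is not part of the original posts: the first function replays the escape-then-redisplay loop, and three submissions leave can\\\'t in the table, the value from the first post. The rest keeps the raw text and encodes it once per output context. Assumptions: addslashes() and stripslashes() stand in for mysql_real_escape_string() and MySQL's parsing of the quoted literal, an in-memory SQLite database via PDO stands in for the MySQL table, and all function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.
// addslashes() stands in for mysql_real_escape_string() (both backslash-escape
// ' " and \); stripslashes() stands in for MySQL parsing the quoted literal.

// Buggy flow: the escaped value goes into the session, is echoed into the
// form, and is escaped again each time the form is resubmitted.
function stored_after_submissions(string $typed, int $submissions): string
{
    $value = $typed;
    for ($i = 0; $i < $submissions; $i++) {
        $value = addslashes($value);  // mysql_prep() applied to the POSTed text
    }
    return stripslashes($value);      // the INSERT removes exactly one level
}

// Fixed flow: keep the raw text and encode once for each output context.
function render_textarea(string $raw): string
{
    return '<textarea name="limitedtextarea">'
        . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . '</textarea>';
}

function insert_comment(PDO $db, string $raw): void
{
    // Bound parameter: no manual escaping, so nothing to double up.
    $stmt = $db->prepare('INSERT INTO comments (comment) VALUES (?)');
    $stmt->execute([$raw]);
}

foreach ([1, 2, 3] as $n) {
    printf("%d submission(s) -> stored: %s\n", $n,
        stored_after_submissions("can't wait", $n));
}

$db = new PDO('sqlite::memory:');  // assumption: pdo_sqlite stands in for MySQL
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (comment TEXT)');

$raw = "can't wait";               // constructed sample input
echo render_textarea($raw), "\n";
insert_comment($db, $raw);
echo $db->query('SELECT comment FROM comments')->fetchColumn(), "\n";
```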