Jump to content

Recommended Posts

Hi Chaps, this is really getting my back up as its never happened before...im doing a site on a server im not familiar with and its causing me problems

 

<?
if(isset($_POST['upload']))
{
        include 'dbconnection.php';
$ttitle = mysql_real_escape_string($_POST['ttitle']); 
$ttitle2 = mysql_real_escape_string($_POST['ttitle2']); 
$query = "INSERT INTO test ( ttitle, ttitle2) ". 
             "VALUES ('$ttitle', '$ttitle2' )";
             mysql_query($query) or die('Error, query failed : ' . mysql_error());                    
echo "<br>File uploaded<br>";
}        
?> 

 

The database table is showing that it includes the backslash in the record, whereas i understood mysql_real_escape_string was oinly used to carry the data, and the backslash wouldn't be uncluded.

 

From the server:

PHP.ini file: (ver 5.2.17)

magic_quotes_gpc Off Off

magic_quotes_runtime Off Off

magic_quotes_sybase Off Off

 

Is there something i can do to get this sorted, as i dont want to add stripslashes() throught the site.

 

As with the above, i have some forms with loads of fields, so if there is someway of adding a function that would be great....

 

thanks in advance

Link to comment
https://forums.phpfreaks.com/topic/257976-escape-string/
Share on other sites

mysql_real_escape_string does not remove characters, it escapes them.

 

Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.

 

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

 

This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

Link to comment
https://forums.phpfreaks.com/topic/257976-escape-string/#findComment-1322273
Share on other sites

What have you done, other than looking at the end result in the database table, to pin down exactly what your data is and if it is correct (without \ characters) at any point in the process?

 

What is your form. Is the data coming through a hidden field or is it being entered by the user or copy pasted by the user? Is the data supposed to have actual \ characters in it? What is the actual data you are dealing with and seeing when you look in the database table?

 

Also, how you are looking at the data in the database table, in case the display method is adding the escape characters to the output?

Link to comment
https://forums.phpfreaks.com/topic/257976-escape-string/#findComment-1322282
Share on other sites

With the initial example i used a standard form. And the user (well, me for the moment) adds it (not copy and paste)

 

What are escaping are the usual \' etc. What i see in the database via phpmyadmin is i.e.  bird\'s etc etc which, is based on other datbase records on other srevers incorrect..

Link to comment
https://forums.phpfreaks.com/topic/257976-escape-string/#findComment-1322297
Share on other sites

Ive done a little test using:

<?php
if(get_magic_quotes_gpc())
echo "Magic quotes enabled";
else
echo "no magic quotes detected";
?>

 

..and it came back no magic quotes detected.

 

For the actual page, which is at its bare bones...

 

<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>

<body>


<?
if(isset($_POST['upload']))
{
    include 'config4.php';
$ttitle = mysql_real_escape_string($_POST["ttitle"]); 
$ttitle2 = mysql_real_escape_string($_POST["ttitle2"]); 




$query = "INSERT INTO test ( ttitle, ttitle2) ". 
		 "VALUES ('$ttitle', '$ttitle2' )";
             
            


    mysql_query($query) or die('Error, query failed : ' . mysql_error());                    


    
    echo "<br>File uploaded<br>";
}		
?>
<form action="" method="post" enctype="multipart/form-data" name="uploadform" >
<div class="field">
    <label for="password">Title of image/link:</label>
     <input name='ttitle' type='text' class='input' id="ttitle" />
   

    
</div>

<div class="field">
    <label for="password">Title of image/link:</label>
     <input name='ttitle2' type='text' class='input' id="ttitle2" />
   

    
</div><input name="upload" type="submit" id="upload" value="upload">
</form>
</body>
</html>

Link to comment
https://forums.phpfreaks.com/topic/257976-escape-string/#findComment-1322306
Share on other sites

OK then. So are you trying to insert data into the database that has slashes? mysql_real_escape_string() will escape any slashes and you will see them in the database. What is in config4.php? Are there any functions that are adding slashes?

 

Use the query in the example instead of the VALUES() statement i.e

 

<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>
<body>
<?php
if(isset($_POST['upload']))
{
include('config4.php');
mysql_query("INSERT INTO test SET ttitle='".mysql_real_escape_string($_POST['ttitle'])."', ttitle2='".mysql_real_escape_string($_POST['ttitle2'])."'"); or die('Error, query failed : ' . mysql_error()); 
echo "<br />File uploaded<br />";
}		
?>
<form action="" method="post" enctype="multipart/form-data" name="uploadform">
<div class="field">
<label for="password">Title of image/link:</label>
<input name="ttitle" type="text" class="input" id="ttitle" />
</div>
<div class="field">
<label for="password">Title of image/link:</label>
<input name="ttitle2" type="text" class="input" id="ttitle2" />
</div>
<input name="upload" type="submit" id="upload" value="upload">
</form>
</body>
</html>

Link to comment
https://forums.phpfreaks.com/topic/257976-escape-string/#findComment-1322320
Share on other sites

i changed your query to:

 

<?php
if(isset($_POST['upload']))
{
include('config4.php');

$query=("INSERT INTO test SET ttitle='".mysql_real_escape_string($_POST['ttitle'])."', 
ttitle2='".mysql_real_escape_string($_POST['ttitle2'])."'"); 

mysql_query($query) or die('Error, query failed : ' . mysql_error());                    


    
    echo "<br>File uploaded<br>";




}		
?>

 

 

 

...however in the database i get the old joe\'s again.. :(

 

For the config file i just have

 

 $mysql_link = mysql_connect('localhost', '*', '*'); 
mysql_select_db('*') or die('Could not select database'); 

 

 

 

Link to comment
https://forums.phpfreaks.com/topic/257976-escape-string/#findComment-1322331
Share on other sites

neil.... i saw the Stackoverflow post last night....most reponses saying that magic quotes is turned on...

 

I tried Ryaner's post and i got this:

 

1: something-with'data_that;will`be|escaped :1

2: something-with'data_that;will`be|escaped :2

3: something-with\'data_that;will`be|escaped :3

4: something-with\'data_that;will`be|escaped :4

 

...but i dont how to interpretate it :)  or use interpret correctly :)

 

 

Link to comment
https://forums.phpfreaks.com/topic/257976-escape-string/#findComment-1322350
Share on other sites

3: something-with\'data_that;will`be|escaped

This is correct. mysql_real_escape_string() is escaping the data as you can see. The problem, is that somehow the data is being double escaped so you are ending up with \ in your table i.e.

 

something-with\\'data_that

 

This is the behaviour you would expect with magic_quotes. I would contact your host. Try using the following in a .htaccess file:

 

php_flag magic_quotes_gpc off

Link to comment
https://forums.phpfreaks.com/topic/257976-escape-string/#findComment-1322355
Share on other sites

ok, now ive gone a bit over the top, for something that shouldnt be a problem...

 

<?php





if(isset($_POST['upload']))
{
include('config4.php');


function strip_mq_gpc($arg) {
  if (get_magic_quotes_gpc()) {
    return stripslashes($arg);
  } else {
    return $arg;
  }
} 
$ttitle = mysql_real_escape_string (strip_mq_gpc ($_POST['ttitle'])); 
$ttitle2 = mysql_real_escape_string (strip_mq_gpc ($_POST['ttitle2'])); 


$query = "INSERT INTO test ( ttitle, ttitle2) ". 
             "VALUES ('$ttitle', '$ttitle2' )";
             mysql_query($query) or die('Error, query failed : ' . mysql_error());                    
echo "<br>File uploaded<br>";
}        
?> 

 

...and this adds the fields to the database without slashes....BUT what does this mean...that the php.ini file or the actual host is lying to me ?

Link to comment
https://forums.phpfreaks.com/topic/257976-escape-string/#findComment-1322364
Share on other sites

When you previously tested the get_magic_quotes_gpc() value in a script, was that .php file in the same folder where you are running your actual script? I'm thinking you have one or more local php.ini and one of them, in a folder with your actual script, is turning on magic_quotes_gpc. Likewise, has the script with the phpinfo() statement in it being run in the same folder where your actual php script is at?

 

P.S. you can only put php settings in a .htaccess file when php is running as an Apache Module. It's a server error otherwise, because the php_flag command is not recognized.

Link to comment
https://forums.phpfreaks.com/topic/257976-escape-string/#findComment-1322368
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.