barney0o0 Posted February 29, 2012

Hi Chaps, this is really getting my back up as it's never happened before... I'm doing a site on a server I'm not familiar with and it's causing me problems

    <?php
    if (isset($_POST['upload'])) {
        include 'dbconnection.php';
        // escape the posted values, then build and run the INSERT
        $ttitle  = mysql_real_escape_string($_POST['ttitle']);
        $ttitle2 = mysql_real_escape_string($_POST['ttitle2']);
        $query = "INSERT INTO test ( ttitle, ttitle2) " .
                 "VALUES ('$ttitle', '$ttitle2' )";
        mysql_query($query) or die('Error, query failed : ' . mysql_error());
        echo "<br>File uploaded<br>";
    }
    ?>

The database table is showing that it includes the backslash in the record, whereas I understood mysql_real_escape_string was only used to carry the data, and the backslash wouldn't be included.

From the server's php.ini (ver 5.2.17):

    magic_quotes_gpc      Off  Off
    magic_quotes_runtime  Off  Off
    magic_quotes_sybase   Off  Off

Is there something I can do to get this sorted, as I don't want to add stripslashes() throughout the site. As with the above, I have some forms with loads of fields, so if there is some way of adding a function that would be great.... thanks in advance
JonnoTheDev Posted February 29, 2012

mysql_real_escape_string does not remove characters, it escapes them.

    Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.

    mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

    This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
PFMaBiSmAd Posted February 29, 2012

What have you done, other than looking at the end result in the database table, to pin down exactly what your data is and whether it is correct (without \ characters) at any point in the process?

What is your form? Is the data coming through a hidden field, or is it being entered by the user or copy-pasted by the user? Is the data supposed to have actual \ characters in it? What is the actual data you are dealing with and seeing when you look in the database table?

Also, how are you looking at the data in the database table, in case the display method is adding the escape characters to the output?
barney0o0 Posted February 29, 2012

With the initial example I used a standard form, and the user (well, me for the moment) adds it (not copy and paste).

What is being escaped is the usual \' etc. What I see in the database via phpMyAdmin is e.g. bird\'s etc. etc., which, based on other database records on other servers, is incorrect..
JonnoTheDev Posted February 29, 2012

Then magic_quotes is still active on that server even though you have stated that it is turned off, or you have the addslashes() function in use somewhere in your script.
barney0o0 Posted February 29, 2012

I've done a little test using:

    <?php
    if (get_magic_quotes_gpc()) {
        echo "Magic quotes enabled";
    } else {
        echo "no magic quotes detected";
    }
    ?>

..and it came back "no magic quotes detected".

For the actual page, which is at its bare bones...

    <!DOCTYPE HTML>
    <html>
    <head>
    <meta charset="utf-8">
    <title>Untitled Document</title>
    </head>
    <body>
    <?php
    if (isset($_POST['upload'])) {
        include 'config4.php';
        $ttitle  = mysql_real_escape_string($_POST["ttitle"]);
        $ttitle2 = mysql_real_escape_string($_POST["ttitle2"]);
        $query = "INSERT INTO test ( ttitle, ttitle2) " .
                 "VALUES ('$ttitle', '$ttitle2' )";
        mysql_query($query) or die('Error, query failed : ' . mysql_error());
        echo "<br>File uploaded<br>";
    }
    ?>
    <form action="" method="post" enctype="multipart/form-data" name="uploadform">
    <div class="field">
    <label for="ttitle">Title of image/link:</label>
    <input name='ttitle' type='text' class='input' id="ttitle" />
    </div>
    <div class="field">
    <label for="ttitle2">Title of image/link:</label>
    <input name='ttitle2' type='text' class='input' id="ttitle2" />
    </div>
    <input name="upload" type="submit" id="upload" value="upload">
    </form>
    </body>
    </html>
JonnoTheDev Posted February 29, 2012

Run a simple test script (forget about the form for now).

    <?php
    // fixed literals instead of $_POST, so magic quotes cannot touch the input
    mysql_query("INSERT INTO test SET ttitle='" . mysql_real_escape_string("Joe's") . "', ttitle2='" . mysql_real_escape_string("Words") . "'");
    ?>

Does this add slashes?
barney0o0 Posted February 29, 2012

That has entered the data fine... i.e. Joes's (oops, Joe's)
barney0o0 Posted February 29, 2012

So is my actual query incorrect?... i.e. using single quotes rather than double quotes... or is the structure wrong and I just can't see it.....
JonnoTheDev Posted February 29, 2012

OK then. So are you trying to insert data into the database that has slashes? mysql_real_escape_string() will escape any slashes and you will see them in the database.

What is in config4.php? Are there any functions that are adding slashes?

Use the query in the example instead of the VALUES() statement, i.e.

    <!DOCTYPE HTML>
    <html>
    <head>
    <meta charset="utf-8">
    <title>Untitled Document</title>
    </head>
    <body>
    <?php
    if (isset($_POST['upload'])) {
        include('config4.php');
        mysql_query("INSERT INTO test SET ttitle='" . mysql_real_escape_string($_POST['ttitle']) . "', ttitle2='" . mysql_real_escape_string($_POST['ttitle2']) . "'");
        or die('Error, query failed : ' . mysql_error());
        echo "<br />File uploaded<br />";
    }
    ?>
    <form action="" method="post" enctype="multipart/form-data" name="uploadform">
    <div class="field">
    <label for="ttitle">Title of image/link:</label>
    <input name="ttitle" type="text" class="input" id="ttitle" />
    </div>
    <div class="field">
    <label for="ttitle2">Title of image/link:</label>
    <input name="ttitle2" type="text" class="input" id="ttitle2" />
    </div>
    <input name="upload" type="submit" id="upload" value="upload">
    </form>
    </body>
    </html>
barney0o0 Posted February 29, 2012

I get

    Parse error: syntax error, unexpected T_LOGICAL_OR in ...

which is the line:

    mysql_query("INSERT INTO test SET ttitle='" . mysql_real_escape_string($_POST['ttitle']) . "', ttitle2='" . 
barney0o0 Posted February 29, 2012

I changed your query to:

    <?php
    if (isset($_POST['upload'])) {
        include('config4.php');
        $query = "INSERT INTO test SET ttitle='" . mysql_real_escape_string($_POST['ttitle']) . "', ttitle2='" . mysql_real_escape_string($_POST['ttitle2']) . "'";
        mysql_query($query) or die('Error, query failed : ' . mysql_error());
        echo "<br>File uploaded<br>";
    }
    ?>

...however in the database I get the old joe\'s again..

For the config file I just have

    $mysql_link = mysql_connect('localhost', '*', '*');
    mysql_select_db('*') or die('Could not select database');
JonnoTheDev Posted February 29, 2012

http://stackoverflow.com/questions/173212/mysql-real-escape-string-leaving-slashes-in-mysql
PFMaBiSmAd Posted February 29, 2012

What does a phpinfo() statement show for the auto_prepend_file setting, in case someone (web host) is running a script to escape all external data?
barney0o0 Posted February 29, 2012

    What does a phpinfo() statement show for the auto_prepend_file setting, in case someone (web host) is running a script to escape all external data?

    auto_prepend_file    no value    no value
barney0o0 Posted February 29, 2012

Neil.... I saw the Stack Overflow post last night.... most responses saying that magic quotes is turned on...

I tried Ryaner's post and I got this:

    1: something-with'data_that;will`be|escaped :1
    2: something-with'data_that;will`be|escaped :2
    3: something-with\'data_that;will`be|escaped :3
    4: something-with\'data_that;will`be|escaped :4

...but I don't know how to interpret it or use it correctly
JonnoTheDev Posted February 29, 2012

    3: something-with\'data_that;will`be|escaped

This is correct. mysql_real_escape_string() is escaping the data, as you can see. The problem is that somehow the data is being double escaped, so you are ending up with \ in your table, i.e. something-with\\'data_that. This is the behaviour you would expect with magic_quotes. I would contact your host.

Try using the following in a .htaccess file:

    php_flag magic_quotes_gpc off
barney0o0 Posted February 29, 2012

I've emptied my present .htaccess file (as I'm using rewrites for SEO-friendly links), and added

    php_flag magic_quotes_gpc off

but now I get an Internal Server Error :'(
barney0o0 Posted February 29, 2012

OK, now I've gone a bit over the top, for something that shouldn't be a problem...

    <?php
    if (isset($_POST['upload'])) {
        include('config4.php');

        // undo magic quotes (if they are on) so the value is escaped only once below
        function strip_mq_gpc($arg)
        {
            if (get_magic_quotes_gpc()) {
                return stripslashes($arg);
            } else {
                return $arg;
            }
        }

        $ttitle  = mysql_real_escape_string(strip_mq_gpc($_POST['ttitle']));
        $ttitle2 = mysql_real_escape_string(strip_mq_gpc($_POST['ttitle2']));
        $query = "INSERT INTO test ( ttitle, ttitle2) " .
                 "VALUES ('$ttitle', '$ttitle2' )";
        mysql_query($query) or die('Error, query failed : ' . mysql_error());
        echo "<br>File uploaded<br>";
    }
    ?>

...and this adds the fields to the database without slashes.... BUT what does this mean... that the php.ini file or the actual host is lying to me?
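A fuller version of the idea in the post above, as an added example that is not code from the thread or from either poster: undo magic_quotes_gpc once per request over the whole of $_GET/$_POST/$_COOKIE (recursively, because magic quotes escape array keys as well as values), and then insert with a prepared statement so the value never needs mysql_real_escape_string() at all and cannot be escaped twice. The table `test` and columns `ttitle`/`ttitle2` are from the thread; the use of mysqli instead of the mysql_* extension (removed in PHP 7), the placeholder credentials, and the function names `strip_magic_quotes`, `normalize_request` and `add_titles` are choices made here. Run from the command line it exercises the normaliser on a constructed array and needs no database.

```php
<?php
// Added example (not code from the thread). Undo magic_quotes_gpc once,
// centrally, so the rest of the application sees the raw user input and
// either escapes it exactly once itself or hands it to a prepared statement.
// Assumptions: mysqli is available, the credentials below are placeholders,
// and the function names are chosen here.

// Recursively remove the backslashes magic_quotes_gpc added to keys and values.
// Only call this when magic quotes really are on: run over raw data it would
// destroy backslashes the user actually typed.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $k => $v) {
            $clean[stripslashes($k)] = strip_magic_quotes($v);
        }
        return $clean;
    }
    return stripslashes($value);
}

// Request-level normalisation: belongs in the shared include (config4.php in
// the thread), not in every form handler. get_magic_quotes_gpc() was removed
// in PHP 8, hence the function_exists() guard; there this is a no-op.
function normalize_request()
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET     = strip_magic_quotes($_GET);
        $_POST    = strip_magic_quotes($_POST);
        $_COOKIE  = strip_magic_quotes($_COOKIE);
        $_REQUEST = strip_magic_quotes($_REQUEST);
    }
}

// Insert with a prepared statement. The values travel separately from the SQL
// text, so nothing needs mysql_real_escape_string() and double escaping
// cannot occur. Returns the new row id, or false on failure.
function add_titles(mysqli $db, $ttitle, $ttitle2)
{
    $stmt = $db->prepare('INSERT INTO test (ttitle, ttitle2) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $ttitle, $ttitle2);
    $id = $stmt->execute() ? $db->insert_id : false;
    $stmt->close();
    return $id;
}

// Offline self-test on a constructed array shaped like a magic-quoted $_POST.
function selftest()
{
    $quoted = array(
        'ttitle' => "Joe\\'s",                        // what magic quotes delivers for Joe's
        'tags'   => array("bird\\'s" => "O\\'Neil"),  // keys get escaped too
    );
    $clean = strip_magic_quotes($quoted);
    return $clean['ttitle'] === "Joe's"
        && isset($clean['tags']["bird's"])
        && $clean['tags']["bird's"] === "O'Neil";
}

if (PHP_SAPI === 'cli') {
    echo selftest() ? "normaliser ok\n" : "normaliser FAILED\n";
} elseif (isset($_POST['upload'])) {
    normalize_request();
    $db = new mysqli('localhost', 'user', 'pass', 'dbname'); // placeholders
    if ($db->connect_error) {
        die('Could not connect: ' . $db->connect_error);
    }
    $db->set_charset('utf8'); // escaping and length rules depend on the connection charset
    $id = add_titles($db, $_POST['ttitle'], $_POST['ttitle2']);
    echo ($id === false) ? 'Error, query failed : ' . $db->error : "<br>Row $id inserted<br>";
}
```

Because normalize_request() runs once and only when magic quotes are actually in effect, the rest of the site can stay as it is: every existing mysql_real_escape_string() call then escapes raw data exactly once, and new code can move to prepared statements field by field.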
JonnoTheDev Posted February 29, 2012

It means magic quotes is turned on.
PFMaBiSmAd Posted February 29, 2012

When you previously tested the get_magic_quotes_gpc() value in a script, was that .php file in the same folder where you are running your actual script? I'm thinking you have one or more local php.ini files and one of them, in a folder with your actual script, is turning on magic_quotes_gpc. Likewise, has the script with the phpinfo() statement in it been run in the same folder where your actual php script is?

P.S. You can only put php settings in a .htaccess file when php is running as an Apache module. It's a server error otherwise, because the php_flag command is not recognized.
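To settle whether slashes are being added for this particular script, the following diagnostic is an added example, not code from the thread. It reports which ini files the script really loaded (so a per-directory php.ini shows up), and compares $_POST with the raw request body from php://input; the body is decoded by hand rather than with parse_str(), which goes through the same code path as $_POST and is itself subject to magic_quotes_gpc. The function names and the self-test data are assumptions made here. Drop it in the same directory as the failing form handler and submit the built-in form.

```php
<?php
// Added example (not code from the thread). Put this file in the SAME
// directory as the failing form handler, so any per-directory php.ini
// applies to it too, and POST to it from a plain (non-multipart) form.
// Function names and the self-test data are assumptions made here.

// Which configuration this script actually runs under.
function magic_quotes_report()
{
    return array(
        'php_version'          => PHP_VERSION,
        'sapi'                 => PHP_SAPI,
        'script_dir'           => dirname(__FILE__),
        'php_ini_loaded'       => php_ini_loaded_file(),    // main php.ini really read
        'php_ini_scanned'      => php_ini_scanned_files(),  // additional .ini files, if any
        'magic_quotes_gpc'     => ini_get('magic_quotes_gpc'),
        'get_magic_quotes_gpc' => function_exists('get_magic_quotes_gpc') ? get_magic_quotes_gpc() : null,
        'auto_prepend_file'    => ini_get('auto_prepend_file'),
    );
}

// Decode an application/x-www-form-urlencoded body by hand. parse_str() is
// deliberately avoided: it uses the same mechanism that fills $_POST and is
// affected by magic_quotes_gpc. Nested names such as a[b] are not handled.
function decode_form_body($raw_body)
{
    $out = array();
    foreach (explode('&', $raw_body) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $out[urldecode($parts[0])] = isset($parts[1]) ? urldecode($parts[1]) : '';
    }
    return $out;
}

// Compare what PHP put in $_POST with what was actually on the wire. A value
// whose only difference is added backslashes was escaped by something between
// the socket and your script: magic quotes, a prepend file, or a hook.
function compare_post_with_raw_body($post, $raw_body)
{
    $raw  = decode_form_body($raw_body);
    $diff = array();
    foreach ($post as $k => $v) {
        if (!is_string($v)) {
            continue;
        }
        $wire = isset($raw[$k]) ? $raw[$k] : null;
        if ($wire !== $v) {
            $diff[$k] = array(
                'wire'          => $wire,
                'post'          => $v,
                'added_slashes' => ($wire !== null && stripslashes($v) === $wire),
            );
        }
    }
    return $diff;
}

// Offline self-test: a constructed body and the $_POST a magic-quoted PHP would build from it.
function selftest()
{
    $body = 'ttitle=Joe%27s+bird&ttitle2=plain';
    $post = array('ttitle' => "Joe\\'s bird", 'ttitle2' => 'plain');
    $diff = compare_post_with_raw_body($post, $body);
    return count($diff) === 1 && $diff['ttitle']['added_slashes'] === true;
}

if (PHP_SAPI === 'cli') {
    echo selftest() ? "selftest ok\n" : "selftest FAILED\n";
} else {
    echo '<pre>' . htmlspecialchars(print_r(magic_quotes_report(), true)) . '</pre>';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // php://input is empty for multipart/form-data on PHP 5, so the form
        // below uses the default urlencoded enctype.
        $diff = compare_post_with_raw_body($_POST, file_get_contents('php://input'));
        echo '<pre>' . htmlspecialchars(print_r($diff, true)) . '</pre>';
        echo $diff ? 'Slashes were added before your script ran.' : 'No slashes were added before your script ran.';
    } else {
        echo '<form method="post"><input name="ttitle" value="Joe\'s bird"> <input type="submit" name="upload" value="test"></form>';
    }
}
```

If `added_slashes` is true while `get_magic_quotes_gpc` reports false, the escaping is not coming from PHP's own magic quotes but from something else in the request path (an auto_prepend_file, a framework bootstrap, or a host-side filter), and `php_ini_loaded` plus `php_ini_scanned` tell you which configuration files to go and read.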
barney0o0 Posted February 29, 2012

OK, thanks both of you for your help..... With reference to the magic quotes, I even contacted the host (twice) and they confirmed that everything was off..... ffs