Jump to content
Marcelc

[HELP] PHP Apostrophe in Text Area

Recommended Posts

Note that my code still use the old mysql query and I am aware of that. I want to migrate it to mysqli soon but it will have to wait until I learn how to do so. Meanwhile, please help me with the code that I have now. Thank you smile3.gif


 


I've looked around the internet to find how to do this and I found two methods:


 


htmlspecialchars();


and


mysql_real_escape_string();


 


I wrapped my text into one of the two function in order to pass in text with apostrophe in it to the database.


 


However I encountered a problem.


 


With mysql_real_escape_string, I got the desired effect that I want but the problem is that, the function also apply its effect onto html img tag. So <img src="test"> turns into <img src=/"test/"> and therefore images (and also links) will not appear.


 


With htmlspecialchars, again I got the desired function that I want which is to pass in apostrophe into the database. The problem with this is that when I pull the data out from the database and echo it onto my page, it doesn't render and show as a plain html code.


 


What confuse me a lot is that, it works fine inside my localhost.


 


Please help sad.gif


Thank you! grin.gif


content-insert.php

Share this post


Link to post
Share on other sites

Hi,

 

there's obviously a lot of confusion regarding escaping. Since escaping is also critical for security, you definitely need to understand this before you consider uploading your application.

 

First of all: mysql_real_escape_string() and htmlspecialchars() have absolutely nothing to do with each other and serve two entirely different purposes.

 

The function mysql_real_escape_string() prepares a PHP value in a way that it can be inserted into a MySQL string literal. Let's say you want to insert the following string into the database:

The president's daughter

Obviously, you can't just take this string and drop it right into a query, because this leads to a syntax error:

INSERT INTO
    whatever (content)
VALUES
    ('The president's daughter')    -- this is invalid syntax
;

If the PHP value comes from the user, they can even exploit this bug to break out of the string literal and manipulate the query itself (see SQL injection).

 

To prevent this, all special characters like ', " and \ must be escaped by prepending a backslash. This tells MySQL to interpret those characters as literal text rather than MySQL syntax:

INSERT INTO
    whatever (content)
VALUES
    ('The president\'s daughter')    -- this is valid syntax; the inner quote is now literal text
;

Note that SQL-escaping only works within quoted string literals. If you forget the quotes, you again have a bug which can be used for SQL injection attacks. It's also important to know that manual escaping is extremely error-prone. Programmers have screwed up again and again, and this has lead to a constant stream of security vulnerabilities in web applications. People simply forget the escaping from time to time, or they forget the quotes, or they mess up the character encoding (which can render the function useless). A much better solution is a parameterized statement which separates the data from the actual query. However, this feature is only supported by PDO and MySQLi (I strongly recommend PDO).

 

Whenever you want to insert a PHP value into a query, you must either use a parameterized statement or manually escape the value and wrap it in quotes. Inserting raw values is a bug.

 

You said you're getting literal backslashes in your database when you use mysql_real_escape_string(). This has nothing to do with the function and is caused by some other part of the program or a misconfiguration. If you got some really, really old version with a bad configuration, it could be a problem of “magic quotes”. What does this say:?

var_dump(get_magic_quotes_gpc());

The function htmlspecialchars() is an entirely different thing. I guess you should first fix the database issues.

  • Like 1

Share this post


Link to post
Share on other sites

@Jacques1

 

Thanks a lot. That really helps with the my understanding of mysql_real_escape_string and to be honest, I've came to know escaping only recently as I want to pass apostrophe to the database. There is still so many things to learn :)

 

I ended up using addslashes() onto the input data and use splitslashes() when displaying the output. I believe this too is not a safe and concrete approach but as my app is not widely distributed I think for now it does the purpose.

 

On another note, I am interested in adopting modern approach on database function, leaving mysql_query behind. I tried to look around for tutorial but the information out there overwhelmed me and I don't know where to start. Any suggestion?

 

Thank you very much :D

 

P.S. I will love to upload my app here but I have trouble uploading (bad internet connection :( ) so I will do this soon :)

Share this post


Link to post
Share on other sites

I strongly recommend that you do not upload your application yet. It doesn't matter if it's widely distributed or not. As soon as it's online, anybody can access it. In fact, attackers love small, unprotected sites, because they're an easy target.

 

SQL injections aren't just about stealing data or something, they can be used to compromise the entire server. There are tools which do this automatically.

 

No, addslashes() is indeed not secure. It's even worse than mysql_real_escape_string(), because it always uses ASCII instead of the actual character encoding of the string. If the encoding of your database connection happens to be incompatible with ASCII, the whole function is useless.

 

In addition to this, the configuration of your development server is obviously broken. It's not normal to remove backslashes from database values. This will break the data when the code runs in a proper PHP environment, because then you'll be removing actual text backslashes.

 

Last but not least, I suspect plenty of cross-site scripting vulnerabilities in your code due to the lack of HTML escaping. This can be used for direct attacks against anybody who visits your website.

 

The code definitely isn't ready yet. The very least you need to do is get the escaping right, both the SQL-escaping and the HTML-escaping. To learn about the new database interfaces, see this tutorial about PDO.

Edited by Jacques1

Share this post


Link to post
Share on other sites

Indeed the code is not ready. The app serves as a way for me to learn, study and explore different aspects of coding and this is a part of it.

 

Thank you very much for your help :)

 

I'll look up PDO, SQL-escaping and HTML-escaping and figure out how to implement those into my code. I'll look forward to update you with progress!

 

Thank you again :D

Edited by Marcelc

Share this post


Link to post
Share on other sites

You can also use mysqli instead of PDO if it's too confusing to you. PDO is more "object oriented" and if you didn't already learn that, it could be confusing. Anyway, that you use one or the other, don't forget to use "prepared statements".

 

The "quotes" and potential problematic characters will be dealt with.

Good luck with your application! :)

Share this post


Link to post
Share on other sites

Good day, I am a little lost. Trying to post, or seek how to post a question.

I developed a website successfully. Now I have used the same program with some changes in a new website and I am getting a different result.

 

The Problem is: In the one site the Input text are accepts text such as lynn's house while the new site BOMBs out on a SQL Server error.

The common factor is the coding, could it be the field in the Data Base? I have defined them the same?

 

I need some help.

info@kobusdippenaar.co.za

 

Thanks and Blessings.

Share this post


Link to post
Share on other sites

Instead of just hijacking this thread, why don't you read it? You just might find the answer you are looking for.

  • Like 1

Share this post


Link to post
Share on other sites

@Guru,

Sorry I do not see the relevance, also I did ask how to post a question, seeing I am new to the site.

My problem is accepting text in a PHP textarea or input statement, which only bombs out when you issue the insert statement.

In one website it works, and the other it does not.

 

Please I need some help here.

 

Blessings.

Share this post


Link to post
Share on other sites

... also I did ask how to post a question, seeing I am new to the site.

Use the big "Start New Topic" button at the top right of the forum page

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.