[SOLVED] escaping characters and bringing them back in output

[polemios]

Hi everyone, this has been a recurring thorn in my side, so I'm going to try to post and see if anyone can help or send me in the right direction.

 

So, I'm escaping single and double quotes in PHP before entering strings into a MYSQL database. Pretty run of the mill. So in MYSQL a single quote is stored like this \' and a double like this \". Simple enough.

 

But then as it comes back into the browser I want to remove the slashes in the string, so it looks normal again. I have two functions that clean up the strings. One is set up to output in XHMTL valid quote characters, the other is set up to use URL encoding because the output will eventually go into Flash using XML and then escaped using urlencode in actionscript.

 

Well, they both work great locally on my machine, but they don't work at all when it's on the web. The slashes remain. Does anyone know what the difference is when viewed remotely and viewed locally?

 

Here are the two functions, they might be a little messy, but like I said, they work great on my machine when run locally.

 

function formatHTML ($text)
{
$text = ereg_replace("\r",'',$text);
$text = ereg_replace("\n\n","</p>\r<p>",$text);
$text = ereg_replace("\n","<br />",$text);
$text = ereg_replace("\'","&#8217;", $text);
$text = ereg_replace("\&#8217;","&#8217;", $text);
print $text;
}//end formatHTML

function formatXML ($text)
{
$text = ereg_replace("\r",'',$text);
//the following lines are formatted with urlencoding, then the xml file is parsed in flash and the text is escaped using unescape(string);
$text = ereg_replace("\n\n","%0a%0a",$text);
$text = ereg_replace("\n","%0a",$text);
$text = ereg_replace("\'","%27", $text);
$text = ereg_replace("'","%27", $text);
$text = ereg_replace("\&#8217;","%27", $text);
print $text;
}//end formatXML

 

any clues?

[BlueSkyIS]

well, MySQL shouldn't be storing slashes as you described, then you wouldn't need to stripslashes() later.

[polemios]

in order to get them into Mysql, I have to escape them in my query. At least that's what I seem to have always read.

[BlueSkyIS]

they need to be escaped if they aren't already escaped. if you have magic_quotes turned on (most likely), PHP will escape the input for you (from forms, etc.). if you end up with slashes in MySQL, then the escapes have also been escaped, leaving slashes. in other words instead of inserting:

 

"This isn\'t a good sentence."

 

you're inserting

 

"This isn\\'t a good sentence."

 

leaving this in MySQL:

 

This isn\'t a good sentence.

 

I would take a look at your SQL to make sure you're not inserting double-slashes

[polemios]

So, I should just try to not escape the string before inserting it? Is magic_quotes a function of a certain version of PHP?

[BlueSkyIS]

http://us.php.net/magic_quotes

 

it has been turned on in every PHP installation i have experienced.

 

i would echo the SQL to make sure you don't have double-slashes.

[polemios]

Quick question then. Why does the "deslashing" or "unescaping" that I do work locally but not remotely?

[chocopi]

probably because the magic quotes have been turned on, on your server but not locally.

[polemios]

also, the slashed are coming from mysql_real_escape_string, which I'm using to escape the user input. I'm doing that as a security measure. If I don't use mysql_real_escape_string, won't people be able to input URL commands into the query?

[BlueSkyIS]

potentially, so if you are worried i would do one of 2 things:

 

1. turn off magic_quotes OR

2. stripslashes() before mysql_real_escape_string()

[KevinM1]

potentially, so if you are worried i would do one of 2 things:

 

1. turn off magic_quotes OR

2. stripslashes() before mysql_real_escape_string()

 

Here's a helpful function that I use:

<?php
function myEscape($string){
	return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
}
?>

 

So, when you want to escape user data, simple do:

<?php
   $userName = myEscape($_POST['username']);
?>

 

As far as output is concerned, I always thought that any escaped data in a database won't look escaped when outputted.  So, no slashes or anything.

[polemios]

Nighslyr, that is a crazy looking function.  I'm not that deep into PHP, so the ? and the : look weird to me. Is it some sort of shorthand? What does it do exactly.

 

Also, it looks like I don't have access to edit the php.ini on my client's hosting plan, so turning it off is out of the question.

 

I guess I'll try Nightslyr's function. That way I can still escape it and strip the slashes in a compact package.

[BlueSkyIS]

Nighslyr's function looks good!

 

? and :

 

Essentially the function says is magic_quotes turned on?

 

get_magic_quotes_gpc()?

 

if so, stripslashes before using mysql_real_escape_string() if not

(

 

just use mysql_real_escape_string() without stripslashes. very nice.

[KevinM1]

The ? : is a trinary operator.  Explaining it requires an example.

 

My function is:

<?php
function myEscape($string){
	return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
}
?>

 

That's the same as typing:

<?php
        function myEscape($string){
                if(get_magic_quotes_gpc()){
                        return mysql_real_escape_string(stripslashes($string));
                }
                else{
                        return mysql_real_escape_string($string);
                }
        }
?>

 

So, instead of:

 

if(conditional statement){

  //do something

}

else{

  //do something else

}

 

It can be shortened to:

 

conditional statement ? //do something : //do something else

[polemios]

Thanks for the explanation guys. I love more efficient code.

 

I used the myEscape function and it works great. There is still one issue though. I keep getting trailing apostrophe's at the end of my strings. It isn't present in my MYSQL entry, so it looks like they're appearing in my formatHTML and formatXML functions. But this also doesn't happen locally. Would this also have to do with the magic_quotes thing?

 

 

[KevinM1]

Thanks for the explanation guys. I love more efficient code.

 

I used the myEscape function and it works great. There is still one issue though. I keep getting trailing apostrophe's at the end of my strings. It isn't present in my MYSQL entry, so it looks like they're appearing in my formatHTML and formatXML functions. But this also doesn't happen locally. Would this also have to do with the magic_quotes thing?

 

Hmm...I don't think magic quotes would affect that.  Try commenting out your ereg_replace("\'", ....) lines and see what happens.

[polemios]

thanks. Once I removed the slashes going into the mysql file, i didn't need to remove them upon output, so like you said, I commented out that code in my format functions. Thanks to you guys.