polemios Posted October 17, 2007
Hi everyone, this has been a recurring thorn in my side, so I'm going to try to post and see if anyone can help or send me in the right direction. So, I'm escaping single and double quotes in PHP before entering strings into a MYSQL database. Pretty run of the mill. So in MYSQL a single quote is stored like this \' and a double like this \". Simple enough. But then as it comes back into the browser I want to remove the slashes in the string, so it looks normal again. I have two functions that clean up the strings. One is set up to output in XHTML valid quote characters, the other is set up to use URL encoding because the output will eventually go into Flash using XML and then escaped using urlencode in actionscript. Well, they both work great locally on my machine, but they don't work at all when it's on the web. The slashes remain. Does anyone know what the difference is when viewed remotely and viewed locally? Here are the two functions, they might be a little messy, but like I said, they work great on my machine when run locally.

// ereg_replace() was deprecated in PHP 5.3 and removed in PHP 7.
function formatHTML ($text) {
    $text = ereg_replace("\r", '', $text);
    $text = ereg_replace("\n\n", "</p>\r<p>", $text);
    $text = ereg_replace("\n", "<br />", $text);
    $text = ereg_replace("\'", "’", $text);
    $text = ereg_replace("\’", "’", $text);
    print $text;
}//end formatHTML

function formatXML ($text) {
    $text = ereg_replace("\r", '', $text);
    //the following lines are formatted with urlencoding, then the xml file is parsed in flash and the text is escaped using unescape(string);
    $text = ereg_replace("\n\n", "%0a%0a", $text);
    $text = ereg_replace("\n", "%0a", $text);
    $text = ereg_replace("\'", "%27", $text);
    $text = ereg_replace("'", "%27", $text);
    $text = ereg_replace("\’", "%27", $text);
    print $text;
}//end formatXML

Any clues?
BlueSkyIS Posted October 17, 2007
Well, MySQL shouldn't be storing slashes as you described; then you wouldn't need to stripslashes() later.
polemios Posted October 17, 2007 Author
In order to get them into MySQL, I have to escape them in my query. At least that's what I seem to have always read.
BlueSkyIS Posted October 17, 2007
They need to be escaped if they aren't already escaped. If you have magic_quotes turned on (most likely), PHP will escape the input for you (from forms, etc.). If you end up with slashes in MySQL, then the escapes have also been escaped, leaving slashes. In other words, instead of inserting:

"This isn\'t a good sentence."

you're inserting:

"This isn\\'t a good sentence."

leaving this in MySQL:

This isn\'t a good sentence.

I would take a look at your SQL to make sure you're not inserting double-slashes.
polemios Posted October 17, 2007 Author
So, I should just try to not escape the string before inserting it? Is magic_quotes a function of a certain version of PHP?
BlueSkyIS Posted October 17, 2007
http://us.php.net/magic_quotes
It has been turned on in every PHP installation I have experienced. I would echo the SQL to make sure you don't have double-slashes.
polemios Posted October 17, 2007 Author
Quick question then. Why does the "deslashing" or "unescaping" that I do work locally but not remotely?
chocopi Posted October 17, 2007
Probably because magic quotes have been turned on on your server but not locally.
polemios Posted October 17, 2007 Author
Also, the slashes are coming from mysql_real_escape_string, which I'm using to escape the user input. I'm doing that as a security measure. If I don't use mysql_real_escape_string, won't people be able to input URL commands into the query?
BlueSkyIS Posted October 17, 2007
Potentially, so if you are worried I would do one of 2 things:
1. turn off magic_quotes, OR
2. stripslashes() before mysql_real_escape_string()
KevinM1 Posted October 17, 2007
> Potentially, so if you are worried I would do one of 2 things:
> 1. turn off magic_quotes, OR
> 2. stripslashes() before mysql_real_escape_string()

Here's a helpful function that I use:

<?php
// mysql_real_escape_string() needs an open mysql_connect() link.
function myEscape($string){
    return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
}
?>

So, when you want to escape user data, simply do:

<?php
$userName = myEscape($_POST['username']);
?>

As far as output is concerned, I always thought that any escaped data in a database won't look escaped when outputted. So, no slashes or anything.
polemios Posted October 17, 2007 Author
Nightslyr, that is a crazy looking function. I'm not that deep into PHP, so the ? and the : look weird to me. Is it some sort of shorthand? What does it do exactly? Also, it looks like I don't have access to edit the php.ini on my client's hosting plan, so turning it off is out of the question. I guess I'll try Nightslyr's function. That way I can still escape it and strip the slashes in a compact package.
BlueSkyIS Posted October 17, 2007
Nightslyr's function looks good! ? and : Essentially the function says: is magic_quotes turned on (get_magic_quotes_gpc())? If so, stripslashes() before using mysql_real_escape_string(); if not, just use mysql_real_escape_string() without stripslashes(). Very nice.
KevinM1 Posted October 17, 2007
The ? : is a trinary operator. Explaining it requires an example. My function is:

<?php
function myEscape($string){
    return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
}
?>

That's the same as typing:

<?php
function myEscape($string){
    if(get_magic_quotes_gpc()){
        return mysql_real_escape_string(stripslashes($string));
    }
    else{
        return mysql_real_escape_string($string);
    }
}
?>

So, instead of:

if(conditional statement){
    //do something
}
else{
    //do something else
}

It can be shortened to:

conditional statement ? //do something : //do something else
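An added example, not code from anyone in this thread: it models the double-escaping BlueSkyIS describes and the strip-then-escape fix in Nightslyr's myEscape(), then shows the apostrophe round-tripping intact through a prepared statement. Assumptions: addslashes() stands in for both magic_quotes_gpc and mysql_real_escape_string() (which needs a live MySQL link and was removed in PHP 7), and an in-memory SQLite table stands in for the MySQL table.

```php
<?php
// Added example (not from the thread). addslashes() plays the role of
// magic_quotes_gpc and of the escaping step; SQLite stands in for MySQL.

// What a form value looks like after magic_quotes_gpc has already run.
function simulateMagicQuotes(string $raw): string {
    return addslashes($raw);
}

// The thread's bug: escaping an input that magic quotes already escaped,
// so the backslash itself gets escaped and survives into the table.
function doubleEscaped(string $fromForm): string {
    return addslashes($fromForm);
}

// Nightslyr's fix, written against addslashes(): strip first when magic
// quotes is on, then escape exactly once.
function escapeOnce(string $fromForm, bool $magicQuotesOn): string {
    return $magicQuotesOn ? addslashes(stripslashes($fromForm)) : addslashes($fromForm);
}

// The approach that makes the question go away: bind the raw value and let
// the driver handle quoting. What comes back is exactly what went in.
function roundTrip(string $raw): string {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE notes (body TEXT)');
    $ins = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $ins->execute([':body' => $raw]);
    return (string) $db->query('SELECT body FROM notes')->fetchColumn();
}

$raw      = "This isn't a good sentence.";          // constructed sample input
$fromForm = simulateMagicQuotes($raw);              // This isn\'t a good sentence.

echo "form value : $fromForm\n";
echo "escaped 2x : " . doubleEscaped($fromForm) . "\n";    // This isn\\\'t ... (table keeps a slash)
echo "escaped 1x : " . escapeOnce($fromForm, true) . "\n"; // This isn\'t ...   (table is clean)
echo "round trip : " . roundTrip($raw) . "\n";             // This isn't a good sentence.
```

The "escaped 2x" line is the SQL literal that leaves a literal backslash in the stored row, which is why the output functions saw slashes on the server (magic quotes on) but not locally (magic quotes off).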
polemios Posted October 17, 2007 Author
Thanks for the explanation guys. I love more efficient code. I used the myEscape function and it works great. There is still one issue though. I keep getting trailing apostrophes at the end of my strings. It isn't present in my MYSQL entry, so it looks like they're appearing in my formatHTML and formatXML functions. But this also doesn't happen locally. Would this also have to do with the magic_quotes thing?
KevinM1 Posted October 17, 2007
> Thanks for the explanation guys. I love more efficient code. I used the myEscape function and it works great. There is still one issue though. I keep getting trailing apostrophes at the end of my strings. It isn't present in my MYSQL entry, so it looks like they're appearing in my formatHTML and formatXML functions. But this also doesn't happen locally. Would this also have to do with the magic_quotes thing?

Hmm... I don't think magic quotes would affect that. Try commenting out your ereg_replace("\'", ....) lines and see what happens.
polemios Posted October 18, 2007 Author
Thanks. Once I removed the slashes going into the mysql file, I didn't need to remove them upon output, so like you said, I commented out that code in my format functions. Thanks to you guys.