[SOLVED] escaping characters and bringing them back in output

Hi everyone, this has been a recurring thorn in my side, so I'm going to try to post and see if anyone can help or send me in the right direction.

 

So, I'm escaping single and double quotes in PHP before entering strings into a MySQL database. Pretty run of the mill. So in MySQL a single quote is stored like this \' and a double like this \". Simple enough.

 

But then as it comes back into the browser I want to remove the slashes in the string, so it looks normal again. I have two functions that clean up the strings. One is set up to output XHTML-valid quote characters, the other is set up to use URL encoding because the output will eventually go into Flash using XML and then be unescaped using urlencode in ActionScript.

 

Well, they both work great locally on my machine, but they don't work at all when it's on the web. The slashes remain. Does anyone know what the difference is when viewed remotely and viewed locally?

 

Here are the two functions, they might be a little messy, but like I said, they work great on my machine when run locally.

 

function formatHTML ($text)
{
    // NOTE: ereg_replace() was deprecated in PHP 5.3 and removed in PHP 7.
    $text = ereg_replace("\r",'',$text);             // drop carriage returns
    $text = ereg_replace("\n\n","</p>\r<p>",$text);  // blank line -> paragraph break
    $text = ereg_replace("\n","<br />",$text);       // single newline -> <br />
    // In a double-quoted PHP string "\'" stays as backslash + quote, and in the
    // regex the backslash only escapes the quote, so this pattern matches a bare
    // apostrophe and swaps it for a typographic one. It never matches a stored
    // backslash.
    $text = ereg_replace("\'","&#8217;", $text);
    // Same again: "\&" is a literal "&", so this replaces "&#8217;" with itself.
    $text = ereg_replace("\&#8217;","&#8217;", $text);
    print $text;
}//end formatHTML

function formatXML ($text)
{
    $text = ereg_replace("\r",'',$text);             // drop carriage returns
    //the following lines are formatted with urlencoding, then the xml file is parsed in flash and the text is escaped using unescape(string);
    $text = ereg_replace("\n\n","%0a%0a",$text);
    $text = ereg_replace("\n","%0a",$text);
    // As in formatHTML(): "\'" is a regex-escaped quote, so this already turns
    // every apostrophe into %27 ...
    $text = ereg_replace("\'","%27", $text);
    // ... which leaves nothing for this line to match.
    $text = ereg_replace("'","%27", $text);
    // "\&" is a literal "&": this replaces "&#8217;" with "%27".
    $text = ereg_replace("\&#8217;","%27", $text);
    print $text;
}//end formatXML

 

any clues?

They need to be escaped if they aren't already escaped. If you have magic_quotes turned on (most likely), PHP will escape the input for you (from forms, etc.). If you end up with slashes in MySQL, then the escapes have also been escaped, leaving slashes. In other words, instead of inserting:

 

"This isn\'t a good sentence."

 

you're inserting

 

"This isn\\'t a good sentence."

 

leaving this in MySQL:

 

This isn\'t a good sentence.

 

I would take a look at your SQL to make sure you're not inserting double-slashes

Also, the slashes are coming from mysql_real_escape_string, which I'm using to escape the user input. I'm doing that as a security measure. If I don't use mysql_real_escape_string, won't people be able to input URL commands into the query?

Potentially, so if you are worried I would do one of two things:

 

1. turn off magic_quotes OR

2. stripslashes() before mysql_real_escape_string()

 

Here's a helpful function that I use:

<?php
function myEscape($string){
	return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
}
?>

 

So, when you want to escape user data, simply do:

<?php
   $userName = myEscape($_POST['username']);
?>

 

As far as output is concerned, I always thought that any escaped data in a database won't look escaped when outputted.  So, no slashes or anything.
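The double-escaping the two replies above describe, replayed end to end as an added example (this is not code posted by anyone in the thread). escapeForMysql() and unescapeLiteral() are stand-ins I wrote for mysql_real_escape_string() and for MySQL's own parsing of a backslash-escaped literal, because the real function needs a live MySQL connection and was removed in PHP 7; the magic_quotes check is passed in as a flag for the same reason (get_magic_quotes_gpc() is gone in PHP 8). The prepared-statement variant uses an in-memory SQLite database through PDO as a stand-in for MySQL, so the script needs PHP 7+ with the pdo_sqlite extension and nothing else.

```php
<?php
// Added example for this thread, not code posted by anyone in it. It replays
// the double-escaping the replies describe and shows the two ways out:
// Nightslyr's "stripslashes first" normalisation, and a prepared statement
// that never builds the literal by hand. Needs PHP 7+ with pdo_sqlite.

// Stand-in for mysql_real_escape_string(), which needs a live MySQL
// connection and was removed in PHP 7. It applies the same backslash
// escaping the MySQL C API uses for the default connection charset.
// (Assumption: a simplified model, not the real function.)
function escapeForMysql(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// What the server keeps once it has parsed a backslash-escaped literal
// (assumption: same simplified model, reversed).
function unescapeLiteral(string $literal): string
{
    return strtr($literal, [
        "\\\\" => "\\",
        "\\'"  => "'",
        "\\\"" => "\"",
        "\\0"  => "\0",
        "\\n"  => "\n",
        "\\r"  => "\r",
        "\\Z"  => "\x1a",
    ]);
}

// The original poster's host: magic_quotes_gpc=On (PHP 5 ran addslashes()
// over every GET/POST/cookie value) followed by an unconditional escape.
function storedDoubleEscaped(string $raw): string
{
    $fromForm = addslashes($raw);          // what $_POST already contains
    $literal  = escapeForMysql($fromForm); // escaped a second time
    return unescapeLiteral($literal);      // one backslash survives
}

// Nightslyr's myEscape(), with the magic_quotes state passed in so the
// example does not depend on get_magic_quotes_gpc() (removed in PHP 8).
function myEscapePortable(string $fromForm, bool $magicQuotesOn): string
{
    return escapeForMysql($magicQuotesOn ? stripslashes($fromForm) : $fromForm);
}

function storedNormalised(string $raw): string
{
    $fromForm = addslashes($raw);
    return unescapeLiteral(myEscapePortable($fromForm, true));
}

// The way that makes the whole slash question go away: let the driver bind
// the value. SQLite in memory stands in for MySQL here (assumption).
function storedViaPreparedStatement(string $raw): string
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (body TEXT)');
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);     // no addslashes, no escape call
    return (string) $db->query('SELECT body FROM posts')->fetchColumn();
}

// Output side: once the stored text carries no stray slashes, the only job
// left is HTML encoding. ENT_QUOTES covers the apostrophe formatHTML() was
// rewriting by hand; stripslashes() does not belong on the output path.
function formatForHtml(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample form input: one apostrophe, one backslash.
foreach (["This isn't a good sentence.", 'Path: C:\temp'] as $raw) {
    printf("input:           %s\n", $raw);
    printf("double-escaped:  %s\n", storedDoubleEscaped($raw));
    printf("normalised:      %s\n", storedNormalised($raw));
    printf("prepared stmt:   %s\n", storedViaPreparedStatement($raw));
    printf("html output:     %s\n\n", formatForHtml(storedNormalised($raw)));
}
```

Run it once with the loop as written: only the "double-escaped" line keeps a backslash in front of the apostrophe (and doubles the one in the path), which is exactly the value the thread shows landing in MySQL. The normalised and prepared-statement paths store the text as typed, and the output function then only has to worry about HTML, not about slashes. The prepared statement is the one to keep: with the driver binding the value there is nothing to escape on the way in and nothing to strip on the way out, whichever magic_quotes setting the host has.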

Nightslyr, that is a crazy looking function.  I'm not that deep into PHP, so the ? and the : look weird to me. Is it some sort of shorthand? What does it do exactly?

 

Also, it looks like I don't have access to edit the php.ini on my client's hosting plan, so turning it off is out of the question.

 

I guess I'll try Nightslyr's function. That way I can still escape it and strip the slashes in a compact package.

Nightslyr's function looks good!

 

? and :

 

Essentially the function says: is magic_quotes turned on?

 

get_magic_quotes_gpc() ?

 

If so, stripslashes() before using mysql_real_escape_string(); if not ( : ), just use mysql_real_escape_string() without stripslashes(). Very nice.

The ? : is a ternary operator.  Explaining it requires an example.

 

My function is:

<?php
function myEscape($string){
	return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
}
?>

 

That's the same as typing:

<?php
        function myEscape($string){
                if(get_magic_quotes_gpc()){
                        return mysql_real_escape_string(stripslashes($string));
                }
                else{
                        return mysql_real_escape_string($string);
                }
        }
?>

 

So, instead of:

 

if(conditional statement){

  //do something

}

else{

  //do something else

}

 

It can be shortened to:

 

conditional statement ? //do something : //do something else

Thanks for the explanation guys. I love more efficient code.

 

I used the myEscape function and it works great. There is still one issue though. I keep getting trailing apostrophes at the end of my strings. They aren't present in my MySQL entry, so it looks like they're appearing in my formatHTML and formatXML functions. But this also doesn't happen locally. Would this also have to do with the magic_quotes thing?

Hmm...I don't think magic quotes would affect that.  Try commenting out your ereg_replace("\'", ....) lines and see what happens.
