Modica82 Posted January 19, 2008
Hi All, I have a PHP app, which works fine apart from one small problem. I escape characters when going into my database to protect against injection attacks etc., but the PHP parser does not unescape them (I am pretty new to PHP as I have done more ASP and .NET) and they are visible. Now I know I can use stripslashes on all the outputs that I have, but I want a better solution. I created a three-tier architecture, so I would rather handle this in my data access layer and create a function that will escape all the data returned from a result set (getting data from mysql_query); this way I only have to do this in one class and not the 100s of code files I have. Any ideas? R
https://forums.phpfreaks.com/topic/86833-solved-unescaping-database-resultset/
Ninjakreborn Posted January 19, 2008
If you are using MySQL then use the mysql_real_escape_string function. If you're using another database platform or setup then you can go ahead and use their built-in features for escaping bad characters. Either way, if there is no other solution then use the addslashes function. If nothing is working I don't know what to tell you. Or if you are using one of them and it's not escaping then I have no idea. Unless PHP is in safe mode and that function is disabled, which is unlikely.
Modica82 (Author) Posted January 19, 2008
Hi Businessman, the functions work (replaceslashes etc.), that's not an issue, but what I don't want to do is have to do it in each individual file that returns content; I want to do it in a central place so that I make the amendments once (i.e. in my data tier), so the data is escaped at the point of retrieval and not the point of output. I may not have explained it well. If I have to do it at the last level then that's what I have to do; I am just trying to find a more elegant solution that doesn't involve me sitting here for hours trying to put replaceslashes everywhere. R
Barand Posted January 19, 2008
If you need to remove slashes from your DB data then you are processing the input incorrectly. If you have "magic_quotes" ON, the slashes are added for you. So your POST data already contains something like "O\'Reilly". (This would be stored correctly as "O'Reilly".) If you now addslashes, you now have "O\\\'Reilly", which gets written to the DB as "O\'Reilly". So, before adding slashes with either addslashes or mysql_real_escape_string, check they haven't been added already by magic quotes.
Modica82 (Author) Posted January 19, 2008
Hi Barand, good spot, it was magic quotes, which was turned off on my local dev machine but not on the main server, which is why I never noticed it before. Will get the server admins to sort it out. Thanks again! R
Ninjakreborn Posted January 19, 2008
I hate magic quotes. They are a very annoying feature. There is something you can do about that to work around it. Below is an example of how to do the method universally so it can tell whether they are enabled or not.

    <?php
    if (!get_magic_quotes_gpc()) {
        // magic quotes are off: escape your variables here.
    }
    ?>

What this will do is check to see if magic quotes are disabled. If magic quotes are not turned on then it will escape; if magic quotes is turned on then it will pass right over your if control construct like it isn't there. Then you are guaranteed to have escaped values whether magic quotes is on or not, without falling victim to what Barand mentioned above.
Barand Posted January 19, 2008
I use something like this

    <?php
    function clean($data) {
        // undo the escaping magic quotes added, so the value is not escaped twice
        $res = get_magic_quotes_gpc() ? stripslashes($data) : $data;
        // escape exactly once for MySQL (needs an open mysql connection)
        $res = mysql_real_escape_string($res);
        return $res;
    }

    $var = clean($_POST['var']);
    ?>
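An added example, not code from any poster in this thread: it carries Barand's O\'Reilly walk-through into running code and extends his clean() idea to nested request arrays. It uses addslashes() in place of mysql_real_escape_string() only so it runs without a database connection, and guards get_magic_quotes_gpc() with function_exists() because PHP 8 removed that function.

```php
<?php
// Added example, not from the thread: undo the escaping magic_quotes_gpc applied,
// once, at request entry, so that the data layer can escape exactly once.

// Recursively strip the slashes magic quotes added to a scalar or a nested array
// (a single-scalar clean() misses array-valued $_POST fields).
function unmagic($value) {
    return is_array($value) ? array_map('unmagic', $value) : stripslashes($value);
}

// Call once from the front controller, before any other code reads the request.
// get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard;
// on PHP 8 nothing is quoted and this is a no-op.
function normalize_request() {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET    = unmagic($_GET);
        $_POST   = unmagic($_POST);
        $_COOKIE = unmagic($_COOKIE);
    }
}

// Escape once at the DB boundary. addslashes() stands in for
// mysql_real_escape_string() only so this example needs no database connection.
function escape_for_db($value) {
    return is_array($value) ? array_map('escape_for_db', $value) : addslashes($value);
}

// Constructed input: what $_POST looks like when magic quotes are ON.
$post_with_magic_quotes = array(
    'name' => "O\\'Reilly",                    // the literal characters O\'Reilly
    'tags' => array("it\\'s", "PHP\\\\MySQL"), // it\'s and PHP\\MySQL
);

// Wrong path: escaping the already-quoted value, the bug described above.
$double = escape_for_db($post_with_magic_quotes);
echo "double-escaped name: {$double['name']}\n";

// Right path: normalize first, then escape once.
$single = escape_for_db(unmagic($post_with_magic_quotes));
echo "escaped once name:   {$single['name']}\n";
echo "escaped once tags:   " . implode(', ', $single['tags']) . "\n";
```

In a real application normalize_request() runs once at the entry script and the data tier escapes; the constructed array here only stands in for the superglobals.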