  1. #1
    New Coder
    Join Date
    Apr 2006
    Posts
    50
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Escaping Strings Question

    Hey guys,
    I have created a basic little news application for a website I run. I understand that I need to properly escape the string before inserting it into the database by using functions such as mysql_real_escape_string().

    Now when I output the data from my database that has any quotes in it, it's going to end up having slashes and all in front of them.

    Do I need to just do a simple stripslashes() on all of the data I am getting from the database each time or something? Is this the proper way of doing it?

    ------------------

    Example:
    Input for news title is: This is Kyle's News Post

    This gets stored in db as: This is Kyle\'s News Post

    If I echo out this table row, I end up displaying on my website: This is Kyle\'s News Post

    I want to display: This is Kyle's News Post

    I guess what I am asking is, what is the proper way of escaping the data for inserting strings into a database, and then what is the proper way of displaying this data back from the database onto my website so I don't end up with problems as described in the example above.


    Thanks a lot guys,
    Kyle
    Last edited by xxkylexx; 07-17-2008 at 07:12 AM.

  • #2
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,131
    Thanks
    2
    Thanked 328 Times in 320 Posts
    Slashes in data retrieved from a database are the result of the magic_quotes_runtime setting. The slashes are not actually in the database.

    Because the magic_quotes_runtime setting has been removed in upcoming php6, it is better to turn the setting off rather than to write code to deal with the slashes that the setting adds.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #3
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Hi mate,
    The escape sequence on database fetched values is from the magic_quotes_runtime. The escape string function preps the data to insert into the database, but does not actually contain those characters - it's an indication that the database should keep within the bounds of the already quoted string from the actual query.

    I would recommend disabling the runtime with set_magic_quotes_runtime(0). This is defaulted to off in php, but will also be removed in PHP 6. Save yourself a headache and just disable it at all times.

    Edit:
    Bah, beaten by CFMaBiSmAd! That's twice today :P
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)

  • #4
    New Coder
    Join Date
    Apr 2006
    Posts
    50
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Hey guys,
    magic_quotes_runtime is already turned off on my server. This can be seen by viewing my PHP info file.

    I also verified this by running the following, which returned 0.
    Code:
    echo get_magic_quotes_runtime();

    The way I am currently storing and retrieving the data is by the following:

    variable that gets inserted into the database:
    Code:
    $title = mysql_real_escape_string($_POST['title']);
    when printing out the data to my website from the database:
    Code:
    echo $row['title'];
    This is resulting in the problem described in the example in my original post. I looked in my database, and the fields do indeed have the escaping slashes stored.
    Last edited by xxkylexx; 07-17-2008 at 08:00 AM.

  • #5
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,131
    Thanks
    2
    Thanked 328 Times in 320 Posts
    That means that the $_POST data is being escaped by the magic_quotes_gpc setting. Your call to mysql_real_escape_string() is double-escaping the data.

    The magic_quotes_gpc setting has also been removed in php6. It is best to turn it off than to write code to remove the slashes that it adds to external data.
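    The double escaping CFMaBiSmAd diagnoses here can be reproduced without a database. The script below is an added example, not code from the thread: addslashes() stands in for the magic_quotes_gpc transformation (which it matches exactly) and also for mysql_real_escape_string() (which needs a live connection and escapes a few more characters, but treats the single quote the same way), and a toy stripslashes()-based decoder models the single level of unescaping the server applies to a quoted literal. The $undoGpc flag applies the fix the thread later arrives at: strip the GPC slashes once before escaping for the query.

```php
<?php
// Added example (not code from the thread): reproduce the "Kyle\'s" double
// escaping without a database by modelling the two escaping layers in PHP.

// Layer 1: magic_quotes_gpc. When On, PHP runs every GET/POST/Cookie value
// through the same transformation as addslashes(): \ ' " and NUL get a backslash.
function apply_magic_quotes_gpc(string $value, bool $gpcOn): string
{
    return $gpcOn ? addslashes($value) : $value;
}

// Layer 2: the application's own escaping before building the query.
// addslashes() stands in for mysql_real_escape_string(), which needs a live
// connection; for the single quote the two behave the same way.
function escape_for_query(string $value): string
{
    return addslashes($value);
}

// What the server stores: it decodes the backslash escapes in a quoted literal
// exactly once, so \' becomes ' and \\ becomes \. Assumption: this is a toy
// decoder for illustration, not MySQL's full literal parser.
function mysql_literal_decode(string $escaped): string
{
    return stripslashes($escaped);
}

// Simulates the insert path from the thread. $gpcOn plays the role of
// get_magic_quotes_gpc(); $undoGpc applies the one-time stripslashes() fix.
function stored_title(string $posted, bool $gpcOn, bool $undoGpc): string
{
    $value = apply_magic_quotes_gpc($posted, $gpcOn);
    if ($undoGpc && $gpcOn) {
        $value = stripslashes($value);
    }
    $sqlLiteral = "'" . escape_for_query($value) . "'";
    // Drop the surrounding quotes and decode once, as the server would.
    return mysql_literal_decode(substr($sqlLiteral, 1, -1));
}

// Constructed sample input, as if it came from $_POST['title'].
$input = "This is Kyle's News Post";

foreach ([[false, false], [true, false], [true, true]] as [$gpcOn, $undoGpc]) {
    printf("gpc %-3s undo %-3s -> %s\n",
        $gpcOn ? 'On' : 'Off',
        $undoGpc ? 'yes' : 'no',
        stored_title($input, $gpcOn, $undoGpc));
}
```

    Run it from the command line with php. The middle line (GPC on, no fix) reproduces the stored value from the original post, with the backslash inside the column; the other two paths store the apostrophe cleanly. The point to take away is that the slash in the database is not an artifact of mysql_real_escape_string() on its own but of two escaping passes feeding one decoding pass.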

  • #6
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    That's right, I'm so looking forward to this upgrade
    I've posted some code in the snippets section as well under GPC Stripping Tutorial. That takes care of stripping the slashes from magic_quotes_gpc off of your globals so you can use mysql_real_escape_string on them. Just throw it in a global file and include it in - you'll be good to go

  • #7
    New Coder
    Join Date
    Apr 2006
    Posts
    50
    Thanks
    2
    Thanked 0 Times in 0 Posts
    This is annoying. I can't seem to get it turned off properly or something. I turned it all off in my server's php.ini file altogether. You can see this in my PHP Info file. However, I am still continuing to have the same issue.

    Directive             Local Value   Master Value
    magic_quotes_gpc      Off           Off
    magic_quotes_runtime  Off           Off
    magic_quotes_sybase   Off           Off
    If I escape my variables in the following manner, I don't end up with the issue:
    Code:
    $content = mysql_real_escape_string(stripslashes($_POST['content']));

    Also, can you explain to me how mysql_real_escape_string actually works, and is safe, if it is not escaping the string with slashes? My understanding was it worked just like I assume magic_quotes would on a string.

    Thanks again guys.
    Last edited by xxkylexx; 07-17-2008 at 05:19 PM.

  • #8
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,131
    Thanks
    2
    Thanked 328 Times in 320 Posts
    Sometimes, incorrect syntax in the setting will cause the value to display one thing in phpinfo() but cause a different value to be used by php. Show the actual lines where you have set the values.

    Are you doing all this work in a single folder? Do you have any .htaccess files that could be modifying the magic_quotes values?

    The mysql_real_escape_string() function escapes all the special characters that can break a query. The magic_quote settings and addslashes only escape a small set of special characters, leaving open the possibility that a hacker can insert characters into a query that will cause it to fail and trigger error messages (depending on your server settings and what your code is doing) that could expose information about your server that he should not be able to get.
    Last edited by CFMaBiSmAd; 07-17-2008 at 05:34 PM.

  • #9
    New Coder
    Join Date
    Apr 2006
    Posts
    50
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Here's my php.ini file:

    ; This directive is deprecated. Use variables_order instead.
    gpc_order = "GPC"

    ; Magic quotes
    ;

    ; Magic quotes for incoming GET/POST/Cookie data.
    magic_quotes_gpc = Off

    ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
    magic_quotes_runtime = Off

    ; Use Sybase-style magic quotes (escape ' with '' instead of \').
    magic_quotes_sybase = Off
    I have PHP running in CGI mode, so flags cannot be set in my .htaccess files to overwrite anything from php.ini.

    So how does mysql_real_escape_string() escape these characters without inserting a slash, like the others?

    Thanks!

  • #10
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,131
    Thanks
    2
    Thanked 328 Times in 320 Posts
    It does insert a slash (Edit: into the string, not the database.) Echo something after mysql_real_escape_string() has been applied to it.
    Last edited by CFMaBiSmAd; 07-17-2008 at 06:31 PM. Reason: Clarify what insert means.

  • #11
    New Coder
    Join Date
    Apr 2006
    Posts
    50
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Bah. Now I am getting really confused.

    Then how am I able to do the following without getting the same results with the slashes echoed back?

    --------

    Title input: Kyle's News Post

    PHP Code:
    $title = mysql_real_escape_string($_POST['title']);

    ... 
    $title inserted into database

    PHP Code:
    ...

    echo $row['title'];
    Displayed on my website from database call: Kyle\'s News Post

    I want: Kyle's News Post (but safely stored in my database)
    Last edited by xxkylexx; 07-17-2008 at 06:20 PM.

  • #12
    Supreme Master coder! abduraooft's Avatar
    Join Date
    Mar 2007
    Location
    N/A
    Posts
    14,864
    Thanks
    160
    Thanked 2,224 Times in 2,211 Posts
    Before displaying the string, pass your data through stripslashes()
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)

  • #13
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    Quote Originally Posted by abduraooft View Post
    Before displaying the string, pass your data through stripslashes()
    You shouldn't have to if the data isn't escaped twice.

    @xxkylexx Are you sure your host allows for a custom php.ini file? Are you by chance hosting the site on your own computer? If so what setup do you have?
    ||||If you are getting paid to do a job, don't ask for help on it!||||
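    The reply above is right that no stripslashes() is needed once the data is escaped only once, and the cleanest way to get there is to stop hand-escaping altogether. The following is an added example, not code from the thread or from any poster: it uses PDO prepared statements instead of the mysql_ extension the thread discusses, backed by an in-memory SQLite database so it runs offline (with MySQL only the DSN changes), and it moves escaping to the output boundary with htmlspecialchars(), which the thread's echo $row['title'] omits. The magic_quotes_gpc guard is an assumption about running this on a server as old as the one in the thread; on current PHP the function no longer exists and the guard is skipped.

```php
<?php
// Added example (not code from the thread): store and redisplay a news title
// with no manual SQL escaping. Parameters are bound, so the value is never
// part of the SQL text and no slashes are added or need stripping.

function open_db(): PDO
{
    // In-memory SQLite so the example runs offline; with MySQL the DSN would
    // be e.g. 'mysql:host=localhost;dbname=news;charset=utf8mb4' (assumed values).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    return $db;
}

// The title travels as a bound parameter: quotes, backslashes or a stray
// semicolon in it can never terminate the literal or alter the statement.
function insert_title(PDO $db, string $title): int
{
    $stmt = $db->prepare('INSERT INTO news (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
    return (int) $db->lastInsertId();
}

function fetch_title(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT title FROM news WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : $title;
}

// Escaping belongs at the output boundary and uses the output's own syntax
// (HTML here), not the database's. The stored text is left untouched.
function render_title(string $title): string
{
    return '<h2>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h2>';
}

// Constructed sample input, as if it came from $_POST['title'].
$posted = "This is Kyle's \"quoted\" News Post";

// Only relevant on a server with magic_quotes_gpc still On: undo it exactly
// once, before the value is treated as data. Assumed legacy-server guard; the
// function was removed in PHP 8, so function_exists() skips it there.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $posted = stripslashes($posted);
}

$db = open_db();
$id = insert_title($db, $posted);
$stored = fetch_title($db, $id);

echo 'Stored in column: ', $stored, "\n";
echo 'Rendered as HTML: ', render_title($stored), "\n";
```

    The stored value is byte-for-byte what was posted, and the apostrophe and double quotes only get transformed into HTML entities at render time, where that is the correct thing to do. Treating the database layer and the HTML layer as two separate encodings is what removes the temptation to sprinkle stripslashes() over every read.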


  • #14
    New Coder
    Join Date
    Apr 2006
    Posts
    50
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by _Aerospace_Eng_ View Post
    You shouldn't have to if the data isn't escaped twice.

    @xxkylexx Are you sure your host allows for a custom php.ini file? Are you by chance hosting the site on your own computer? If so what setup do you have?
    I own my server, so I am the host. The above php.ini snippet is taken from the global server php.ini file at /usr/local/lib/php.ini, which I edited.

    If I run the string through the following:

    PHP Code:
    $title = mysql_real_escape_string(stripslashes($_POST['title']));
    or

    PHP Code:
    $title = $_POST['title'];
    or

    PHP Code:
    $title = addslashes(stripslashes($_POST['title']));
    The data gets stored in the database as: Kyle's News Post

    But if I run the string through this:

    PHP Code:
    $title = mysql_real_escape_string($_POST['title']);
    or this:

    PHP Code:
    $title = $_['title'];

    if (get_magic_quotes_gpc()) {
        $title = stripslashes($title);
    }

    $title = mysql_real_escape_string($title);
    It gets stored into the database as: Kyle\'s News Post
    Last edited by xxkylexx; 07-17-2008 at 07:09 PM.

  • #15
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    This is strange.
    I noticed that your PHP is compiled with magic-quotes and running as a CGI. I wonder if perchance it's still overriding your configuration directives, but that doesn't explain why get_magic_quotes_gpc() returns false. That last block of code with the gpc check should work for you without any trouble (of course, you meant $_POST['title']).
    The simplest test I can think of is a simple form with entry:
    PHP Code:
    <?php
    if (isset($_POST['name']))
    {
        printf("Entered %s<br />\n", $_POST['name']);
        if (get_magic_quotes_gpc())
        {
            print("BTW, GPC is enabled...<br />\n");
        }
    }
    ?>
    <form method="post">
    <input type="text" name="name" />
    <input type="submit" value="submit" />
    </form>
    If you enter Kyle's in there and it shows up as Kyle\'s, it's definitely your magic_quotes. If that is the case, the btw message should be displayed. If it doesn't, there is something wrong.

