Re: [fw-general] quoteOutOf?

2009-10-19 Thread Hector Virgen
Yes, the quote method does add quotes around the string (which is why the
method is named "quote"). It also works with arrays, quoting each value in
the array and joining the quoted values with commas.
That means that in your queries, you need to omit the quotes:

$name = 'John';
echo $name; // John (no quotes)
$quotedName = $db->quote($name); // returns 'John' (with quotes)

--
Hector


On Mon, Oct 19, 2009 at 5:31 PM, brgi  wrote:

>
> Have been having this same problem where quote() surrounds the data in my
> table with single quotes. Which I thought was the desired behavior until
> reading this thread. I've got magic quotes off. Not understanding how this
> function *doesn't* surround data with quotes. Am looking at the method in
> the Zend/Db/Adapter/Mysqli.php file and seeing:
>
> 
>     /**
>      * Quote a raw string.
>      *
>      * @param mixed $value Raw string
>      *
>      * @return string   Quoted string
>      */
>     protected function _quote($value)
>     {
>         if (is_int($value) || is_float($value)) {
>             return $value;
>         }
>         $this->_connect();
>         return "'" . $this->_connection->real_escape_string($value) . "'";
>     }
> 
>
> That sure looks like it applies quotes, no?
> --
> View this message in context:
> http://www.nabble.com/quoteOutOf--tp6416052p25967880.html
> Sent from the Zend Framework mailing list archive at Nabble.com.
>
>
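
As an added example (not code from the thread or from Zend Framework itself), the following script makes Hector's point concrete: quote() returns a complete SQL literal, delimiters included, so those quotes must neither be written again in the query nor passed along to a binding API. It assumes Zend Framework 1 on the include path and PDO SQLite available; the `people` table and the sample name are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Assumes Zend Framework 1 is on the
// include path and PDO SQLite is available. The table and the sample name
// are constructed for this demonstration.
require_once 'Zend/Db.php';

/** In-memory SQLite adapter with a one-column table (constructed fixture). */
function makePeopleDb()
{
    $db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
    $db->query('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)');
    return $db;
}

$db   = makePeopleDb();
$name = "O'Brien";   // a value that needs escaping

// quote() returns the whole literal: delimiters plus escaping of the
// embedded quote. Print it to see that the output already carries quotes.
$literal = $db->quote($name);
echo 'quote() returned: ', $literal, "\n";

// Right: splice the literal into SQL exactly where a literal belongs,
// without writing any quotes of your own around it.
$db->query('INSERT INTO people (name) VALUES (' . $literal . ')');

// Also right: give the binding API the raw value and let it do the escaping.
$db->insert('people', array('name' => $name));

// Wrong: quoting the value *and* handing it to the binding API. The
// delimiters and escape characters become part of the stored data; this is
// the double-quoting Jared describes in his message in this thread.
$db->insert('people', array('name' => $db->quote($name)));

// The first two rows read back as the original value; the third row keeps
// the extra quote characters as data.
foreach ($db->fetchAll('SELECT id, name FROM people ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['name'], "\n";
}
```

Run it from a directory where `Zend/` resolves on the include path. The third row is the one to look at: the stored string is longer than the input, which is the quickest way to tell that a value has been quoted twice.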


Re: [fw-general] quoteOutOf?

2009-10-19 Thread brgi

Have been having this same problem where quote() surrounds the data in my
table with single quotes. Which I thought was the desired behavior until
reading this thread. I've got magic quotes off. Not understanding how this
function *doesn't* surround data with quotes. Am looking at the method in
the Zend/Db/Adapter/Mysqli.php file and seeing: 


    /**
     * Quote a raw string.
     *
     * @param mixed $value Raw string
     *
     * @return string   Quoted string
     */
    protected function _quote($value)
    {
        if (is_int($value) || is_float($value)) {
            return $value;
        }
        $this->_connect();
        return "'" . $this->_connection->real_escape_string($value) . "'";
    }


That sure looks like it applies quotes, no? 
-- 
View this message in context: 
http://www.nabble.com/quoteOutOf--tp6416052p25967880.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] quoteOutOf?

2008-12-17 Thread Nicolas Cynober

Thanks,

Set magic_quotes_gpc Off helped me out.


Matthew Weier O'Phinney-3 wrote:
> 
> -- Mauricio Cuenca  wrote
> (on Thursday, 27 March 2008, 05:20 AM -0700):
>> This post just gets me more confused, because I'm using $db->quote() in
>> almost all my inserts, but when I get the data back, all my carriage
>> returns
>> are converted to \n\r 
> 
> The above is likely something to do with your database or with the input
> provided, not with Zend_Db. 
> 
>> and single quotes become \'. I also used PHP's
>> stripslashes() but has no effect on carriage returns.
> 
> My guess is that you have magic_quotes_gpc on, so data is getting into
> the database with quotes escaped. Please make sure this setting is off.
> 
> Zend_Db_Adapter::quote() itself will only escape quotes for insertion;
> when you get them back from the database, they will not be quoted. What
> *can* happen, however, is double escaping, which typically happens when
> you have magic_quotes_gpc on *and* use a tool such as
> Zend_Db_Adapter::quote(); this leads to the exact situation you've
> described.
> 
>> Is there an effective way to "unquote" results that were inserted using
>> quote() ?
>> 
>> Thanks!
>> 
>> Mauricio
>> 
>> 
>> 
>> Matthew Ratzloff wrote:
>> > 
>> > Hi Jared,
>> > 
>> >> I'm just now learning all the intricacies of preventing SQL injection
>> >> attacks.  I understand the value of using Zend_Db quoting for values
>> that
>> >> can be manipulated by users.. what I can't find, though, is a good
>> >> "unescape" command.
>> >>
>> >> If I have an article, for example, that I want to store and then
>> retrieve
>> >> and display, I'll quote the article before inserting it.  This will,
>> >> of course, escape all quotes, but it will also put a set of single
>> quotes
>> >> around my entire article.  When I then retrieve the article and run
>> >> "stripslashes()" to unescape the quotes, it leaves the surrounding
>> single
>> >> quotes.
>> > 
>> > Looking at your example, I think you may be a little confused. 
>> Escaping
>> > certain characters in preparation for use in an SQL statement simply
>> > inserts the values as intended to be read by the end user into the
>> > database.  There's no need to unescape them following a SELECT
>> statement
>> > because no escape characters are stored in the database record.
>> > 
>> > For anyone else that's curious--without escaping, someone might enter
>> the
>> > following:
>> > 
>> > Username: admin
>> > Password: ' OR '1' = '1
>> > 
>> > If it's not properly filtered, it could break out of the "AND Password
>> =
>> > '(password)'" portion of the WHERE clause and return admin without
>> > properly authenticating them.
>> > 
>> > Hope that helps,
>> > 
>> > -Matt
>> > 
>> > 
>> > 
>> 
>> -- 
>> View this message in context:
>> http://www.nabble.com/quoteOutOf--tp6416052p16324521.html
>> Sent from the Zend Framework mailing list archive at Nabble.com.
>> 
> 
> -- 
> Matthew Weier O'Phinney
> PHP Developer| matt...@zend.com
> Zend - The PHP Company   | http://www.zend.com/
> 
> 

-- 
View this message in context: 
http://www.nabble.com/quoteOutOf--tp6416052p21051870.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] quoteOutOf?

2008-03-27 Thread Matthew Weier O'Phinney
-- Mauricio Cuenca <[EMAIL PROTECTED]> wrote
(on Thursday, 27 March 2008, 05:20 AM -0700):
> This post just gets me more confused, because I'm using $db->quote() in
> almost all my inserts, but when I get the data back, all my carriage returns
> are converted to \n\r 

The above is likely something to do with your database or with the input
provided, not with Zend_Db. 

> and single quotes become \'. I also used PHP's
> stripslashes() but has no effect on carriage returns.

My guess is that you have magic_quotes_gpc on, so data is getting into
the database with quotes escaped. Please make sure this setting is off.

Zend_Db_Adapter::quote() itself will only escape quotes for insertion;
when you get them back from the database, they will not be quoted. What
*can* happen, however, is double escaping, which typically happens when
you have magic_quotes_gpc on *and* use a tool such as
Zend_Db_Adapter::quote(); this leads to the exact situation you've
described.

> Is there an effective way to "unquote" results that were inserted using
> quote() ?
> 
> Thanks!
> 
> Mauricio
> 
> 
> 
> Matthew Ratzloff wrote:
> > 
> > Hi Jared,
> > 
> >> I'm just now learning all the intricacies of preventing SQL injection
> >> attacks.  I understand the value of using Zend_Db quoting for values that
> >> can be manipulated by users.. what I can't find, though, is a good
> >> "unescape" command.
> >>
> >> If I have an article, for example, that I want to store and then retrieve
> >> and display, I'll quote the article before inserting it.  This will,
> >> of course, escape all quotes, but it will also put a set of single quotes
> >> around my entire article.  When I then retrieve the article and run
> >> "stripslashes()" to unescape the quotes, it leaves the surrounding single
> >> quotes.
> > 
> > Looking at your example, I think you may be a little confused.  Escaping
> > certain characters in preparation for use in an SQL statement simply
> > inserts the values as intended to be read by the end user into the
> > database.  There's no need to unescape them following a SELECT statement
> > because no escape characters are stored in the database record.
> > 
> > For anyone else that's curious--without escaping, someone might enter the
> > following:
> > 
> > Username: admin
> > Password: ' OR '1' = '1
> > 
> > If it's not properly filtered, it could break out of the "AND Password =
> > '(password)'" portion of the WHERE clause and return admin without
> > properly authenticating them.
> > 
> > Hope that helps,
> > 
> > -Matt
> > 
> > 
> > 
> 
> -- 
> View this message in context: 
> http://www.nabble.com/quoteOutOf--tp6416052p16324521.html
> Sent from the Zend Framework mailing list archive at Nabble.com.
> 

-- 
Matthew Weier O'Phinney
PHP Developer| [EMAIL PROTECTED]
Zend - The PHP Company   | http://www.zend.com/
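
The double-escaping Matthew describes can be reproduced and corrected in a few lines. The script below is an added example, not from the thread or from Zend Framework: it feeds quote() a value that already carries magic_quotes_gpc backslashes, then shows the same insert after the request data has been normalised once at the boundary. It assumes Zend Framework 1 on the include path and PDO SQLite; the `$post` array is constructed to look the way PHP delivers it with magic_quotes_gpc on, and `undoMagicQuotes()` and `magicQuotesActive()` are hypothetical helper names.

```php
<?php
// Added example, not from the thread. Assumes Zend Framework 1 on the include
// path and PDO SQLite. The request array below is constructed to look the
// way PHP delivers it with magic_quotes_gpc=On; the table is a fixture.
require_once 'Zend/Db.php';

/**
 * Reverse magic_quotes_gpc escaping on request data, recursing into nested
 * arrays, so that the adapter's quote() is the only escaping layer.
 */
function undoMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('undoMagicQuotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/** True only when the deprecated setting is on in this PHP build. */
function magicQuotesActive()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed: the browser submitted  O'Brien  but, with magic_quotes_gpc
// on, the script receives a backslash before the quote.
$post = array('body' => "O\\'Brien");

// Double escaping: quote() escapes the already-escaped text, so the
// backslash survives as data and reads back as  O\'Brien; that is the
// symptom Mauricio reports.
$db->query('INSERT INTO notes (body) VALUES (' . $db->quote($post['body']) . ')');

// Fix: normalise the request once, at the boundary, then quote as usual.
// undoMagicQuotes() is applied unconditionally here because $post was
// constructed as escaped; a real front controller would gate it on
// magicQuotesActive(), or simply turn the setting off as advised above.
$clean = undoMagicQuotes($post);
$db->query('INSERT INTO notes (body) VALUES (' . $db->quote($clean['body']) . ')');

// Row 1 still contains the backslash; row 2 is the text the user typed.
foreach ($db->fetchAll('SELECT id, body FROM notes ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['body'], "\n";
}
```

The important design point is that the stripping happens in exactly one place, before any database code sees the value; scattering stripslashes() over individual inserts is how the carriage-return and backslash symptoms in this thread end up being reported as a Zend_Db bug.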


Re: [fw-general] quoteOutOf?

2008-03-27 Thread Mauricio Cuenca

Hello,

This post just gets me more confused, because I'm using $db->quote() in
almost all my inserts, but when I get the data back, all my carriage returns
are converted to \n\r and single quotes become \'. I also used PHP's
stripslashes() but has no effect on carriage returns.

Is there an effective way to "unquote" results that were inserted using
quote() ?

Thanks!

Mauricio



Matthew Ratzloff wrote:
> 
> Hi Jared,
> 
>> I'm just now learning all the intricacies of preventing SQL injection
>> attacks.  I understand the value of using Zend_Db quoting for values that
>> can be manipulated by users.. what I can't find, though, is a good
>> "unescape" command.
>>
>> If I have an article, for example, that I want to store and then retrieve
>> and display, I'll quote the article before inserting it.  This will,
>> of course, escape all quotes, but it will also put a set of single quotes
>> around my entire article.  When I then retrieve the article and run
>> "stripslashes()" to unescape the quotes, it leaves the surrounding single
>> quotes.
> 
> Looking at your example, I think you may be a little confused.  Escaping
> certain characters in preparation for use in an SQL statement simply
> inserts the values as intended to be read by the end user into the
> database.  There's no need to unescape them following a SELECT statement
> because no escape characters are stored in the database record.
> 
> For anyone else that's curious--without escaping, someone might enter the
> following:
> 
> Username: admin
> Password: ' OR '1' = '1
> 
> If it's not properly filtered, it could break out of the "AND Password =
> '(password)'" portion of the WHERE clause and return admin without
> properly authenticating them.
> 
> Hope that helps,
> 
> -Matt
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/quoteOutOf--tp6416052p16324521.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] quoteOutOf?

2006-09-20 Thread jared

Thanks Matthew..

I was under the assumption that I needed to use  $db->quote()  before I used
Zend_Db_Table to insert the records.. and now that I understand the process
better, I see that that's just double-quoting everything.. 

I appreciate the quick feedback, my head is a lot clearer now.

-Jared


Matthew Ratzloff wrote:
> 
> Hi Jared,
> 
>> I'm just now learning all the intricacies of preventing SQL injection
>> attacks.  I understand the value of using Zend_Db quoting for values that
>> can be manipulated by users.. what I can't find, though, is a good
>> "unescape" command.
>>
>> If I have an article, for example, that I want to store and then retrieve
>> and display, I'll quote the article before inserting it.  This will,
>> of course, escape all quotes, but it will also put a set of single quotes
>> around my entire article.  When I then retrieve the article and run
>> "stripslashes()" to unescape the quotes, it leaves the surrounding single
>> quotes.
> 
> Looking at your example, I think you may be a little confused.  Escaping
> certain characters in preparation for use in an SQL statement simply
> inserts the values as intended to be read by the end user into the
> database.  There's no need to unescape them following a SELECT statement
> because no escape characters are stored in the database record.
> 
> For anyone else that's curious--without escaping, someone might enter the
> following:
> 
> Username: admin
> Password: ' OR '1' = '1
> 
> If it's not properly filtered, it could break out of the "AND Password =
> '(password)'" portion of the WHERE clause and return admin without
> properly authenticating them.
> 
> Hope that helps,
> 
> -Matt
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/quoteOutOf--tf2307893.html#a6417595
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] quoteOutOf?

2006-09-20 Thread Matthew Ratzloff
Hi Jared,

> I'm just now learning all the intricacies of preventing SQL injection
> attacks.  I understand the value of using Zend_Db quoting for values that
> can be manipulated by users.. what I can't find, though, is a good
> "unescape" command.
>
> If I have an article, for example, that I want to store and then retrieve
> and display, I'll quote the article before inserting it.  This will,
> of course, escape all quotes, but it will also put a set of single quotes
> around my entire article.  When I then retrieve the article and run
> "stripslashes()" to unescape the quotes, it leaves the surrounding single
> quotes.

Looking at your example, I think you may be a little confused.  Escaping
certain characters in preparation for use in an SQL statement simply
inserts the values as intended to be read by the end user into the
database.  There's no need to unescape them following a SELECT statement
because no escape characters are stored in the database record.

For anyone else that's curious--without escaping, someone might enter the
following:

Username: admin
Password: ' OR '1' = '1

If it's not properly filtered, it could break out of the "AND Password =
'(password)'" portion of the WHERE clause and return admin without
properly authenticating them.

Hope that helps,

-Matt
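
To make Matt's login example concrete, here is an added example (not from the thread or from Zend Framework) that runs the same `admin` / `' OR '1' = '1` input through an unescaped query, a quote()-based query and a placeholder-based query against an in-memory SQLite table. It assumes Zend Framework 1 on the include path and PDO SQLite; the `users` table, its single row and the clear-text password column are constructed only to mirror the WHERE clause in Matt's message, and the three `login*` function names are hypothetical.

```php
<?php
// Added example, not from the thread. Assumes Zend Framework 1 on the include
// path and PDO SQLite. The users table and its row are constructed; the
// password is stored in clear only so the query matches the shape in Matt's
// message (a real application stores a password hash and compares in PHP).
require_once 'Zend/Db.php';

function makeUsersDb()
{
    $db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
    $db->query('CREATE TABLE users (username TEXT, password TEXT)');
    $db->insert('users', array('username' => 'admin', 'password' => 'correct-horse'));
    return $db;
}

/** Unescaped: user input is concatenated straight into the statement. */
function loginUnescaped($db, $user, $pass)
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->fetchOne($sql) > 0;
}

/** Escaped with quote(): the embedded quote becomes part of the literal. */
function loginQuoted($db, $user, $pass)
{
    $sql = 'SELECT COUNT(*) FROM users WHERE username = ' . $db->quote($user)
         . ' AND password = ' . $db->quote($pass);
    return (int) $db->fetchOne($sql) > 0;
}

/** Bound parameters: the driver never parses the value as SQL at all. */
function loginBound($db, $user, $pass)
{
    $sql = 'SELECT COUNT(*) FROM users WHERE username = ? AND password = ?';
    return (int) $db->fetchOne($sql, array($user, $pass)) > 0;
}

$db   = makeUsersDb();
$user = 'admin';
$pass = "' OR '1' = '1";   // the input from Matt's message; not the real password

// Only the unescaped variant accepts this input: its WHERE clause becomes
// password = '' OR '1' = '1', which is true for every row. The other two
// compare the password column against the literal string the user typed.
var_dump(loginUnescaped($db, $user, $pass));
var_dump(loginQuoted($db, $user, $pass));
var_dump(loginBound($db, $user, $pass));
```

The quoted and bound variants are equivalent for this purpose; the bound form is preferable in new code because there is no string to get wrong, and it is also what Zend_Db_Table's insert() uses underneath, which is why quoting values before handing them to it (Jared's original mistake) stores the quote characters as data.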