[PHP] quotes

2002-04-12 Thread Heidi Belal

Dear All,
I'm facing a problem and can't figure out the solution
and would love anyone's help.
the situation is this:
i have a form for users to fill, i take their entry
and enter it in the database, then i take it and
display it in a form so they can edit it.
the problem is this:
if users enter double quotes my html gets mixed up and
considers the user's quote to be the end of the output
value for the input field.
Example:


   

myvalue is a variable which is read from the DB and
contains a double quote now if 
myvalue = this is a double quote " like this.

the output html will look like this:


and the output like this:
this is a double quote

and that's it..cause it took the double quote as the
end of the value field.

now what do i do?  how can i prevent that from
happening?
Thanks,



=
Heidi Belal
www.code-corner.com
ICQ# 32127109

A bus stops at a bus station.
A train stops at a train station.  On my desk
I have a work station...

__
Do You Yahoo!?
Yahoo! Tax Center - online filing with TurboTax
http://taxes.yahoo.com/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[PHP] Quotes

2001-01-14 Thread rodrigo

I recently came across this problem and I am sure that there is a quick
fix for it. I need a solution to the quotes problem when sending
queries. I use single quotes to construct my SQL queries. This worked
fine since the data entered into the DB was all in Spanish.

However, yesterday I was typing in an English name that had a single
quote (say, like O'reilly) and the SQL query was all wrong.

What is the solution to this? Thanks in advance.
-- 

Ivan R. Quintero E.* (507)228-3477  
Aptdo 1263 * (507)228-9105
Balboa, Ancon  * 640-0370
Republic of Panama * 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




[PHP] quotes

2001-07-12 Thread Heidi Belal

Hey,
I have a problem using apostrophes/single quotes.
I am using PHP and MySQL.  The user enters data into
the text field and everything goes ok, until an
apostrophe/single quote is added in the middle of the
text - then disaster occurs!
Now i want to allow the user the ability of adding
apostrophes/single quotes.
As far as i understand the reason is because MySQL
accepts the text until the apostrophe/single quote.  So
my guess would be that i should manipulate the text
before inserting into the database, such that it
doesn't include apostrophes/single quotes.  But is
there something else i could place instead of the
apostrophe/single quote that would, when displayed,
show as an apostrophe/single quote.

Any ideas? Help would be great!
Heidi


=
Heidi Belal
ICQ# 32127109

A bus stops at a bus station.
A train stops at a train station.  On my desk
I have a work station...

__
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail
http://personal.mail.yahoo.com/





Re: [PHP] quotes

2002-04-12 Thread Erik Price


On Friday, April 12, 2002, at 06:06  PM, Heidi Belal wrote:

> if uses enter double quotes my html gets mixed up and
> considers the users quote to be the end of the output
> value for the input field.

...

> now what do i do?  how can i prevent that from
> happing?

As a rule of thumb, you should never ever cross-post to so many 
newsgroups or mailing lists!  Just asking here on the PHP list alone 
will get you the answer to this question.

That said, the PHP developers have created a function that can escape 
the quotes for you -- it is called "addslashes()".  Read the man pages 
for addslashes() and stripslashes() at www.php.net for information on 
their usage.

You may also be able to set the gpc_magic_quotes setting in your php.ini 
on your server, but using addslashes() and stripslashes() allows you to 
fine-tune your control.


Erik







Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]






Re: [PHP] quotes

2002-04-12 Thread Analysis & Solutions

> From: "Heidi Belal" <[EMAIL PROTECTED]>
On Fri, Apr 12, 2002 at 03:15:13PM -0700, hugh danaher wrote:

> >  > like this.">

> addslashes()
> stripslashes()

Nay.  She's asking about HTML.  Slashes aren't going to solve that.  All 
output from databases, or wherever, needs to go through 
htmlspecialchars().  That'll change " to &quot; so your HTML stays 
healthy.

--Dan

-- 
   PHP classes that make web design easier
SQL Solution  |   Layout Solution   |  Form Solution
sqlsolution.info  | layoutsolution.info |  formsolution.info
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7 Av #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409

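Dan's point, as an added example that is not part of this thread: Heidi's `$myvalue` is rendered into an input three ways, and PHP's DOM extension then parses each rendering to show what a browser would actually recover from the value attribute. Everything apart from `$myvalue` is constructed for the demo.

```php
<?php
// Added example: addslashes() does not repair an HTML attribute, because HTML
// has no backslash escape; htmlspecialchars() does, by turning " into &quot;.

// Render an <input> whose value attribute carries $value, passed through $escape.
function render_input(string $value, callable $escape): string
{
    return '<input type="text" name="myvalue" value="' . $escape($value) . '">';
}

// Parse the markup the way a browser would and return the value attribute the
// parser ends up with; null if the markup no longer yields exactly one <input>.
function value_seen_by_browser(string $html): ?string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // the broken renderings produce parse warnings
    $doc->loadHTML($html);
    libxml_clear_errors();
    $inputs = $doc->getElementsByTagName('input');
    if ($inputs->length !== 1) {
        return null;
    }
    return $inputs->item(0)->getAttribute('value');
}

$myvalue = 'this is a double quote " like this.';

$renderings = [
    // 1. Raw: the embedded quote closes the attribute, the tail becomes stray attributes.
    'raw'              => render_input($myvalue, fn($s) => $s),
    // 2. addslashes: the quote still closes the attribute and a literal backslash is
    //    now part of the page; this is the SQL/PHP-string escape, not an HTML one.
    'addslashes'       => render_input($myvalue, 'addslashes'),
    // 3. htmlspecialchars: " becomes &quot;, which the browser decodes back to ".
    'htmlspecialchars' => render_input($myvalue, fn($s) => htmlspecialchars($s, ENT_QUOTES)),
];

foreach ($renderings as $label => $html) {
    $seen = value_seen_by_browser($html);
    printf("%-16s %s\n    -> %s\n", $label, $html,
        $seen === $myvalue ? 'value round-trips intact'
                           : 'browser sees: ' . var_export($seen, true));
}
```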




Re: [PHP] quotes

2002-04-12 Thread hugh danaher

Heidi,

to your input:
addslashes()
to your output:
stripslashes()

Hope this helps,
Hugh
- Original Message -
From: "Heidi Belal" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>; "Egypt Developers"
<[EMAIL PROTECTED]>; "Egypt Programmers"
<[EMAIL PROTECTED]>; "js-jive mailing list"
<[EMAIL PROTECTED]>; "Php" <[EMAIL PROTECTED]>
Sent: Friday, April 12, 2002 3:06 PM
Subject: [PHP] quotes


> Dear All,
> I'm facing a problem and can't figure out the solution
> and would love anyones help.
> the situation is this:
> i have a form for users to fill, i take their entry
> and enter it in the database, then i take it and
> display it in a form so they can edit it.
> the problem is this:
> if uses enter double quotes my html gets mixed up and
> considers the users quote to be the end of the output
> value for the input field.
> Example:
>
> 
>
> 
> myvalue is a variable which is read from the DB and
> contains a double quote now if
> myvalue = this is a double quote " like this.
>
> the output html will look like this:
>  like this.">
>
> and the output like this:
> this is a double quote
>
> and that's it..cause it took the double quote as the
> end of the value field.
>
> now what do i do?  how can i prevent that from
> happing?
> Thanks,
>
>
>
> =
> Heidi Belal
> www.code-corner.com
> ICQ# 32127109
>
> A bus stops at a bus station.
> A train stops at a train station.  On my desk
> I have a work station...
>
> __
> Do You Yahoo!?
> Yahoo! Tax Center - online filing with TurboTax
> http://taxes.yahoo.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>






Re: [PHP] quotes

2002-04-13 Thread Heidi Belal

Thanks!
This is what i was looking for.
and i'm actually using jsps and java servlets, but i
knew i'd find the solution somewhere...now i've
discovered what needs to be done to solve the
problem..and i've found a function that will convert
the html special characters!
Thanks again!
Heidi

--- Analysis & Solutions
<[EMAIL PROTECTED]> wrote:
> > From: "Heidi Belal" <[EMAIL PROTECTED]>
> On Fri, Apr 12, 2002 at 03:15:13PM -0700, hugh
> danaher wrote:
> 
> > >  > > like this.">
> 
> > addslashes()
> > stripslashes()
> 
> Nay.  She's asking about HTML.  Slashes aren't going
> to solve that.  All 
> output from databases, or wherever, needs to go
> through 
> htmlspecialchars().  That'll change " to &quot; so
> your HTML stays 
> healthy.
> 
> --Dan
> 
> -- 
>PHP classes that make web design
> easier
> SQL Solution  |   Layout Solution   |  Form
> Solution
> sqlsolution.info  | layoutsolution.info | 
> formsolution.info
>  T H E   A N A L Y S I S   A N D   S O L U T I O N S
>   C O M P A N Y
>  4015 7 Av #4AJ, Brooklyn NY v: 718-854-0335
> f: 718-854-0409
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 






RE: [PHP] Quotes

2001-01-14 Thread James Moore

addslashes()

James
--  
James Moore
PHP Quality Assurance Team
[EMAIL PROTECTED] 

> -Original Message-
> From: rodrigo [mailto:[EMAIL PROTECTED]]
> Sent: 14 January 2001 21:41
> To: php php
> Subject: [PHP] Quotes
> 
> 
> I recently came across this problem and I am sure that there is a quick
> fix for it. I need a solution to the quotes problem when sending
> queries. I use single quotes to construct my SQL queries. This worked
> fine since the data entered into the DB was all in spanish.
> 
> However, yesterday I was typing in an English name that had a single
> quote (say, like O'reilly) and the SQL querie was all wrong.
> 
> What is the solution to this? Thanks in advance.
> -- 
> 
> Ivan R. Quintero E.* (507)228-3477
> Aptdo 1263   * (507)228-9105
> Balboa, Ancon* 640-0370
> Republic of Panama * 
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]





Re: [PHP] Quotes

2001-01-14 Thread Philip Olson

Look into functions stripslashes() and addslashes() as well as the setting
magic_quotes_gpc :

 http://www.php.net/manual/en/function.addslashes.php

 http://www.php.net/manual/en/configuration.php#ini.magic-quotes-gpc

But quite simply, addslashes($foo) will add slashes before the quotes
within $foo, which will put it into the database nicely.  If you have
magic_quotes_gpc on then this should be automatic (see manual for when).

Philip


On Sun, 14 Jan 2001, rodrigo wrote:

> I recently came across this problem and I am sure that there is a quick
> fix for it. I need a solution to the quotes problem when sending
> queries. I use single quotes to construct my SQL queries. This worked
> fine since the data entered into the DB was all in spanish.
> 
> However, yesterday I was typing in an English name that had a single
> quote (say, like O'reilly) and the SQL querie was all wrong.
> 
> What is the solution to this? Thanks in advance.
> -- 
> 
> Ivan R. Quintero E.* (507)228-3477
> Aptdo 1263   * (507)228-9105
> Balboa, Ancon* 640-0370
> Republic of Panama * 
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
> 






Re: [PHP] Quotes

2001-01-14 Thread Chris Adams

On 14 Jan 2001 10:38:12 -0800, rodrigo <[EMAIL PROTECTED]> wrote:
>However, yesterday I was typing in an English name that had a single
>quote (say, like O'reilly) and the SQL querie was all wrong.

You need to escape the special characters (' becomes '' or \' depending on
database flavor). PHP's built-in addslashes() function does this nicely. If
your database complains about something addslashes() doesn't catch, there may
also be a db-specific function like mysql_escape_string() which ensures that
the string is safe to use in a query. 

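The O'reilly case from rodrigo's message, worked through as an added example (not code from the thread) against an in-memory SQLite database constructed here. SQLite follows the SQL standard and doubles the quote, so it also shows the "depending on database flavor" caveat: MySQL-style backslash escaping is a syntax error elsewhere. The `people` table and the `sql_quote` helper are assumptions.

```php
<?php
// Added example: escaping an apostrophe for interpolation into SQL, per flavour,
// next to the approach that needs no escaping at all (parameter binding).

// Quote a value as a string literal for the given flavour:
//   'standard' (SQLite, PostgreSQL): ' -> ''
//   'mysql':                         backslash escaping, what addslashes() does
// (For a live MySQL connection the charset-aware mysqli_real_escape_string()
// or binding is the right tool; addslashes() is what this thread discusses.)
function sql_quote(string $value, string $flavour): string
{
    if ($flavour === 'mysql') {
        return "'" . addslashes($value) . "'";
    }
    return "'" . str_replace("'", "''", $value) . "'";
}

// Run an INSERT built by string concatenation. Returns true on success or the
// engine's error message on failure; $flavour null means "no escaping at all".
function insert_interpolated(PDO $db, string $name, ?string $flavour)
{
    $literal = $flavour === null ? "'$name'" : sql_quote($name, $flavour);
    try {
        $db->exec("INSERT INTO people (name) VALUES ($literal)");
        return true;
    } catch (PDOException $e) {
        return $e->getMessage();
    }
}

// Bind the value as a parameter: the driver keeps data and SQL apart, so the
// apostrophe never needs quoting and the code is the same on every engine.
function insert_prepared(PDO $db, string $name): bool
{
    $stmt = $db->prepare('INSERT INTO people (name) VALUES (:name)');
    return $stmt->execute([':name' => $name]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT)');

$name = "O'reilly";

// Raw interpolation: the apostrophe ends the literal, the rest is a syntax error.
var_dump(insert_interpolated($db, $name, null));
// MySQL-style backslash: not standard SQL, so SQLite rejects it as well.
var_dump(insert_interpolated($db, $name, 'mysql'));
// Doubled quote: what this engine expects.
var_dump(insert_interpolated($db, $name, 'standard'));
// Parameter binding: works unchanged on every engine.
var_dump(insert_prepared($db, $name));

// Both successful inserts stored the name exactly as typed.
$rows = $db->query('SELECT name FROM people ORDER BY rowid')->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows === [$name, $name]);
```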




Re: [PHP] quotes

2001-07-12 Thread Alexander Wagner

Heidi Belal wrote:
> I have a problem using apostrophes/single quotes.
> I am using PHP and MySQL.  The user enters data into
> the text field and everything goes ok, until an
> apostrophy/single quote is added in the middle of the
> text - then disaster occurs!

Use addslashes() on the text before inserting it into the database.

http://php.net/addslashes

regards
Wagner

-- 
Madness takes its toll. Please have exact change.





RE: [PHP] quotes

2001-07-12 Thread scott [gts]

also: mysql_escape_string()
will format data properly for use in MySQL queries

> -Original Message-
> From: Alexander Wagner [mailto:[EMAIL PROTECTED]]
> Subject: Re: [PHP] quotes
> 
> 
> Heidi Belal wrote:
> > I have a problem using apostrophes/single quotes.
> > I am using PHP and MySQL.  The user enters data into
> > the text field and everything goes ok, until an
> > apostrophy/single quote is added in the middle of the
> > text - then disaster occurs!
> 
> Use addslashes() on the text before inserting it into the database.
> 
> http://php.net/addslashes
> 
> regards
> Wagner
> 
> -- 
> Madness takes its toll. Please have exact change.
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
> 





[PHP] Quotes and Values

2001-01-18 Thread Karl J. Stubsjoen

Hello,

I am trying to do this:

$myVal = "
*trying to accomplish putting " quotes around my string values*

Thanks!






Re: [PHP] Quotes and Values

2001-01-18 Thread Darryl Friesen

> $myVal = "
> *trying to accomplish putting " qotes around my string values*

Try

$myVal = "";

or

$myVal = '';


- Darryl

 --
  Darryl Friesen, B.Sc., Programmer/Analyst[EMAIL PROTECTED]
  Education & Research Technology Services, http://gollum.usask.ca/
  Department of Computing Services,
  University of Saskatchewan
 --
  "Go not to the Elves for counsel, for they will say both no and yes"







Re: [PHP] Quotes and Values

2001-01-18 Thread jeremy brand

Then you need to escape your double quotes:

$myVal = "";

or use the single quote equivalent:

$myVal = '';

or  (PHP4 only)

$myVal = <<
EOT;

Jeremy


Jeremy Brand :: Sr. Software Engineer :: 408-245-9058 :: [EMAIL PROTECTED]
http://www.JeremyBrand.com/Jeremy/Brand/Jeremy_Brand.html for more 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"LINUX is obsolete"  -- Andy Tanenbaum, January 29th, 1992
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   http://www.JEEP-FOR-SALE.com/ -- I need a buyer
  Get your own Free, Private email at http://www.smackdown.com/

On Thu, 18 Jan 2001, Karl J. Stubsjoen wrote:

> Date: Thu, 18 Jan 2001 15:44:06 -0700
> From: Karl J. Stubsjoen <[EMAIL PROTECTED]>
> To: PHP Mailing List <[EMAIL PROTECTED]>
> Subject: [PHP] Quotes and Values
> 
> Hello,
> 
> I am trying to do this:
> 
> $myVal = "
> *trying to accomplish putting " qotes around my string values*
> 
> Thanks!
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
> 
> 






Re: [PHP] Quotes and Values

2001-01-18 Thread Philip Olson

Hello Karl,

This tutorial will be of use :

Using Strings:
--
http://www.zend.com/zend/tut/using-strings.php


In short, three ways come to mind :

$a = "";
$a = '';
$a = "";

Which will make more sense after reading (and printing out) the above
tutorial.  As well as :

PHP Manual : Strings :
--
http://www.php.net/manual/en/language.types.string.php

Regards,

Philip


On Thu, 18 Jan 2001, Karl J. Stubsjoen wrote:

> Hello,
> 
> I am trying to do this:
> 
> $myVal = "
> *trying to accomplish putting " qotes around my string values*
> 
> Thanks!
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
> 






Re: [PHP] Quotes and Values

2001-01-18 Thread Chris Lee

a lot of people insist on escaping your double quotes, I don't, I use single
quotes, it's nicer to read.

echo "\n";

echo "\n";

I find the prior easier to read. they both work 100% no quibbles.

Chris Lee
Mediawaveonline.com



""Karl J. Stubsjoen"" <[EMAIL PROTECTED]> wrote in message
017b01c081a0$2ad77e50$0afc020a@kstubsjoen">news:017b01c081a0$2ad77e50$0afc020a@kstubsjoen...
> Hello,
>
> I am trying to do this:
>
> $myVal = "
> *trying to accomplish putting " qotes around my string values*
>
> Thanks!
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>







Re: [PHP] Quotes and Values

2001-01-18 Thread Josh G

True, but iirc it's not xml compliant, and might not be a good habit,
and it then leaves you without the option to use it in JS calls, like:

echo ""

Gfunk -  http://www.gfunk007.com/

I sense much beer in you. Beer leads to intoxication, intoxication to
hangovers, and hangovers to... suffering.


- Original Message -
From: "Chris Lee" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 19, 2001 9:51 AM
Subject: Re: [PHP] Quotes and Values


> alot of people inside on escaping your double quotes, I dont, I use single
> quotes, its nicer to read.
>
> echo "\n";
>
> echo "\n";
>
> I find the prior easier to read. they both work 100% no quibles.
>
> Chris Lee
> Mediawaveonline.com
>
>
>
> ""Karl J. Stubsjoen"" <[EMAIL PROTECTED]> wrote in message
> 017b01c081a0$2ad77e50$0afc020a@kstubsjoen">news:017b01c081a0$2ad77e50$0afc020a@kstubsjoen...
> > Hello,
> >
> > I am trying to do this:
> >
> > $myVal = "
> > *trying to accomplish putting " qotes around my string values*
> >
> > Thanks!
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> >
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>






[PHP] Quotes in inputfields & Reload

2001-03-12 Thread Jens Nedal

Hy everybody,

Well here is the deal (Probably an easy one 8))
I have several inputfields and check if they are valid or have content.
If an error occurs and the page reloads i simply echo the content of the
fields back into the input fields, voilà, wonderful.

BUT if there are " eg. Quotes in those fields they suddenly read \" instead
of " as they should 8(

I guess that the parser is doing something to it there since " is a
sensitive char in php. BUT how can i get the content to be reloaded
correctly into the fields again.

Here is an example of how those fields look



tried it like this too, no difference:
" size=40>


thx in advance, Jens Nedal






[PHP] Quotes in GET variables

2001-05-21 Thread Mark Rogers

If I submit a string to a script via GET which contains quotes, how should
they appear in my script?

Eg:
--- test.php ---
echo $HTTP_GET_VARS['test'];

Go to:
test.php?test=this+doesn%27t+work

.. and you get:
this doesn\'t work

(Char 27 is a single quote. Echoing $test gives the same result.)

I can use stripslashes to lose the escape char, but should this be necessary?
I'm using v4.0.4pl1

--
Mark Rogers
Lose the -news in the email address if replying direct







RE: [PHP] Quotes in inputfields & Reload

2001-03-12 Thread PHPBeginner.com

hi Jens,

PHP automatically escapes the dangerous characters from the user input on
form submissions.

there are several ways to escape that back :

stripslashes()
urlencode()
htmlentities()

read about these, they will soon become your solutions.



Sincerely,

 Maxim Maletsky
 Founder, Chief Developer

 PHPBeginner.com (Where PHP Begins)
 [EMAIL PROTECTED]
 www.phpbeginner.com




-Original Message-
From: Jens Nedal [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 12, 2001 7:24 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Quotes in inputfields & Reload


Hy everybody,

Well here is the deal (Probably an easy one 8))
I have several inputfields and check if the are valid or have content.
If an error occurs and the page reloads i simply echo the content of the
fields back into the input fields, viola, wonderful.

BUT if there are " eg. Quotes in those fields they suddenly read \" instead
of " as they should 8(

I guess that the parser is doing something to it there since " is a
sensitive char in php. BUT how can i get the content to be reloaded
correctly into the fields again.

Here an example of how those fields look like



tried it like this too, no difference:
" size=40>


thx in advance, Jens Nedal


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]



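The round trip Jens describes, as an added example that is not code from the thread: read a submitted field back the way the user typed it, undoing the backslashes magic_quotes_gpc added only when that setting is actually on, then escape it for the `value=""` attribute. The submissions below are constructed, and the field name `title` is an assumption.

```php
<?php
// Added example: redisplaying form input correctly whether or not the runtime
// applied magic_quotes_gpc, and why the stripping must be conditional.

// Return the field as the user typed it. $magic says whether the runtime added
// slashes; when null, ask the interpreter (get_magic_quotes_gpc() is gone in
// PHP 8, where the answer is always "no"). Stripping unconditionally would also
// eat any backslash the user typed on purpose.
function raw_field(array $request, string $key, ?bool $magic = null): string
{
    if ($magic === null) {
        $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    $value = isset($request[$key]) ? (string) $request[$key] : '';
    return $magic ? stripslashes($value) : $value;
}

// Escape for an attribute value: " becomes &quot;, so the quote cannot end the
// attribute early, and the browser decodes it back to " when it shows the field.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES);
}

function input_field(string $name, string $value): string
{
    return '<input type="text" name="' . attr($name) . '" value="' . attr($value) . '" size="40">';
}

// What the user typed: a quote and a deliberate backslash.
$typed = 'say "hi" to C:\temp';
// What $_POST['title'] holds with magic_quotes_gpc On (PHP ran addslashes on it)...
$with_magic = ['title' => addslashes($typed)];
// ...and with it Off.
$without_magic = ['title' => $typed];

// Handling that matches the setting recovers the original in both modes.
var_dump(raw_field($with_magic, 'title', true) === $typed);
var_dump(raw_field($without_magic, 'title', false) === $typed);
// Stripping when PHP added nothing corrupts the path: the backslash before
// "temp" is removed while the quotes survive.
var_dump(raw_field($without_magic, 'title', true));

// Under this interpreter's own setting, then rendered for the form.
$magic_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
$request = $magic_on ? $with_magic : $without_magic;
echo input_field('title', raw_field($request, 'title')), "\n";
```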




Re: [PHP] Quotes in inputfields & Reload

2001-03-13 Thread Jens Nedal

Ah yeah, thx everybody

That does it and i am a little pissed since i can go over alllooott of code
now to insert that. BATCH here i come!

Jens

on 12.03.2001 17:49 Uhr, PHPBeginner.com at [EMAIL PROTECTED]
wrote:

> hi Jens,
> 
> PHP automatically escape the dangerous characters from the user input on
> form submissions.
> 
> there are several ways to escape that back :
> 
> stripslashes()
> urlencode()
> htmlentities()
> 
> read about these, they will soon become your solutions.
> 
> 
> 
> Sincerely,
> 
> Maxim Maletsky
> Founder, Chief Developer
> 
> PHPBeginner.com (Where PHP Begins)
> [EMAIL PROTECTED]
> www.phpbeginner.com
> 
> 
> 
> 
> -Original Message-
> From: Jens Nedal [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 12, 2001 7:24 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Quotes in inputfields & Reload
> 
> 
> Hy everybody,
> 
> Well here is the deal (Probably an easy one 8))
> I have several inputfields and check if the are valid or have content.
> If an error occurs and the page reloads i simply echo the content of the
> fields back into the input fields, viola, wonderful.
> 
> BUT if there are " eg. Quotes in those fields they suddenly read \" instead
> of " as they should 8(
> 
> I guess that the parser is doing something to it there since " is a
> sensitive char in php. BUT how can i get the content to be reloaded
> correctly into the fields again.
> 
> Here an example of how those fields look like
> 
> 
> 
> tried it like this too, no difference:
> " size=40>
> 
> 
> thx in advance, Jens Nedal
> 
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
> 
> 






Re: [PHP] Quotes in GET variables

2001-05-21 Thread Plutarck

It's a feature of PHP that it automatically escapes data submitted in
PUT/GET/etc.

It's nice in that it adds to how secure PHP code is, but it can be a hassle.
Not sure if there is a function which removes escape characters while leaving
normal backslashes alone. If you REALLY need to turn it off I believe it's
the magic_quotes_gpc option.


Plutarck

""Mark Rogers"" <[EMAIL PROTECTED]> wrote in message
9eavif$dks$[EMAIL PROTECTED]">news:9eavif$dks$[EMAIL PROTECTED]...
> If I submit a string to a script via GET which contains quotes, how should
> they appear in my script?
>
> Eg:
> --- test.php ---
> echo $HTTP_GET_VARS['test'];
>
> Go to:
> test.php?test=this+doesn%27t+work
>
> .. and you get:
> this doesn\'t work
>
> (Char 27 is a single quote. Echoing $test gives the same result.)
>
> I can use stripslashes lose the escape char, but should this be necessary?
> I'm using v4.0.4pl1
>
> --
> Mark Rogers
> Lose the -news in the email address if replying direct
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>







Re: [PHP] Quotes in GET variables

2001-05-21 Thread Mark Rogers

> It's a feature of PHP that it automatically escapes data submitted in
> PUT/GET/etc.

It didn't seem to be happening with POST which is why I thought it odd, but
that probably means I didn't test properly :-)

> It's nice in that it adds to how secure PHP code is, but it can be a
> hassle.

Out of curiosity, what are the security implications? Presumably a failure
to validate input properly leading to unintended actions, but I can't think
of any examples to help me decide whether to turn this off.

Thanks for the quick response.
--
Mark Rogers








Re: [PHP] Quotes in GET variables

2001-05-21 Thread James Holloway

Hi Mark,

> > It's nice in that it adds to how secure PHP code is, but it can be a
> > hassle.
>
> Out of curiosity, what are the security implications? Presumably a
> failure to validate input properly leading to unintended actions, but I
> can't think of any examples to help me decide whether to turn this off.

Most default to set magic_quotes_gpc on - otherwise, to safeguard against
(amongst many other things) mysql or other database errors, all fields that
aren't integers would have to have addslashes() applied to them.  Try
entering a string like this:

$string = "http://www.php.net\";>PHP";

$string = stripslashes($string);

$insert = @mysql_query("INSERT INTO table (string) VALUES ('$string')")
or die (mysql_error());

And see how fast you run into errors ;)

James.







Re: [PHP] Quotes in GET variables

2001-05-21 Thread Plutarck

I saw an article just a few days ago on "Hacking PHPNuke" that was an
excellent example of how the escape GPS thing saved a program from a major
security hole caused by a very minor oversight in less than 0.01% of the
code. Can't remember the name of the site...I think it was linked from
TheRegister.co.uk, but I can't recall. It had a kind of metallic greyish
look with small print.

Anyway, it's not a big thing if you're _really_ stringent about how you
check every single variable which is used in a database query,
system/passthru/exec, or eval command, and your checking methods are
flawless, but otherwise it's just best to go to the trouble of hacking
around the input explicitly.

Unless your setting of PHP will only affect your application and no one
else's, and you don't have to worry about having the script run on a system
whose config you don't control, then knock yourself out. But it's a good
idea to pretend that the default settings of PHP can't be changed, since
most people have those settings and you don't want your code to be "system
dependent" :)



Plutarck

""Mark Rogers"" <[EMAIL PROTECTED]> wrote in message
9eb0sl$vvr$[EMAIL PROTECTED]">news:9eb0sl$vvr$[EMAIL PROTECTED]...
> > It's a feature of PHP that it automatically escapes data submitted in
> > PUT/GET/etc.
>
> It didn't seem to be happening with POST which is why I thought it odd,
> but that probably means I didn't test properly :-)
>
> > It's nice in that it adds to how secure PHP code is, but it can be a
> > hassle.
>
> Out of curiosity, what are the security implications? Presumably a
> failure to validate input properly leading to unintended actions, but I
> can't think of any examples to help me decide whether to turn this off.
>
> Thanks for the quick response.
> --
> Mark Rogers
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>







RE: [PHP] Quotes in GET variables

2001-05-21 Thread Boget, Chris

> Anyway, it's not a big thing if you're _really_ stringent about how you
> check every single variable which is used in a database query,
> system/passthru/exec, or eval command, and your checking methods are
> flawless, but otherwise it's just best to go to the trouble of hacking
> around the input explicitly.

What would you do to go about doing this?  How can you be
_really stringent_ in checking your variables?  Check that they
have a value?

Chris



Re: [PHP] Quotes in GET variables

2001-05-21 Thread Plutarck

Basically, use one of the escape functions :)

For instance, looking at this piece of code:

$result = mysql_query("SELECT * FROM table WHERE username='$username' AND password='$password'");

Now, you have the variables $username and $password to worry about. Now we
ask ourselves, what characters are valid entries here?

If we know that usernames and passwords can't contain spaces, we'll strip
out whitespace. If A-Z, 0-9, and underscores are the only legal characters,
we'll strip out anything that isn't a "word character".

Using this kind of "what's legal here?" questioning is typically the best
way to handle things. It ensures that no illegal entries can be in your code
so that no errors are spit out such as "this is not a legal resource
identifier". It also ensures no 'massaged' data can cause an unauthorized
user to see something they shouldn't see.

Then it only comes down to ensuring that legal characters can't be used in
some fashion which is not intended. I tend to limit myself to using only
word characters and whitespace, which seems safe in most cases. If you need
to use some other data, always use one of the PHP escape functions.

The final method to use is to ask yourself, "what variables can be passed
via session/cookie/put/get?". All other variables should be explicitly set
to _something_ early in the code before they would normally be used, and in
a way that ensures they are being set to something no matter what flow the
program takes (in other words, don't set them inside a conditional loop).

This is the cause for the majority of security holes. Often a program
evaluates a variable which is conditionally set inside the code without
ensuring that it's "clean". For example:

// $submit arrives straight from the request (register_globals), so the
// caller decides whether this branch runs
if ($submit)
{
$sql = "SELECT * FROM table";
}

// bunch of code here

// if the branch above was skipped, $sql was never set by this script
$result = mysql_query($sql);


If the user can massage the transaction so that $submit will evaluate to
false (such as appending "?submit=" onto the end of your page's URL), they
are now able to query your database with absolutely any query they like.
SELECT, UPDATE, or DROP, it's their choice. To be safe you need only insert
one line before the loop:

$sql = "";

So when using a variable which shouldn't be submitted from an outside
source, be sure that it's explicitly set to something before any evaluation
of that variable is done.


And that's about all I can think of. Still, it's best just to leave the
function on as an extra bit of security. You can never be too safe.


Plutarck

"Boget, Chris" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > Anyway, it's not a big thing if you're _really_ stringent about how you
> > check every single variable which is used in a database query,
> > system/passthru/exec, or eval command, and your checking methods are
> > flawless, but otherwise it's just best to go to the trouble of hacking
> > around the input explicitly.
>
> What would you do to go about doing this?  How can you be
> _really stringent_ in checking your variables?  Check that they
> have a value?
>
> Chris
>



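A worked version of the checks Plutarck describes above (whitelist the characters, pass the value to the database without hand-escaping, set $sql before the conditional), added here as an example rather than code from the thread. It assumes PHP 7 or later with the PDO SQLite driver; the `users` table and its sample row are constructed inline so the script runs stand-alone.

```php
<?php
// Added example, not code from the thread: the "what's legal here?" check and
// the "set it before the conditional" rule, against an in-memory SQLite table
// constructed here so the script runs stand-alone (PDO sqlite driver assumed).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (username TEXT, pw_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users VALUES (?, ?)');
$ins->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]);
// Whitelist: word characters only, bounded length. Input that fails is
// rejected, not "cleaned", so a quote or a space never reaches the query.
function isValidUsername(string $name): bool
{
    return preg_match('/^\w{1,32}$/', $name) === 1;
}
function login(PDO $pdo, array $request): string
{
    // Read explicitly from the request array instead of register_globals;
    // a missing field becomes '' rather than an undefined variable.
    $username = (string) ($request['username'] ?? '');
    $password = (string) ($request['password'] ?? '');
    if (!isValidUsername($username)) {
        return 'invalid username';
    }
    // Set $sql unconditionally so that, whatever path the request takes,
    // the variable used below is never left unset (the bug in the post).
    $sql = '';
    if (isset($request['submit'])) {
        $sql = 'SELECT pw_hash FROM users WHERE username = :username';
    }
    if ($sql === '') {
        return 'nothing to do';
    }

    // A prepared statement sends the value separately from the SQL text, so
    // no quoting of $username (addslashes, magic_quotes) is needed at all.
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare the password in PHP against a stored hash, never inside SQL.
    if ($row !== false && password_verify($password, $row['pw_hash'])) {
        return 'login ok';
    }
    return 'login failed';
}
echo login($pdo, ['submit' => '1', 'username' => 'alice', 'password' => 's3cret']), "\n";
echo login($pdo, ['submit' => '1', 'username' => "o'reilly", 'password' => 'x']), "\n";
echo login($pdo, ['username' => 'alice', 'password' => 's3cret']), "\n";
```

The three calls exercise the normal path, a name containing a quote (rejected by the whitelist before any SQL is built), and a request that skips the conditional (caught by the $sql initialisation).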




Re: [PHP] Quotes in GET variables

2001-05-21 Thread Mark Rogers

> Anyway, it's not a big thing if you're _really_ stringent about how you
> check every single variable which is used in a database query,
> system/passthru/exec, or eval command, and your checking methods are
> flawless, but otherwise it's just best to go to the trouble of hacking
> around the input explicitly.

Obviously my code is perfect, so I don't need to worry - but I'll leave it
set as default anyway :-)

One thing I do avoid is using register_globals, which removes some of the
threats suggested elsewhere in this thread. I do validate user input fairly
thoroughly, but it's always better to be safe. The reason I asked the
question was because I wasn't sure the behavior I was seeing was correct,
and didn't want to fix loads of code that I'd have to un-fix later on. Now I
know what's going on I'll go ahead with the fixes. Saves me remembering to
change PHP.INI on other machines, if nothing else.

Thanks for the help.
--
Mark Rogers



