[PHP] backslashes, string replacement, mysql_real_escape_strings and languages

2009-05-30 Thread PJ
Ok, let's get this straightened out, please.
I'm coming up with little annoyances like text with &eacute; & the like
being displayed and not displayed, having to enter it to get it
displayed, and sometimes seeing the code rather than the accented character.
And then there is preg_replace! When I have to use foreign characters
and I often do in several languages, preg removes the & and the spaces
that I don't want in a string but it also replaces the foreign language
accent formatting (e.g. &icirc; with icirc). Now that is annoying. I then
have to replace the space&space with space/space and omit the
preg_replace. That's a workaround... but that prevents filtering out
lost spaces. And how does all that relate to latin1 and utf8_general?
I'm setting up my databases with utf8_general... so, now what? Should I
be reverting to latin1 (or is it 15) I don't recall... Is there a way to
fix this cross language problem?
Ooooh, boy. :'(

-- 
Hervé Kempf: To save the planet, get out of capitalism.
-
Phil Jourdan --- p...@ptahhotep.com
   http://www.ptahhotep.com
   http://www.chiccantine.com/andypantry.php


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] backslashes

2004-08-28 Thread Thomas Goyne
On Fri, 27 Aug 2004 18:29:50 -0400, Ryan Schefke [EMAIL PROTECTED] wrote:

> Thomas,
> I'm not sure what your point is.  Please expand.
> Ryan
>
>> Do you really see nothing wrong with announcing to all users that they
>> can run arbitrary SQL with your script?

Well, the where clause in mysql is relatively safe, but suppose the user
changes giftprint.php?passid=1&sort=WHERE thankyou='Not Sent' ORDER BY
cash ASC to, say.. giftprint.php?passid=1&sort=OR 1, as the absolute most
basic example.  PHP no longer supports sending multiple queries with one
mysql_query to make this not as bad, but if you put SQL in the url or in
a form, you are just begging to have it changed.  At the very least have
sort=cash.  Ideally the query should look something like:

// whitelist of columns the user may sort on; the index, not the name,
// comes from the URL
$sarr = array('name', 'event', 'description', 'cash', 'action',
'thankyou', );
// an index outside the whitelist falls back to a default column
$i = intval($_GET['sort']);
$sort = isset($sarr[$i]) ? $sarr[$i] : 'cash';
$query = 'SELECT `name`, `event`, `description`, `cash`, `action`,
`thankyou` FROM `gifts` WHERE customerID=' . intval($_GET['passid'])
. ' ORDER BY ' . $sort;

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/


[PHP] backslashes

2004-08-27 Thread Ryan Schefke
Hi, I have a jump box that sends the following value to the page.

<option value="<?PHP echo 'giftprint.php?passid='.$passid.'&sort=WHERE
thankyou=\'Not Sent\' ORDER BY cash ASC';?>">Show
Thank You Notes &quot;Not Sent&quot;</option>

Then, the below query is run:

$query = "SELECT name, event, description, cash, action, thankyou
FROM gifts WHERE customerID='$passid' $sort";

My problem is with the \'Not Sent\'.  I need the backslashes for the php
statement but the sql query can't handle it and the jump box gives me an
error.

Any help?



Re: [PHP] backslashes

2004-08-27 Thread Jason Wong
On Friday 27 August 2004 15:31, Ryan Schefke wrote:

First of all:

Using unsanitised data from forms and links is a VERY bad thing.

> <option value="<?PHP echo 'giftprint.php?passid='.$passid.'&sort=WHERE
> thankyou=\'Not Sent\' ORDER BY cash ASC';?>">Show
> Thank You Notes &quot;Not Sent&quot;</option>

Two problems here:

1) URLs needs to be urlencode() appropriately
2) But your major problem is you're passing too much superfluous data 
(technically known as crap).

Breaking it down, you want to pass 4 pieces of data:

1) passid
2) thankyou status
3) sort column
4) sort direction

NB depending on what you're doing (3) & (4) may not be needed (eg if they're 
supposed to be hard-coded defaults that are not user selectable).

Now assuming (3) & (4) aren't needed, you would construct your URL something 
like this:

  giftprint.php?passid=$passid&status=$status

> Then, the below query is run:
>
> $query = "SELECT name, event, description, cash, action, thankyou
> FROM gifts WHERE customerID='$passid' $sort";
>
> My problem is with the \'Not Sent\'.  I need the backslashes for the php
> statement but the sql query can't handle it and the jump box gives me an
> error.

No, what you should do is assign various codes for the different status, eg

 1 - not sent
 2 - sent
 3 - unknown

Then when you receive the data you sanitise and verify that $passid and 
$status are valid.

So for $status it has to be one of 1, 2, or 3.

Then finally you can construct your query.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
You are a bundle of energy, always on the go.
*/

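The scheme Jason lays out above (numeric status codes, validated before the query is built, and a URL carrying only those values), combined with the column whitelist Thomas sketched in his reply, as one complete PHP example. This is added here and is not code from either poster or from the thread; it keeps the thread's table and column names but assumes the stored strings for codes 2 and 3, the `dir` parameter, the function names, and a PDO connection in `$pdo`. Values are bound as prepared-statement parameters; the ORDER BY column and direction cannot be bound, so they are only ever copied out of fixed arrays:

```php
<?php
// Added example, not from the thread. Status codes 1/2/3 and the gifts
// table come from Jason's and Ryan's messages; everything else is assumed.
declare(strict_types=1);

// 1 - not sent, 2 - sent, 3 - unknown. Only 'Not Sent' is a string the
// thread actually shows; the other two are assumed.
const STATUS_CODES = [1 => 'Not Sent', 2 => 'Sent', 3 => 'Unknown'];
const SORT_COLUMNS = ['name', 'event', 'description', 'cash', 'action', 'thankyou'];
const SORT_DIRS    = ['asc' => 'ASC', 'desc' => 'DESC'];

/**
 * Build the link the jump box emits. http_build_query() percent-encodes
 * every value, so the URL stays well-formed whatever the inputs are.
 */
function giftPrintUrl(int $passid, int $status, string $sort = 'cash', string $dir = 'asc'): string
{
    return 'giftprint.php?' . http_build_query([
        'passid' => $passid,
        'status' => $status,
        'sort'   => $sort,
        'dir'    => $dir,
    ]);
}

/**
 * Validate the request parameters. Returns null for anything not on the
 * whitelist: "OR 1", "WHERE ...", an unknown column, a status code outside
 * 1..3, or an array smuggled in as ?sort[]=x all stop here.
 */
function validateGiftParams(array $get): ?array
{
    if (!isset($get['passid'], $get['status'])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "1 OR 1" outright instead of silently
    // truncating it to 1 the way intval() would.
    $passid = filter_var($get['passid'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $status = filter_var($get['status'], FILTER_VALIDATE_INT);
    if ($passid === false || $status === false || !isset(STATUS_CODES[$status])) {
        return null;
    }
    $sort = $get['sort'] ?? 'cash';
    $dir  = strtolower((string) ($get['dir'] ?? 'asc'));
    if (!in_array($sort, SORT_COLUMNS, true) || !isset(SORT_DIRS[$dir])) {
        return null;
    }
    return [
        'passid' => $passid,
        'status' => STATUS_CODES[$status],
        'sort'   => $sort,
        'dir'    => SORT_DIRS[$dir],
    ];
}

/**
 * Build the SQL and its bound parameters from validated values only.
 */
function giftQuery(array $p): array
{
    $sql = 'SELECT `name`, `event`, `description`, `cash`, `action`, `thankyou`'
         . ' FROM `gifts` WHERE `customerID` = :passid AND `thankyou` = :status'
         . ' ORDER BY `' . $p['sort'] . '` ' . $p['dir'];
    return [$sql, [':passid' => $p['passid'], ':status' => $p['status']]];
}

// Usage ($pdo is an assumed, already-opened PDO connection):
// $params = validateGiftParams($_GET);
// if ($params === null) { http_response_code(400); exit; }
// [$sql, $bind] = giftQuery($params);
// $stmt = $pdo->prepare($sql);
// $stmt->execute($bind);
// $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The jump box would then emit `giftPrintUrl($passid, 1)` rather than a fragment of SQL, and the page never has to reason about backslashes: no SQL text travels through the URL at all.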



Re: [PHP] backslashes added to POST value

2002-02-11 Thread Michael Sims

At 12:34 PM 2/11/2002 -0600, news.php.net wrote:
> My post values have backslashes added to them (such as to protect a
> double-quote).
> All the magic_quote_* settings are turned off in php.ini.
> Any ideas why this is happening?

As someone else has already mentioned, this setting could be coming from 
either an .htaccess file or httpd.conf if you're using Apache.  If you're 
using IIS on Win32 it's also possible to configure settings on a 
per-virtual server basis in the system registry.  The easiest way to check 
for this is to use phpinfo() inside the directory that is causing you a 
problem and see if those magic_quote_* settings are indeed off, for both 
the local value and the master value.  If the local value is different then 
you have something in some other location that is overriding your master value.



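The local-versus-master comparison Michael describes, done from a script instead of by reading phpinfo() output. This is an added example, not code from the thread: `ini_get_all()` with details returns each directive's master value (`global_value`) and effective value (`local_value`), so any directive overridden in httpd.conf, .htaccess or a per-directory .user.ini shows up as a mismatch. The function names and the slash-stripping fallback are assumptions; the check generalizes to any directive, not just magic_quotes_gpc:

```php
<?php
// Added example, not from the thread. Lists ini directives whose effective
// value differs from the master value, which is exactly what an override in
// httpd.conf / .htaccess / .user.ini produces.
declare(strict_types=1);

/**
 * Return every directive whose local value differs from its master value,
 * optionally restricted to the directive names in $only.
 */
function iniOverrides(?array $only = null): array
{
    $overrides = [];
    foreach (ini_get_all(null, true) as $name => $info) {
        if ($only !== null && !in_array($name, $only, true)) {
            continue;
        }
        // global_value can be null on newer interpreters; compare as strings
        if ((string) $info['global_value'] !== (string) $info['local_value']) {
            $overrides[$name] = ['master' => $info['global_value'], 'local' => $info['local_value']];
        }
    }
    return $overrides;
}

/**
 * Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself in
 * PHP 8.0; on older interpreters this says whether GPC data arrives escaped.
 */
function magicQuotesActive(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

/**
 * Undo magic_quotes_gpc on a request array so the application sees the same
 * data whether or not some config layer turned the directive back on.
 */
function stripSlashesDeep($value)
{
    return is_array($value) ? array_map('stripSlashesDeep', $value) : stripslashes((string) $value);
}

// Usage: report overrides of the magic_quotes_* family, then normalise input.
foreach (iniOverrides(['magic_quotes_gpc', 'magic_quotes_runtime', 'magic_quotes_sybase']) as $name => $v) {
    printf("%s: master=%s local=%s\n", $name, var_export($v['master'], true), var_export($v['local'], true));
}
if (magicQuotesActive()) {
    $_POST = stripSlashesDeep($_POST);
}
```

Run it from the directory that misbehaves, as Michael suggests for phpinfo(): a directive that prints with differing master and local values is being set by something other than php.ini, and `iniOverrides()` with no argument lists every such directive at once.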