Re: [PHP] dealing with quotes in SQL strings

2003-06-13 Thread Marek Kilimajer
Yes, there is a performance hit. And the oddity is (if set globally in
php.ini) you have to stripslashes() everything you want to echo to the
browser. So I would recommend you to ini_set() magic_quotes_runtime on
right before this process and then turn it off.

Petre Agenbag wrote:
> Thanks, it was there right in front of me...
>
> Just as a matter of interest, are there security/performance issues with
> this setting as well as the magic_quotes_gpc or other oddities that it
> could cause?
>
> On Fri, 2003-06-13 at 15:54, CPT John W. Holmes wrote:
> > > I recently installed 4.3.1 and enabled the magic_quotes_gpc to deal with
> > > quotes in mysql inserts.
> > >
> > > However, I think I have run into a problem that might be related, and
> > > was wondering if there is an easy way to fix it:
> > >
> > > I have a script that gets user input from a drop-down, on the action
> > > page I search a mysql table for the row matching the selection made
> > > previously. What I do then is to extract the result of that "select *
> > > from table where data = form_selection" and then to re-insert the data
> > > into the table ; note, re-insert, NOT UPDATE ( the app calls for a new
> > > row to be added with the updated data, so the "old" row stays intact and
> > > a new row is added that contains some of the old row's data plus some
> > > new stuff I add).
> > >
> > > So, the new insert sql looks as per usual
> > >
> > > insert into table (`var1`,`var2`,`var3`,`var4`,...) values
> > > ('$var1','$var2',);
> > >
> > > where $var1, $var2 etc is either "inherited" from the extract of the
> > > first query's result set, or overwritten with my newly generated
> > > values. The problem now comes in with this:
> > >
> > > If one or more of the extracted variables contains something like
> > > " O'Healy " or something similar that causes trouble with the quotes in
> > > the new INSERT sql, well, you see the problem...
> > >
> > > And I don't want to have to go and addslashes to all my extracted
> > > variables, because there really are a whole heap of them.
> > >
> > > So, is there another php.ini setting that I'm missing to help me with
> > > this, or maybe a function that will addslashes to all my extracted vars?
> >
> > magic_quotes_runtime in php.ini
> >
> > ---John Holmes...





--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
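
The re-insert problem from this thread, as an added example that is not code from any of the posters: values read back from the database carry their quotes unescaped, so interpolating them into a new INSERT fails, while bound parameters (PDO here) need no addslashes() call and no ini setting. The in-memory SQLite database, the `clients` table and its columns are assumptions made so the script runs offline.

```php
<?php
// Added example. In-memory SQLite stands in for the thread's MySQL table so
// the script runs offline; the table and column names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, surname TEXT, status TEXT)');
$db->exec("INSERT INTO clients (surname, status) VALUES ('O''Healy', 'old')"); // constructed row

// Fetch the selected row. The quote comes back unescaped, exactly as stored.
$sel = $db->prepare('SELECT surname, status FROM clients WHERE surname = ?');
$sel->execute(["O'Healy"]);
$row = $sel->fetch(PDO::FETCH_ASSOC);
$row['status'] = 'new';              // overwrite one field with a new value

// The thread's pattern: fetched values interpolated into the SQL text. The
// stored quote closes the string literal early and the statement is rejected.
function insertByInterpolation(PDO $db, array $row): bool
{
    $sql = "INSERT INTO clients (surname, status) "
         . "VALUES ('{$row['surname']}', '{$row['status']}')";
    try {
        $db->exec($sql);
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

// Bound parameters: one placeholder per column, values travel separately from
// the SQL text. Column names cannot be bound, so they come from an allow-list.
function insertByBinding(PDO $db, array $row, array $allowedColumns): int
{
    $data  = array_intersect_key($row, array_flip($allowedColumns));
    $cols  = implode(', ', array_keys($data));
    $marks = implode(', ', array_fill(0, count($data), '?'));
    $db->prepare("INSERT INTO clients ($cols) VALUES ($marks)")
       ->execute(array_values($data));
    return (int) $db->lastInsertId();
}

var_dump(insertByInterpolation($db, $row));
$newId = insertByBinding($db, $row, ['surname', 'status']);
$check = $db->prepare('SELECT surname, status FROM clients WHERE id = ?');
$check->execute([$newId]);
var_dump($check->fetch(PDO::FETCH_ASSOC));
```

The magic_quotes settings were removed in PHP 5.4, so on current PHP bound parameters are the way to handle rows like this.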


Re: [PHP] dealing with quotes in SQL strings

2003-06-13 Thread Petre Agenbag
Thanks, it was there right in front of me...

Just as a matter of interest, are there security/performance issues with
this setting as well as the magic_quotes_gpc or other oddities that it
could cause?

On Fri, 2003-06-13 at 15:54, CPT John W. Holmes wrote:
> > I recently installed 4.3.1 and enabled the magic_quotes_gpc to deal with
> > quotes in mysql inserts.
> > 
> > However, I think I have run into a problem that might be related, and
> > was wondering if there is an easy way to fix it:
> > 
> > I have a script that gets user input from a drop-down, on the action
> > page I search a mysql table for the row matching the selection made
> > previously. What I do then is to extract the result of that "select *
> > from table where data = form_selection" and then to re-insert the data
> > into the table ; note, re-insert, NOT UPDATE ( the app calls for a new
> > row to be added with the updated data, so the "old" row stays intact and
> > a new row is added that contains some of the old row's data plus some
> > new stuff I add).
> > 
> > So, the new insert sql looks as per usual
> > 
> > insert into table (`var1`,`var2`,`var3`,`var4`,...) values
> > ('$var1','$var2',);
> > 
> > where $var1, $var2 etc is either "inherited" from the extract of the
> > first query's result set, or overwritten with my newly generated
> > values. The problem now comes in with this:
> > 
> > If one or more of the extracted variables contains something like
> > " O'Healy " or something similar that causes trouble with the quotes in
> > the new INSERT sql, well, you see the problem...
> > 
> > And I don't want to have to go and addslashes to all my extracted
> > variables, because there really are a whole heap of them.
> > 
> > So, is there another php.ini setting that I'm missing to help me with
> > this, or maybe a function that will addslashes to all my extracted vars?
> 
> magic_quotes_runtime in php.ini
> 
> ---John Holmes...





Re: [PHP] dealing with quotes in SQL strings

2003-06-13 Thread CPT John W. Holmes
> I recently installed 4.3.1 and enabled the magic_quotes_gpc to deal with
> quotes in mysql inserts.
> 
> However, I think I have run into a problem that might be related, and
> was wondering if there is an easy way to fix it:
> 
> I have a script that gets user input from a drop-down, on the action
> page I search a mysql table for the row matching the selection made
> previously. What I do then is to extract the result of that "select *
> from table where data = form_selection" and then to re-insert the data
> into the table ; note, re-insert, NOT UPDATE ( the app calls for a new
> row to be added with the updated data, so the "old" row stays intact and
> a new row is added that contains some of the old row's data plus some
> new stuff I add).
> 
> So, the new insert sql looks as per usual
> 
> insert into table (`var1`,`var2`,`var3`,`var4`,...) values
> ('$var1','$var2',);
> 
> where $var1, $var2 etc is either "inherited" from the extract of the
> first query's result set, or overwritten with my newly generated
> values. The problem now comes in with this:
> 
> If one or more of the extracted variables contains something like
> " O'Healy " or something similar that causes trouble with the quotes in
> the new INSERT sql, well, you see the problem...
> 
> And I don't want to have to go and addslashes to all my extracted
> variables, because there really are a whole heap of them.
> 
> So, is there another php.ini setting that I'm missing to help me with
> this, or maybe a function that will addslashes to all my extracted vars?

magic_quotes_runtime in php.ini

---John Holmes...




Re: [PHP] dealing with quotes in SQL strings

2003-06-13 Thread Petre Agenbag
Hi Awlad
Yes, I know addslashes(), but that's the point, I would rather NOT want
to go and have to use addslashes() to all my extracted vars as there are
almost a hundred vars, and I wouldn't want to go and have to add
addslashes($var1), addslashes($var2), ..., addslashes($var100) UNLESS
it is the unanimous feeling of the list that there is no other way (
BTW, the app worked fine on PHP 4.0.4, hence my suspicion that there
might be a php.ini setting I missed when upgrading to 4.3.1)

On Fri, 2003-06-13 at 15:46, Awlad Hussain wrote:
> addslashes
> (PHP 3, PHP 4 )
> 
> addslashes -- Quote string with slashes
> Description
> string addslashes ( string str)
> 
> 
> Returns a string with backslashes before characters that need to be quoted
> in database queries etc. These characters are single quote ('), double quote
> ("), backslash (\) and NUL (the NULL byte).
> 
> - Original Message - 
> From: "Petre Agenbag" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, June 13, 2003 2:43 PM
> Subject: [PHP] dealing with quotes in SQL strings
> 
> 
> > Hi List
> >
> > I recently installed 4.3.1 and enabled the magic_quotes_gpc to deal with
> > quotes in mysql inserts.
> >
> > However, I think I have run into a problem that might be related, and
> > was wondering if there is an easy way to fix it:
> >
> > I have a script that gets user input from a drop-down, on the action
> > page I search a mysql table for the row matching the selection made
> > previously. What I do then is to extract the result of that "select *
> > from table where data = form_selection" and then to re-insert the data
> > into the table ; note, re-insert, NOT UPDATE ( the app calls for a new
> > row to be added with the updated data, so the "old" row stays intact and
> > a new row is added that contains some of the old row's data plus some
> > new stuff I add).
> >
> > So, the new insert sql looks as per usual
> >
> > insert into table (`var1`,`var2`,`var3`,`var4`,...) values
> > ('$var1','$var2',);
> >
> > where $var1, $var2 etc is either "inherited" from the extract of the
> > first query's result set, or overwritten with my newly generated
> > values. The problem now comes in with this:
> >
> > If one or more of the extracted variables contains something like
> > " O'Healy " or something similar that causes trouble with the quotes in
> > the new INSERT sql, well, you see the problem...
> >
> > And I don't want to have to go and addslashes to all my extracted
> > variables, because there really are a whole heap of them.
> >
> > So, is there another php.ini setting that I'm missing to help me with
> > this, or maybe a function that will addslashes to all my extracted vars?
> >
> > I'm lazy, shoot me!
> 





Re: [PHP] dealing with quotes in SQL strings

2003-06-13 Thread Awlad Hussain
addslashes
(PHP 3, PHP 4 )

addslashes -- Quote string with slashes
Description
string addslashes ( string str)


Returns a string with backslashes before characters that need to be quoted
in database queries etc. These characters are single quote ('), double quote
("), backslash (\) and NUL (the NULL byte).

- Original Message - 
From: "Petre Agenbag" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 13, 2003 2:43 PM
Subject: [PHP] dealing with quotes in SQL strings


> Hi List
>
> I recently installed 4.3.1 and enabled the magic_quotes_gpc to deal with
> quotes in mysql inserts.
>
> However, I think I have run into a problem that might be related, and
> was wondering if there is an easy way to fix it:
>
> I have a script that gets user input from a drop-down, on the action
> page I search a mysql table for the row matching the selection made
> previously. What I do then is to extract the result of that "select *
> from table where data = form_selection" and then to re-insert the data
> into the table ; note, re-insert, NOT UPDATE ( the app calls for a new
> row to be added with the updated data, so the "old" row stays intact and
> a new row is added that contains some of the old row's data plus some
> new stuff I add).
>
> So, the new insert sql looks as per usual
>
> insert into table (`var1`,`var2`,`var3`,`var4`,...) values
> ('$var1','$var2',);
>
> where $var1, $var2 etc is either "inherited" from the extract of the
> first query's result set, or overwritten with my newly generated
> values. The problem now comes in with this:
>
> If one or more of the extracted variables contains something like
> " O'Healy " or something similar that causes trouble with the quotes in
> the new INSERT sql, well, you see the problem...
>
> And I don't want to have to go and addslashes to all my extracted
> variables, because there really are a whole heap of them.
>
> So, is there another php.ini setting that I'm missing to help me with
> this, or maybe a function that will addslashes to all my extracted vars?
>
> I'm lazy, shoot me!





[PHP] dealing with quotes in SQL strings

2003-06-13 Thread Petre Agenbag
Hi List

I recently installed 4.3.1 and enabled the magic_quotes_gpc to deal with
quotes in mysql inserts.

However, I think I have run into a problem that might be related, and
was wondering if there is an easy way to fix it:

I have a script that gets user input from a drop-down, on the action
page I search a mysql table for the row matching the selection made
previously. What I do then is to extract the result of that "select *
from table where data = form_selection" and then to re-insert the data
into the table ; note, re-insert, NOT UPDATE ( the app calls for a new
row to be added with the updated data, so the "old" row stays intact and
a new row is added that contains some of the old row's data plus some
new stuff I add).

So, the new insert sql looks as per usual

insert into table (`var1`,`var2`,`var3`,`var4`,...) values
('$var1','$var2',);

where $var1, $var2 etc is either "inherited" from the extract of the
first query's result set, or overwritten with my newly generated
values. The problem now comes in with this:

If one or more of the extracted variables contains something like
" O'Healy " or something similar that causes trouble with the quotes in
the new INSERT sql, well, you see the problem...

And I don't want to have to go and addslashes to all my extracted
variables, because there really are a whole heap of them.

So, is there another php.ini setting that I'm missing to help me with
this, or maybe a function that will addslashes to all my extracted vars?

I'm lazy, shoot me!



