Re: [PHP] dealiong with quote's in SQL strings
Yes, there is a performance hit. And the oddity is (if set globally in php.ini) you have to stripslashes() everything you want to echo to the browser. So I would recommend you to ini_set() magic_quotes_runtime on right before this process and then turn it off.

Petre Agenbag wrote:

Thanks, it was there right in front of me... Just as a matter of interest, are there security/performance issues with this setting as well as the magic_quotes_gpc or other oddities that it could cause?

On Fri, 2003-06-13 at 15:54, CPT John W. Holmes wrote:

I recently installed 4.3.1 and enabled the magic_quotes_gpc to deal with quotes in mysql inserts.

However, I think I have run into a problem that might be related, and was wondering if there is an easy way to fix it:

I have a script that gets user input from a drop-down, on the action page I search a mysql table for the row matching the selection made previously. What I do then is to extract the result of that "select * from table where data = form_selection" and then to re-insert the data into the table ; note, re-insert, NOT UPDATE ( the app calls for a new row to be added with the updated data, so the "old" row stays intact and a new row is added that contains some of the old row's data plus some new stuff I add).

So, the new insert sql looks as per usual

insert into table (`var1`,`var2`,`var3`,`var4`,...) values ('$var1','$var2',);

where $var1, $var2 etc is either "inherited" from the extract of the first query's result set, or overwritten with my newly generated values. The problem now comes in with this:

If one or more of the extracted variables contains something like " O'Healy " or something similar that causes trouble with the quotes in the new INSERT sql, well, you see the problem...

And I don't want to have to go and addslashes to all my extracted variables, because there really are a whole heap of them.

So, is there another php.ini setting that I'm missing to help me with this, or maybe a function that will addslashes to all my extracted vars?

magic_quotes_runtime in php.ini

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] dealiong with quote's in SQL strings
Thanks, it was there right in front of me... Just as a matter of interest, are there security/performance issues with this setting as well as the magic_quotes_gpc or other oddities that it could cause?

On Fri, 2003-06-13 at 15:54, CPT John W. Holmes wrote:
> > I recently installed 4.3.1 and enabled the magic_quotes_gpc to deal with
> > quotes in mysql inserts.
> >
> > However, I think I have run into a problem that might be related, and
> > was wondering if there is an easy way to fix it:
> >
> > I have a script that gets user input from a drop-down, on the action
> > page I search a mysql table for the row matching the selection made
> > previously. What I do then is to extract the result of that "select *
> > from table where data = form_selection" and then to re-insert the data
> > into the table ; note, re-insert, NOT UPDATE ( the app calls for a new
> > row to be added with the updated data, so the "old" row stays intact and
> > a new row is added that contains some of the old row's data plus some
> > new stuff I add).
> >
> > So, the new insert sql looks as per usual
> >
> > insert into table (`var1`,`var2`,`var3`,`var4`,...) values
> > ('$var1','$var2',);
> >
> > where $var1, $var2 etc is either "inherited" from the extract of the
> > first query's result set, or overwritten with my newly generated
> > values. The problem now comes in with this:
> >
> > If one or more of the extracted variables contains something like
> > " O'Healy " or something similar that causes trouble with the quotes in
> > the new INSERT sql, well, you see the problem...
> >
> > And I don't want to have to go and addslashes to all my extracted
> > variables, because there really are a whole heap of them.
> >
> > So, is there another php.ini setting that I'm missing to help me with
> > this, or maybe a function that will addslashes to all my extracted vars?
>
> magic_quotes_runtime in php.ini
>
> ---John Holmes...
Re: [PHP] dealiong with quote's in SQL strings
> I recently installed 4.3.1 and enabled the magic_quotes_gpc to deal with
> quotes in mysql inserts.
>
> However, I think I have run into a problem that might be related, and
> was wondering if there is an easy way to fix it:
>
> I have a script that gets user input from a drop-down, on the action
> page I search a mysql table for the row matching the selection made
> previously. What I do then is to extract the result of that "select *
> from table where data = form_selection" and then to re-insert the data
> into the table ; note, re-insert, NOT UPDATE ( the app calls for a new
> row to be added with the updated data, so the "old" row stays intact and
> a new row is added that contains some of the old row's data plus some
> new stuff I add).
>
> So, the new insert sql looks as per usual
>
> insert into table (`var1`,`var2`,`var3`,`var4`,...) values
> ('$var1','$var2',);
>
> where $var1, $var2 etc is either "inherited" from the extract of the
> first query's result set, or overwritten with my newly generated
> values. The problem now comes in with this:
>
> If one or more of the extracted variables contains something like
> " O'Healy " or something similar that causes trouble with the quotes in
> the new INSERT sql, well, you see the problem...
>
> And I don't want to have to go and addslashes to all my extracted
> variables, because there really are a whole heap of them.
>
> So, is there another php.ini setting that I'm missing to help me with
> this, or maybe a function that will addslashes to all my extracted vars?

magic_quotes_runtime in php.ini

---John Holmes...
Re: [PHP] dealiong with quote's in SQL strings
Hi Awlad

Yes, I know addslashes(), but that's the point, I would rather NOT want to go and have to use addslashes() to all my extracted vars as there are almost a hundred vars, and I wouldn't want to go and have to add addslashes($var1), addslashes($var2), ., addslashes($var100) UNLESS it is the unanimous feeling of the list that there is no other way ( BTW, the app worked fine on PHP 4.0.4, hence my suspicion that there might be a php.ini setting I missed when upgrading to 4.3.1)

On Fri, 2003-06-13 at 15:46, Awlad Hussain wrote:
> addslashes
> (PHP 3, PHP 4 )
>
> addslashes -- Quote string with slashes
> Description
> string addslashes ( string str)
>
>
> Returns a string with backslashes before characters that need to be quoted
> in database queries etc. These characters are single quote ('), double quote
> ("), backslash (\) and NUL (the NULL byte).
>
> ----- Original Message -----
> From: "Petre Agenbag" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, June 13, 2003 2:43 PM
> Subject: [PHP] dealiong with quote's in SQL strings
>
>
> > Hi List
> >
> > I recently installed 4.3.1 and enabled the magic_quotes_gpc to deal with
> > quotes in mysql inserts.
> >
> > However, I think I have run into a problem that might be related, and
> > was wondering if there is an easy way to fix it:
> >
> > I have a script that gets user input from a drop-down, on the action
> > page I search a mysql table for the row matching the selection made
> > previously. What I do then is to extract the result of that "select *
> > from table where data = form_selection" and then to re-insert the data
> > into the table ; note, re-insert, NOT UPDATE ( the app calls for a new
> > row to be added with the updated data, so the "old" row stays intact and
> > a new row is added that contains some of the old row's data plus some
> > new stuff I add).
> >
> > So, the new insert sql looks as per usual
> >
> > insert into table (`var1`,`var2`,`var3`,`var4`,...) values
> > ('$var1','$var2',);
> >
> > where $var1, $var2 etc is either "inherited" from the extract of the
> > first query's result set, or overwritten with my newly generated
> > values. The problem now comes in with this:
> >
> > If one or more of the extracted variables contains something like
> > " O'Healy " or something similar that causes trouble with the quotes in
> > the new INSERT sql, well, you see the problem...
> >
> > And I don't want to have to go and addslashes to all my extracted
> > variables, because there really are a whole heap of them.
> >
> > So, is there another php.ini setting that I'm missing to help me with
> > this, or maybe a function that will addslashes to all my extracted vars?
> >
> > I'm lazy, shoot me!
Re: [PHP] dealiong with quote's in SQL strings
addslashes
(PHP 3, PHP 4 )

addslashes -- Quote string with slashes
Description
string addslashes ( string str)

Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

----- Original Message -----
From: "Petre Agenbag" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 13, 2003 2:43 PM
Subject: [PHP] dealiong with quote's in SQL strings

> Hi List
>
> I recently installed 4.3.1 and enabled the magic_quotes_gpc to deal with
> quotes in mysql inserts.
>
> However, I think I have run into a problem that might be related, and
> was wondering if there is an easy way to fix it:
>
> I have a script that gets user input from a drop-down, on the action
> page I search a mysql table for the row matching the selection made
> previously. What I do then is to extract the result of that "select *
> from table where data = form_selection" and then to re-insert the data
> into the table ; note, re-insert, NOT UPDATE ( the app calls for a new
> row to be added with the updated data, so the "old" row stays intact and
> a new row is added that contains some of the old row's data plus some
> new stuff I add).
>
> So, the new insert sql looks as per usual
>
> insert into table (`var1`,`var2`,`var3`,`var4`,...) values
> ('$var1','$var2',);
>
> where $var1, $var2 etc is either "inherited" from the extract of the
> first query's result set, or overwritten with my newly generated
> values. The problem now comes in with this:
>
> If one or more of the extracted variables contains something like
> " O'Healy " or something similar that causes trouble with the quotes in
> the new INSERT sql, well, you see the problem...
>
> And I don't want to have to go and addslashes to all my extracted
> variables, because there really are a whole heap of them.
>
> So, is there another php.ini setting that I'm missing to help me with
> this, or maybe a function that will addslashes to all my extracted vars?
>
> I'm lazy, shoot me!
[PHP] dealiong with quote's in SQL strings
Hi List

I recently installed 4.3.1 and enabled the magic_quotes_gpc to deal with quotes in mysql inserts.

However, I think I have run into a problem that might be related, and was wondering if there is an easy way to fix it:

I have a script that gets user input from a drop-down, on the action page I search a mysql table for the row matching the selection made previously. What I do then is to extract the result of that "select * from table where data = form_selection" and then to re-insert the data into the table ; note, re-insert, NOT UPDATE ( the app calls for a new row to be added with the updated data, so the "old" row stays intact and a new row is added that contains some of the old row's data plus some new stuff I add).

So, the new insert sql looks as per usual

insert into table (`var1`,`var2`,`var3`,`var4`,...) values ('$var1','$var2',);

where $var1, $var2 etc is either "inherited" from the extract of the first query's result set, or overwritten with my newly generated values. The problem now comes in with this:

If one or more of the extracted variables contains something like " O'Healy " or something similar that causes trouble with the quotes in the new INSERT sql, well, you see the problem...

And I don't want to have to go and addslashes to all my extracted variables, because there really are a whole heap of them.

So, is there another php.ini setting that I'm missing to help me with this, or maybe a function that will addslashes to all my extracted vars?

I'm lazy, shoot me!
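
An added example, not part of the thread: the copy-a-row-with-changes step described in the question, written with PDO prepared statements so that a stored value such as O'Healy is bound as data and needs neither addslashes() nor magic_quotes_runtime (magic quotes were removed in PHP 5.4). The `people` table, its columns and the `reinsertRow()` helper are hypothetical, and an in-memory SQLite database stands in for MySQL.

```php
<?php
// Added example: table, column and function names here are hypothetical.
// Copy an existing row into a new row with some fields overridden, binding every
// value as a parameter so quotes in stored data never reach the SQL text.
function reinsertRow(PDO $db, string $table, array $row, array $overrides): int
{
    $new = array_merge($row, $overrides);
    unset($new['id']); // assumption: 'id' is the auto-assigned primary key

    // Column names come from the result set, not from user input, but they are
    // still interpolated into the statement, so accept plain identifiers only.
    foreach (array_merge([$table], array_keys($new)) as $name) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("Unexpected identifier: $name");
        }
    }

    $cols  = implode(', ', array_keys($new));
    $marks = implode(', ', array_fill(0, count($new), '?'));
    $stmt  = $db->prepare("INSERT INTO $table ($cols) VALUES ($marks)");
    $stmt->execute(array_values($new));
    return (int) $db->lastInsertId();
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, surname TEXT, city TEXT, note TEXT)');
$db->prepare('INSERT INTO people (surname, city, note) VALUES (?, ?, ?)')
   ->execute(["O'Healy", 'Cork', 'original row']);

// The value chosen in the drop-down is bound as well, never concatenated.
$sel = $db->prepare('SELECT * FROM people WHERE surname = ?');
$sel->execute(["O'Healy"]);
$old = $sel->fetch(PDO::FETCH_ASSOC);

// The old row stays intact; the copy inherits its values except the overrides.
$newId = reinsertRow($db, 'people', $old, ['note' => 'updated copy']);

$check = $db->prepare('SELECT surname, city, note FROM people WHERE id = ?');
$check->execute([$newId]);
print_r($check->fetch(PDO::FETCH_ASSOC));
```

Because the placeholder list is built from the row itself, the same helper covers a table with a hundred columns without naming any of them.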