Thanks for the reply, but I still can't seem to make the connection... If I enter the value 123\"/' in a web form and put the form post value directly into the db (no stripslashes or any other function), the value as reported by the db at a command line query is 123\"/' (it LOOKS like the same value that was entered), but to get it to return that value, at the command prompt, I have to enter select * from users where password = "123\\\"\/\'";. OK, that makes sense. You have to 'slash' or escape every escape or delimiter character. So, the value is apparently getting into the db properly. Now, when I enter that same value (minus the outside quotes) into the form field and then compare that with the value in the db, they don't match. I've tried add and strip slashes in various combinations, but that makes no difference. I suspect there are some HTML entities or some other odd URL encoding problem??? My app has a feature that will remind a user of their password. This returns in an email exactly what I'd expect, that is, 123\"/' I can't see how to make the round trip from the original input into the db and then back out again intact so it will 'match itself'... That behavior doesn't seem to match the magic_quotes docs.
My current project is the first real app I have done for the Air Force in PHP. Most of the PHP work I have done is for query-only db interfaces, counters, REMOTE_HOST tests for dynamic links or doing form-to-email type stuff. Entering data INTO a db adds a whole new set of challenges. I'd appreciate any other advice or clarification you could offer.

Thanks,

-----Original Message-----
From: John W. Holmes [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 07, 2003 4:25 PM
To: 'Rob Walls'; [EMAIL PROTECTED]
Subject: RE: [PHP] Escaping Chars

> I need to get a password value from a form, store it in a database and then
> later be able to compare a login password to the one stored in the db.
> This works great unless the password contains the '\' char.
> magic_quotes_gpc is ON and magic_quotes_runtime is OFF.
> As a kludge, I tried just removing slashes from the input password using
> stripslashes() before storing it in the db and then testing to see if
> stripslashes(val from db)=stripslashes(val from form) in the login test to
> see if they match. (the user shouldn't even know that slashes are being
> stripped, so I have to strip them on each input). They still don't match if
> a slash is input for the original password storage, but I don't know why.

Okay... you want the "slash" or escape character there when you insert it into the database. But, since it's an escape character, it doesn't actually go into the data of the database. If you put O'Kelly into your form, magic_quotes_gpc will turn it into O\'Kelly. If you insert that into the database, it'll use the \ as an escape character and the data in the database will actually be just O'Kelly. With magic_quotes_runtime OFF, that's exactly what you'll draw out of the database, too. So, if you want to compare a form submitted value to a value drawn out of the database, you have to use stripslashes() on the form data first.

A better option overall is to just do it in your query.

SELECT * FROM table WHERE user = '{$_POST['user']}' and password = '{$_POST['password']}'

Where your form is method=POST... If a row is returned, the username and password matched. If no row is returned, then one or both didn't match.

---John Holmes...

PS: Just noticed the .af.mil address. Do you do any PHP programming for the Air Force or is this on your own?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
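The round trip the thread argues about, as an added worked example that is not from either poster: magic_quotes_gpc adds slashes to the form value, the database decodes those slashes when it parses the quoted literal, so the stored value equals the raw input and the escaped form value only matches it after stripslashes() (the PHP-side comparison) or when the database decodes the literal itself (John's WHERE-clause comparison). The functions below are Python re-implementations of PHP's addslashes()/stripslashes() and of MySQL-style single-quoted literal decoding, written for this example; the password 123\"/' is the constructed value from the post.

```python
# Added example (not from the mailing-list thread): simulate the
# magic_quotes_gpc -> SQL literal -> stored column -> comparison round trip.


def magic_quotes_gpc(value: str) -> str:
    """Mimic PHP addslashes(), which magic_quotes_gpc applied to every
    GET/POST/COOKIE value: backslash-escape ' " \\ and NUL."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def stripslashes(value: str) -> str:
    """Mimic PHP stripslashes(): drop one backslash per escape; \\0 -> NUL."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\x00" if nxt == "0" else nxt)
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_sql_string_literal(literal: str) -> str:
    """Decode a single-quoted SQL literal the way a MySQL-style parser does:
    backslash escapes are consumed, '' is a literal quote, a bare ' is an error."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a single-quoted literal")
    body = literal[1:-1]
    escapes = {"n": "\n", "t": "\t", "r": "\r", "0": "\x00"}
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            out.append(escapes.get(body[i + 1], body[i + 1]))
            i += 2
        elif ch == "'" and i + 1 < len(body) and body[i + 1] == "'":
            out.append("'")
            i += 2
        elif ch == "'":
            raise ValueError("unescaped quote inside literal")
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def store_password(escaped_form_value: str) -> str:
    """What lands in the column when the escaped form value is interpolated
    into INSERT ... VALUES ('...') with no further processing."""
    return parse_sql_string_literal("'" + escaped_form_value + "'")


def login_compare_in_php(escaped_form_value: str, stored: str) -> bool:
    """The poster's comparison in PHP: stripslashes() on the form side is
    what makes the two values equal (magic_quotes_runtime is OFF)."""
    return stripslashes(escaped_form_value) == stored


def login_compare_in_query(escaped_form_value: str, stored: str) -> bool:
    """John's alternative: the database decodes the literal in the WHERE clause."""
    return parse_sql_string_literal("'" + escaped_form_value + "'") == stored


# Constructed sample: the value typed into the form in the thread, 123\"/'
RAW_PASSWORD = "123\\\"/'"


def round_trip(raw: str) -> dict:
    """Run one password through every stage and report each comparison."""
    escaped = magic_quotes_gpc(raw)
    stored = store_password(escaped)
    return {
        "escaped": escaped,                       # 123\\\"/\'
        "stored": stored,                         # 123\"/'  (same as raw)
        "naive_match": escaped == stored,         # False: why the login fails
        "stripslashes_match": login_compare_in_php(escaped, stored),   # True
        "query_match": login_compare_in_query(escaped, stored),        # True
    }


if __name__ == "__main__":
    for stage, value in round_trip(RAW_PASSWORD).items():
        print(f"{stage:>18}: {value!r}")
```

The naive_match row is the poster's symptom: the form value still carries the slashes magic_quotes added, while the column holds the decoded value. magic_quotes was removed in PHP 5.4; on current PHP the equivalent of John's query is a prepared statement with the password as a bound parameter, with a salted hash stored instead of the plaintext, so neither the escaping nor the comparison happens in application string handling.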