addslashes()
James
--
James Moore
PHP Quality Assurance Team
[EMAIL PROTECTED]
> -Original Message-
> From: rodrigo [mailto:[EMAIL PROTECTED]]
> Sent: 14 January 2001 21:41
> To: php php
> Subject: [PHP] Quotes
>
>
> I recently came across this problem and I am sure that there is a
Look into functions stripslashes() and addslashes() as well as the setting
magic_quotes_gpc :
http://www.php.net/manual/en/function.addslashes.php
http://www.php.net/manual/en/configuration.php#ini.magic-quotes-gpc
But quite simple, addslashes($foo); will addslashes before the quotes
within $
On 14 Jan 2001 10:38:12 -0800, rodrigo <[EMAIL PROTECTED]> wrote:
>However, yesterday I was typing in an English name that had a single
>quote (say, like O'reilly) and the SQL querie was all wrong.
You need to escape the special characters (' becomes '' or \' depending on
database flavor). PHP's
On Friday, April 12, 2002, at 06:06 PM, Heidi Belal wrote:
> if uses enter double quotes my html gets mixed up and
> considers the users quote to be the end of the output
> value for the input field.
...
> now what do i do? how can i prevent that from
> happing?
As a rule of thumb, you shou
> From: "Heidi Belal" <[EMAIL PROTECTED]>
On Fri, Apr 12, 2002 at 03:15:13PM -0700, hugh danaher wrote:
> > > like this.">
> addslashes()
> stripslashes()
Nay. She's asking about HTML. Slashes aren't going to solve that. All
output from databases, or wherever, needs to go through
htmlspec
Heidi,
to your input:
addslashes()
to your output:
stripslashes()
Hope this helps,
Hugh
- Original Message -
From: "Heidi Belal" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>; "Egypt Developers"
<[EMAIL PROTECTED]>; "Egypt Programmers"
<[EMAIL PROTECTED]>; "js-jive mailing list"
Thanks!
This is what i was looking for.
and i'm actually using jsps and java servlets, but i
knew i'd find the solution some where...now i've
discovered what needs to be done to solve the
problem..and i've found a funtion that will convert
the html special characters!
Thanks again!
Heidi
--- Anal
Heidi Belal wrote:
> I have a problem using apostrophes/single quotes.
> I am using PHP and MySQL. The user enters data into
> the text field and everything goes ok, until an
> apostrophy/single quote is added in the middle of the
> text - then disaster occurs!
Use addslashes() on the text befor
also: mysql_escape_string()
will format data properly for use in MySQL queries
> -Original Message-
> From: Alexander Wagner [mailto:[EMAIL PROTECTED]]
> Subject: Re: [PHP] quotes
>
>
> Heidi Belal wrote:
> > I have a problem using apostrophes/single quotes
On Tue, 5 Sep 2006, Gustav Wiberg wrote:
I want to save this to a string...
var uri = 'http://impse.tradedoubler.com/imp/img/16352388/1122503?' + new
String (Math.random()).substring (2, 11
Or use a heredoc?
--
http://www.web-buddha.co.uk
http://www.projectkarma.co.uk
On 9/6/06, Gustav Wiberg <[EMAIL PROTECTED]> wrote:
I want to save this to a string...
var uri = 'http://impse.tradedoubler.com/imp/img/16352388/1122503?' + new
String (Math.random()).substring (2, 11);
docume
Am 2006-09-05 23:12:43, schrieb Gustav Wiberg:
> I want to save this to a string...
>
>
Try a textarea. Example:
On Wed, 2003-06-25 at 10:20, Lso . wrote:
> Ok I have been searching to no avail. I have a form that lets you add new
> sets of information to a database. Once you add information i have a page
> that displays this information in a series of text fields. I have d
Yes!! You are the man! It works! Thank you all for the fast response.
Lucas Owens
www.lucasowens.com
www.technoiraudio.com
Try a textarea. Example:
_
The new MSN 8: advanced junk mail protection and 2 months FREE*
http://join.msn
Does anyone know why this works this way? seems kinda odd that a textarea
will display it correctly but a normla field will not.
Try a textarea. Example:
Lucas
_
Tired of spam? Get advanced junk mail protection with MSN 8.
http://
Cause of the quotes around the value, example:
The HTML parser gets confused by the "'s around hank,
so since the textarea doesn't use quote's to delimit the
value, it works fine.
On Wed, 2003-06-25 at 10:37, Lso . wrote:
> Does anyone know why this works this way? seems kinda odd that a tex
understood. thanks for the help.
Lucas Owens
www.lucasowens.com
www.technoiraudio.com
From: Adam Voigt <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: "Lso ." <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] quotes
Date: 25 Jun 2003 10:47:56 -0400
Caus
Lso . wrote:
Ok I have been searching to no avail. I have a form that lets you
add new sets of information to a database. Once you add information i
have a page that displays this information in a series of text
fields. I have done this so you can alter the information in the
fields hit ed
What you also need is to htmlspecialchars() the vars that you echo as form
element values, else your HTML will be broken if one of the vars contains "
. This should work for both text fields and textareas
or
-Original Message-
From: Lso . [mailto:[EMAIL PROTECTED]
Sent: Wednesday,
MAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 7:47 AM
Subject: Re: [PHP] quotes
> Cause of the quotes around the value, example:
>
>
>
> The HTML parser gets confused by the "'s around hank,
> so since the textarea doesn't use quote's to delimit the
> va
quote.
>
> ie input type=\"text\"
>
> - Original Message -
> From: "Adam Voigt" <[EMAIL PROTECTED]>
> To: "Lso ." <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, June 25, 2003 7:47 AM
> Subject: Re:
<[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 9:04 AM
Subject: Re: [PHP] quotes
> Umm, in his first email, he specifically said all the quotes
> were already escaped with slashes and it didn't help.
>
>
>
> On Wed, 2003-06-25 at 11:50, Chris Sherwood wrote:
>
Thanks everyone. Honestly I tried so many things that Im not sure exactly
what combinations I tried. The textfield trick works, and I so sick of
looking at this script Im moving on. Ill try something else the next time
around. Thanks again for all of the excellent fast help!!
Lucas Owens
ww
Lso . wrote:
Thanks everyone. Honestly I tried so many things that Im not sure
exactly what combinations I tried. The textfield trick works, and I
so sick of looking at this script Im moving on. Ill try something
else the next time around. Thanks again for all of the excellent fast
help!!
it doesnt work, i just tried it. the text is still cut off after the quote
Just try htmlentities()! A textarea is for multiple lines of text!
_
Tired of spam? Get advanced junk mail protection with MSN 8.
http://join.msn.com/?pag
I had the same problem. I had my ISP turn magic quotes on in the php.ini
file on their server.
As soon as they did that, everything worked just fine.
-Steve Marquez
Marquez Design
[EMAIL PROTECTED]
www.marquez-design.com
> it doesnt work, i just tried it. the text is still cut off after the
gt" <[EMAIL PROTECTED]>
> To: "Chris Sherwood" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, June 25, 2003 9:04 AM
> Subject: Re: [PHP] quotes
>
> > Umm, in his first email, he specifically said all the quotes
> > were already es
On Thursday 26 June 2003 00:52, Lso . wrote:
> it doesnt work, i just tried it. the text is still cut off after the quote
>
> >Just try htmlentities()! A textarea is for multiple lines of text!
Show some code please.
--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software
. there
is too much stuff running on this serever to take that risk.
Lucas Owens
www.lucasowens.com
www.technoiraudio.com
From: Jason Wong <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [PHP] quotes
Date: Thu, 26 Jun 2003 00:58:40 +0800
On Thursday 26 Jun
here ya go:
function dbconnect(){
$dbh=mysql_connect ("**", "**", "**") or die ('I cannot connect
to the database because: ' . mysql_error());
mysql_select_db ("**");
}
$dbname = "***";
$urlname = "parteditlists.php";
function drawtable2($id, $company, $division, $contact, $
When you view the html source is all of the text including the quotes there?
>>> "Lso ." <[EMAIL PROTECTED]> 06/25/03 12:06PM >>>
go ahead an try it. the quote is quite clearly in the database, but when i
try to put it back in a form field everything is cut off after the quote.
and i tried stri
im stupid. it works. so sorry. htmlentities did the trick. i had a chunk
of code lingering from a former attempt at fixing it that screwed it all up.
thanks again everyone.
Lucas
_
The new MSN 8: advanced junk mail protection
IL PROTECTED]>
Sent: Wednesday, June 25, 2003 9:58 AM
Subject: Re: [PHP] quotes
> On Thursday 26 June 2003 00:02, Chris Sherwood wrote:
> > well thats seems unlikely as I do it all the time..
> >
> > how ever I am not going to argue p's and q's ...
> > if i
--- "Lso ." <[EMAIL PROTECTED]> wrote:
> ok i see why i didnt work but i dont know why.
>
> can anyone tell me why this works:
>
>
>
> but this doesn't:
>
> echo "";
It works for me, at least it does what I think you mean it to do. I'm not a big
fan of single-quoted attributes in HTML, but it
On Thursday 26 June 2003 01:33, Chris Sherwood wrote:
> I dont know what you were thinking but this is in a php list
>
> when you render html with php and you want double quotes in the html you
> MUST escape them
>
> otherwise you dont use double quotes
Sorry, it was the context of the thing:
>
LOL my mistake jason I should have paid more attention
- Original Message -
From: "Jason Wong" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 25, 2003 12:26 PM
Subject: Re: [PHP] quotes
> On Thursday 26 June 2003 01:33, Chris Sherwood wrot
> -Original Message-
> From: Lso . [mailto:[EMAIL PROTECTED]
> Sent: 25 June 2003 18:32
>
> ok i see why i didnt work but i dont know why.
>
> can anyone tell me why this works:
>
>
>
> but this doesn't:
>
> echo "";
Because by default htmlentities will convert double quotes but n
> $myVal = "
> *trying to accomplish putting " qotes around my string values*
Try
$myVal = "";
or
$myVal = '';
- Darryl
--
Darryl Friesen, B.Sc., Programmer/Analyst[EMAIL PROTECTED]
Education & Research Technology
Then you need to escape your double quotes:
$myVal = "";
or use the single quote equivilant:
$myVal = '';
or (PHP4 only)
$myVal = <<
EOT;
Jeremy
Jeremy Brand :: Sr. Software Engineer :: 408-245-9058 :: [EMAIL PROTECTED]
http://www.JeremyBrand.com/Jeremy/Brand/Jeremy_Brand.html for more
-
Hello Karl,
This tutorial will be of use :
Using Strings:
--
http://www.zend.com/zend/tut/using-strings.php
In short, three ways come to mind :
$a = "";
$a = '';
$a = "";
Which wil
alot of people inside on escaping your double quotes, I dont, I use single
quotes, its nicer to read.
echo "\n";
echo "\n";
I find the prior easier to read. they both work 100% no quibles.
Chris Lee
Mediawaveonline.com
""Karl J. Stubsjoen"" <[EMAIL PROTECTED]> wrote in message
017b01c081a0$
, and hangovers to... suffering.
- Original Message -
From: "Chris Lee" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 19, 2001 9:51 AM
Subject: Re: [PHP] Quotes and Values
> alot of people inside on escaping your double quotes, I dont,
On Sat, 2011-02-26 at 14:41 +0530, Ashim Kapoor wrote:
> Dear All,
>
> I am learning PHP by reading a book. My query pertains to the following
> lines : -
>
> $form_str = <<< EOFORMSTR
> WIDTH=621>
>
> SRC=../images/spacer.gif>
>
>
> .
>
> My query is that is it true that we don't need
The quotes you mention are in the HTML, nothing to do with PHP. HTML will
work without the quotes in most cases (unless there's a space in the value
for the attribute) but the quotes are required in XHTML and will cause
unexpected results.
Can you elaborate on the XHTML part? Do you mean they are
On Sat, 2011-02-26 at 16:27 +0530, Ashim Kapoor wrote:
> The quotes you mention are in the HTML, nothing to do with PHP. HTML will
> work without the quotes in most cases (unless there's a space in the value
> for the attribute) but the quotes are required in XHTML and will cause
> unexpected resu
Yes, in HTML the quotes are optional, but they are required in XHTML
documents:
> http://www.w3.org/TR/xhtml1/diffs.html#h-4.4
>
Ok Thank you,
Ashim
From: Ashim Kapoor
> From Ashley Sheridan
>> The quotes you mention are in the HTML, nothing to do with PHP. HTML
will
>> work without the quotes in most cases (unless there's a space in the
value
>> for the attribute) but the quotes are required in XHTML and will
cause
>> unexpected results.
>
>
At 8:23 AM -0500 2/28/11, Bob McConnell wrote:
From: Ashim Kapoor
From Ashley Sheridan
The quotes you mention are in the HTML, nothing to do with PHP. HTML
will
work without the quotes in most cases (unless there's a space in the
value
for the attribute) but the quotes are required in X
I am trying to get the following to work:
"Select Netid from Users where Netid = '$_SESSION[phpCAS][user]'"
Netid is a string type.
No matter where of if I put the quotes, I still get array[phpCAS] not the
value.
Maybe try this :
$q = 'Select Netid from Users where Netid = "' . $_SESSION[p
You can only interpolate ONE level of array or object indirection in a string.
WORKS:
"... $foo[x] ..."
"... $foo->x ..."
FAILS:
"... $foo[x][y] ..."
"... $foo->x->y ..." //almost for sure it fails, never tried...
You can use curly braces in side a string to evaluate something:
WOR
On Wed, Jan 14, 2009 at 11:17 AM, MikeP wrote:
> Hello,
> I am trying to get the following to work:
> "Select Netid from Users where Netid = '$_SESSION[phpCAS][user]'"
> Netid is a string type.
> No matter where of if I put the quotes, I still get array[phpCAS] not the
> value.
> If there is anyth
""Eric Butera"" wrote in message
news:6a8639eb0901140825h1d603d01i3ffcce919dca6...@mail.gmail.com...
> On Wed, Jan 14, 2009 at 11:17 AM, MikeP wrote:
>> Hello,
>> I am trying to get the following to work:
>> "Select Netid from Users where Netid = '$_SESSION[phpCAS][user]'"
>> Netid is a string
On Wed, Jan 14, 2009 at 11:34 AM, MikeP wrote:
>
> ""Eric Butera"" wrote in message
> news:6a8639eb0901140825h1d603d01i3ffcce919dca6...@mail.gmail.com...
>> On Wed, Jan 14, 2009 at 11:17 AM, MikeP wrote:
>>> Hello,
>>> I am trying to get the following to work:
>>> "Select Netid from Users where
Thanks, Thats the kind of help I was looking for.
Mike
wrote in message
news:20090114162142.65944.qm...@o2.hostbaby.com...
>
> You can only interpolate ONE level of array or object indirection in a
> string.
>
> WORKS:
> "... $foo[x] ..."
> "... $foo->x ..."
>
> FAILS:
> "... $foo[x][y] ..."
> "
> Doesn't anybody use prepared statements these days? It even helps MySQL
> AND Oracle cache an execution plan...
Forgive me if I'm wrong, but:
Caching an execution plan for a prepared statement that is run only once in the
script is just overhead, no?
Or can it actually re-use the same
On Wed, Jan 14, 2009 at 8:41 AM, MikeP wrote:
> Thanks, Thats the kind of help I was looking for.
> Mike
> wrote in message
> news:20090114162142.65944.qm...@o2.hostbaby.com...
> >
> > You can only interpolate ONE level of array or object indirection in a
> > string.
> >
> > WORKS:
> > "... $foo
On Wed, Jan 14, 2009 at 9:11 AM, wrote:
>
> > Doesn't anybody use prepared statements these days? It even helps MySQL
> > AND Oracle cache an execution plan...
>
> Forgive me if I'm wrong, but:
>
> Caching an execution plan for a prepared statement that is run only once in
> the script is just ov
On Wed, 2009-01-14 at 11:17 -0500, MikeP wrote:
> Hello,
> I am trying to get the following to work:
> "Select Netid from Users where Netid = '$_SESSION[phpCAS][user]'"
> Netid is a string type.
> No matter where of if I put the quotes, I still get array[phpCAS] not the
> value.
> If there is anyt
"Ashley Sheridan" wrote in message
news:1231962521.3613.13.ca...@localhost.localdomain...
> On Wed, 2009-01-14 at 11:17 -0500, MikeP wrote:
>> Hello,
>> I am trying to get the following to work:
>> "Select Netid from Users where Netid = '$_SESSION[phpCAS][user]'"
>> Netid is a string type.
>> No
On Wed, 2009-01-14 at 15:24 -0500, Frank Stanovcak wrote:
> "Ashley Sheridan" wrote in message
> news:1231962521.3613.13.ca...@localhost.localdomain...
> > On Wed, 2009-01-14 at 11:17 -0500, MikeP wrote:
> >> Hello,
> >> I am trying to get the following to work:
> >> "Select Netid from Users wher
It is over head, but it caches the execution plan for multiple runs of the
script. So different users with different data will use the same cached
query on the database. Saving processing time. It also prevents SQL
injection on the fly because you are indicating what data type each place
holde
It is over head, but it caches the execution plan for multiple runs
of the
script. So different users with different data will use the same cached
query on the database. Saving processing time. It also prevents SQL
injection on the fly because you are indicating what data type each
place
Evan Nemerson wrote:
Is anyone aware of a way to get double quotes in the php.ini file? For
instance, I'd like to be able to set error_prepend_string to "" (which doesn't work).
The only work-around I can think of is doing ini_set()'s in an
auto_prepend_file, and that's not acceptable for my pu
Evan Nemerson wrote:
>Is anyone aware of a way to get double quotes in the php.ini file? For
>instance, I'd like to be able to set error_prepend_string to "color=\"#ff\">" (which doesn't work).
>
>The only work-around I can think of is doing ini_set()'s in an
>auto_prepend_file, and that's n
On Tuesday 28 October 2003 11:29 pm, Rolf Brusletto wrote:
> Evan Nemerson wrote:
> >Is anyone aware of a way to get double quotes in the php.ini file? For
> >instance, I'd like to be able to set error_prepend_string to " >color=\"#ff\">" (which doesn't work).
> >
> >The only work-around I can
* Thus wrote Evan Nemerson ([EMAIL PROTECTED]):
> On Tuesday 28 October 2003 11:29 pm, Rolf Brusletto wrote:
> > Evan Nemerson wrote:
> > >Is anyone aware of a way to get double quotes in the php.ini file? For
> > >instance, I'd like to be able to set error_prepend_string to " > >color=\"#ff\">
Curt Zirzow wrote:
Try reversing the quotes:
error_prepend_string = "";
Not valid XHTML (not sure if it's even valid HTML).
--
The above message is encrypted with double rot13 encoding. Any unauthorized attempt
to decrypt it will be prosecuted to the full extent of the law.
--
PHP General Ma
On Tuesday 28 October 2003 11:10 pm, Leif K-Brooks wrote:
> Curt Zirzow wrote:
> >Try reversing the quotes:
> > error_prepend_string = "";
>
> Not valid XHTML (not sure if it's even valid HTML).
Yup. I've got the highlight_file thing from earlier working with ini entries,
and I'm wondering how pe
On Tuesday 28 October 2003 10:46 pm, [EMAIL PROTECTED] wrote:
> Evan Nemerson wrote:
> >Is anyone aware of a way to get double quotes in the php.ini file? For
> >instance, I'd like to be able to set error_prepend_string to " >color=\"#ff\">" (which doesn't work).
> >
> >The only work-around I c
Hi,
On Wed, 29 Oct 2003 02:10:49 -0500
Leif K-Brooks <[EMAIL PROTECTED]> wrote:
> Curt Zirzow wrote:
>
> >Try reversing the quotes:
> > error_prepend_string = "";
> >
> >
> Not valid XHTML (not sure if it's even valid HTML).
Why not?
- E -
__
D
On Tuesday 28 October 2003 11:59 pm, - Edwin - wrote:
> Hi,
>
> On Wed, 29 Oct 2003 02:10:49 -0500
>
> Leif K-Brooks <[EMAIL PROTECTED]> wrote:
> > Curt Zirzow wrote:
> > >Try reversing the quotes:
> > > error_prepend_string = "";
> >
> > Not valid XHTML (not sure if it's even valid HTML).
>
> Why
- Edwin - wrote:
Why not?
Because that's what the standard says.
--
The above message is encrypted with double rot13 encoding. Any unauthorized attempt
to decrypt it will be prosecuted to the full extent of the law.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: htt
On Wed, 29 Oct 2003 03:22:54 -0500
Leif K-Brooks <[EMAIL PROTECTED]> wrote:
> - Edwin - wrote:
>
> >Why not?
> >
> >
> Because that's what the standard says.
Interesting. Where?
- E -
__
Do You Yahoo!?
Yahoo! BB is Broadband by Yahoo!
http://bb.
On Tue, 28 Oct 2003 22:05:56 -0800
Evan Nemerson <[EMAIL PROTECTED]> wrote:
> On Tuesday 28 October 2003 11:59 pm, - Edwin - wrote:
> > Hi,
> >
> > On Wed, 29 Oct 2003 02:10:49 -0500
> >
> > Leif K-Brooks <[EMAIL PROTECTED]> wrote:
> > > Curt Zirzow wrote:
> > > >Try reversing the quotes:
> > > >
- Edwin - wrote:
Interesting. Where?
www.w3.org
--
The above message is encrypted with double rot13 encoding. Any unauthorized attempt
to decrypt it will be prosecuted to the full extent of the law.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/u
On Wednesday 29 October 2003 12:30 am, - Edwin - wrote:
> On Tue, 28 Oct 2003 22:05:56 -0800
>
> Evan Nemerson <[EMAIL PROTECTED]> wrote:
> > On Tuesday 28 October 2003 11:59 pm, - Edwin - wrote:
> > > Hi,
> > >
> > > On Wed, 29 Oct 2003 02:10:49 -0500
> > >
> > > Leif K-Brooks <[EMAIL PROTECTED]>
* Thus wrote Leif K-Brooks ([EMAIL PROTECTED]):
> Curt Zirzow wrote:
>
> >Try reversing the quotes:
> >error_prepend_string = "";
> >
> >
> Not valid XHTML (not sure if it's even valid HTML).
Sure it is, the quote character can be either ' or " and will
validate perfectly fine at w3c. now the fo
On Wed, 29 Oct 2003 03:29:13 -0500
Leif K-Brooks <[EMAIL PROTECTED]> wrote:
> - Edwin - wrote:
>
> >Interesting. Where?
> >
> >
> www.w3.org
? Sorry, *won't* find it there...
In fact, a quick Google search gives you this:
http://www.w3.org/TR/REC-html32
[quote]
Attribute values can be quo
On Tue, 28 Oct 2003 22:28:12 -0800
Evan Nemerson <[EMAIL PROTECTED]> wrote:
> On Wednesday 29 October 2003 12:30 am, - Edwin - wrote:
> > On Tue, 28 Oct 2003 22:05:56 -0800
> >
> > Evan Nemerson <[EMAIL PROTECTED]> wrote:
> > > On Tuesday 28 October 2003 11:59 pm, - Edwin - wrote:
> > > > Hi,
> >
Ed Curtis wrote:
I'm having some difficulty with quotation marks, both single and double,
input via a textarea in a form.
Here's and example of text.
Trying out the "Special Character" thing.
Page 1 is the form.
Page 2 is the data shown back to the user.
original POST data is not touched. NO strips
On Fri, 16 Jul 2004, John W. Holmes wrote:
> Let's say you have $_POST['text'] from the user.
>
> To display the value back to the user with magic_quotes_enabled, you'd
> do this:
>
> echo htmlentities(stripslashes($_POST['text']));
>
> To put the value into a hidden form element, you'd do this
On Fri, 16 Jul 2004 11:58:55 -0500 (EST), Ed Curtis <[EMAIL PROTECTED]> wrote:
>
>
>
> On Fri, 16 Jul 2004, John W. Holmes wrote:
>
> > Let's say you have $_POST['text'] from the user.
> >
> > To display the value back to the user with magic_quotes_enabled, you'd
> > do this:
> >
> > echo htmle
On Fri, 16 Jul 2004, Justin Patrin wrote:
> This is why he said: "Since you seem to have magic_quotes_gpc enabled,
> you can put the value directly into your query."
>
> You shouldn't use htmlentities when putting it into the DB. Use it
> when displaying the text.
I tried it both ways and it on
Ed Curtis wrote:
On Fri, 16 Jul 2004, Justin Patrin wrote:
This is why he said: "Since you seem to have magic_quotes_gpc enabled,
you can put the value directly into your query."
You shouldn't use htmlentities when putting it into the DB. Use it
when displaying the text.
I tried it both ways and i
On Fri, 16 Jul 2004, John W. Holmes wrote:
> Ed Curtis wrote:
> > On Fri, 16 Jul 2004, Justin Patrin wrote:
> >>This is why he said: "Since you seem to have magic_quotes_gpc enabled,
> >>you can put the value directly into your query."
> >>
> >>You shouldn't use htmlentities when putting it into
> Ok then, I want to know how to do it the right way but just using
> $_POST['text'], as stated before, in my query still cuts off the text at
> the quote.
>
> While passing this field between pages I don't do anything to it but when
> I want to show it to the user I would use stripslashes($_POST[
hi Jens,
PHP automatically escape the dangerous characters from the user input on
form submissions.
there are several ways to escape that back :
stripslashes()
urlencode()
htmlentities()
read about these, they will soon become your solutions.
Sincerely,
Maxim Maletsky
Founder, Chief Deve
Ah yeah, thx everybody
That does it and i am a littel pissed since i can go over alllooott of code
now to insert that. BATCH here i come!
Jens
on 12.03.2001 17:49 Uhr, PHPBeginner.com at [EMAIL PROTECTED]
wrote:
> hi Jens,
>
> PHP automatically escape the dangerous characters from the user in
It's a feature of PHP that it automatically escapes data submitted in
PUT/GET/etc.
It's nice in that it adds to how secure PHP code is, but it can be a hassle.
Not sure if there is a function which removes escape characters will leaving
normal backslashes alone. If you REALLY need to turn it off
> It's a feature of PHP that it automatically escapes data submitted in
> PUT/GET/etc.
It didn't seem to be happening with POST which is why I thought it odd, but
that probably means I didn't test properly :-)
> It's nice in that it adds to how secure PHP code is, but it can be a
hassle.
Out of
Hi Mark,
> > It's nice in that it adds to how secure PHP code is, but it can be a
> hassle.
>
> Out of curiousity, what are the security implications? Presumably a
failure
> to validate input properly leading to unintended actions, but I can't
think
> of any examples to help me decide whether to
I saw an article just a few days ago on "Hacking PHPNuke" that was an
excellant example of how the escape GPS thing saved a program from a major
security hole caused by a very minor oversite in less than 0.01% of the
code. Can't remember the name of the site...I think it was linked from
TheRegiste
> Anyway, it's not a big thing if you're _really_ stringent about how you
> check every single variable which is used in a database query,
> system/passthru/exec, or eval command, and your checking methods are
> flawless, but otherwise it's just best to go to the trouble of hacking
> around the in
Basically, use one of the escape functions :)
For instance, looking at this piece of code:
$result = mysql_query("SELECT * FROM table WHERE username='$username' AND
password='$password'");
Now, you have the variables $username and $password to worry about. Now we
ask ourselves, what characters
> Anyway, it's not a big thing if you're _really_ stringent about how you
> check every single variable which is used in a database query,
> system/passthru/exec, or eval command, and your checking methods are
> flawless, but otherwise it's just best to go to the trouble of hacking
> around the in
On Aug 5, 2010, at 10:10 PM, Rick Dwyer wrote:
> Hi List.
> I've mentioned before that I am both just beginning to learn PHP AND I have
> inherited a number of pages that I'm trying to clean up the w3c validation on.
>
> Something that confuses me is how the code on the page is written where in
On Thu, Aug 5, 2010 at 7:10 PM, Rick Dwyer wrote:
> Hi List.
> I've mentioned before that I am both just beginning to learn PHP AND I have
> inherited a number of pages that I'm trying to clean up the w3c validation on.
>
> Something that confuses me is how the code on the page is written where i
On Aug 5, 2010, at 10:43 PM, Michael Shadle wrote:
> On Thu, Aug 5, 2010 at 7:10 PM, Rick Dwyer wrote:
>> Hi List.
>> I've mentioned before that I am both just beginning to learn PHP AND I have
>> inherited a number of pages that I'm trying to clean up the w3c validation
>> on.
>>
>> Somethin
On Thu, Aug 05, 2010 at 10:10:26PM -0400, Rick Dwyer wrote:
> Hi List.
> I've mentioned before that I am both just beginning to learn PHP AND I have
> inherited a number of pages that I'm trying to clean up the w3c validation on.
>
> Something that confuses me is how the code on the page is writ
1 - 100 of 125 matches
Mail list logo
