First, why are you using stripslashes? addslashes escapes special characters (roughly; you should really be using mysql_real_escape_string()), MySQL doesn't store the slashes, ergo you don't stripslashes on the way out because there are none (if there are, you probably had magic_quotes_gpc turned on in the first place; the wisdom of that is left for another day).
Second, you haven't given anywhere near enough information to help you.
James Sleeman
I see; apologies for the lack of information, but there isn't really much else to add.
You could go here and fiddle with it, if you want.
http://www.coeleveld.nl//idb/admin.php
followed by:
http://coeleveld.nl/idb/admin.php?actio … t01&class=
Edit any of the items you want.
You can use the panels section to browse the PHP code (check out the 'script' class objects).
Should be quite straightforward.
I'll look into mysql_real_escape_string.
I found this:
===============================================
If anyone is using addslashes to escape strings before putting them in the database and thinks they should "upgrade" to mysql_real_escape_string because it is safer (as the instructions above seem to imply): if you read mysql's manual for the function that is being called by php, it says
--QUOTE
Strictly speaking, MySQL requires only that backslash and the quote character used to quote the string in the query be escaped. This function quotes the other characters to make them easier to read in log files.
ENDQUOTE--
So if you're using addslashes, which escapes single and double quote and backslashes, you're OK.
===============================================
http://nl2.php.net/mysql_real_escape_string
Guess I should upgrade to 'mysql_real_escape_string'...
Will look into things.
Regarding magic quotes (no idea what they're about and whether they should be on or off...):
http://coeleveld.nl/zzz.php
Cheers,
Harald
You should use mysql_real_escape_string instead of addslashes because who knows if mysql will change in the future to need something else quoted.
You have magic_quotes_gpc turned on. This means that anything in $_GET/REQUEST/POST will already have slashes added to it, invisibly and automatically.
I strongly suspect it's a problem in your PHP, not us. Can you duplicate using the example code?
James Sleeman
I have removed addslashes/stripslashes.
I have also introduced mysql_real_escape_string when saving to MySQL.
Result: For title and content fields, special characters are lost. If I enter characters like single quotes or backslashes, afterwards, the fields are empty.
Disable Magic quotes ?
If you are escaping, and still have magic_quotes on, then you're going to be double escaping. Sounds also like you might not be using htmlspecialchars()/htmlentities() in the appropriate places.
James Sleeman
Note: title = input field, body = Xinha textbox:
View / List:
$title = stripslashes($row["strContentTitle"]);
$body = stripslashes($row["strContentBody"]);
Edit:
$title = htmlspecialchars(stripslashes($row["strContentTitle"]),ENT_QUOTES);
$body = stripslashes($row["strContentBody"]);
Save:
$title = mysql_escape_string($_REQUEST["title"]);
$body = mysql_escape_string($_REQUEST["body"]);
I have copied & pasted the following in the Edit form:
\ ' \\ '' ''' \' '\ '\' \\''\\ "aaa" a"
The view, edit and list parts of my web page display the contents properly:
\ ' \\ '' ''' \' '\ '\' \\''\\ "aaa" a"
After editing and saving with Xinha, the database records look like this:
title:
\\ \' \\\\ \'\' \'\'\' \\\' \'\\ \'\\\' \\\\\'\'\\\\ \"aaa\" a\"
body:
\\ \' \\\\ \'\' \'\'\' \\\' \'\\ \'\\\' <a href=\"file://\\\\\'\'\\\\\">\\\\\'\'\\\\</a> "aaa" a"
I am not sure if I would want things double quoted in the database, but this seems to be the only foolproof solution that at least is working properly.
My 2 cents:
addslashes, stripslashes, htmlspecialchars/entities, mysql_(real)_escape_string, urlencode, backquoting, single/double quotes, ENT_QUOTE, etc. are evil.
Note: I used single quotes in HTML as I don't like to have to backquote each and every " character in PHP. Yes, I felt reckless...
I want my application to work regardless of Magic Quotes.
Any tips for a foolproof function that covers the transition from form field to database record and back?
Ok, some PHP 101, this code (incomplete of course) shows how one might handle modifying a record of a database table..
<?php
// ... connect to database etc ...

// First, get rid of magic quotes if they were added in, magic quotes are evil
if(get_magic_quotes_gpc())
{
    foreach(array_keys($_REQUEST) as $k)
    {
        if(!is_scalar($_REQUEST[$k])) continue;
        $_REQUEST[$k] = stripslashes($_REQUEST[$k]);
    }
}

// Now was the form submitted?
if(isset($_REQUEST['Submit']))
{
    // Yes, lets update the data: escape the string value, cast the id to int
    mysql_query("UPDATE Blah SET FOO = '" . mysql_real_escape_string($_REQUEST['FOO'])
        . "' WHERE BlahID = " . ((int) $_REQUEST['BlahID']));
}

// We presume we were given BlahID on the request, lets get the value
$q = mysql_query("SELECT FOO FROM Blah WHERE BlahID = " . ((int) $_REQUEST['BlahID']));
$r = mysql_fetch_assoc($q);
$FOO = $r['FOO'];

// Lets display a form, if FOO was submitted already, lets put that in the value for example sake
// ($PHP_SELF only exists with register_globals on, so read it from $_SERVER and escape it)
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="post">
<input type="hidden" name="BlahID" value="<?php echo htmlspecialchars($_REQUEST['BlahID']) ?>" />
<textarea name="FOO"><?php echo htmlspecialchars($FOO) ?></textarea>
<input type="submit" name="Submit" value="Submit" />
</form>
See how we stripslashes from the request variables if magic quotes have been turned on (the procedure above is just a trivial example, you should use a better one because REQUEST could contain arrays of values of course), we escape the string value being put into the SQL, and we cast the BlahID to an int to be sure that we don't put in anything nasty from the user. Then when writing out the form we use htmlspecialchars to "escape" the special characters both for the value="" attribute and inside the textarea, which are both #PCDATA (see HTML specification).
Here is a better function for cleaning up after magic quotes does its dirty business...
function clean_magic_quotes()
{
    // Stop PHP adding slashes to data read at runtime (files, database results)
    set_magic_quotes_runtime(0);
    if(get_magic_quotes_gpc())
    {
        // trigger_error('Magic Quotes GPC is on, cleaning GPC.', E_USER_NOTICE);
        // Work queue of arrays (by reference) still to be cleaned; nested arrays get appended
        $to_clean = array(&$_GET, &$_POST, &$_REQUEST, &$_COOKIE);
        while(count($to_clean))
        {
            // array_pop needs a real variable, so take the keys into one first
            $keys = array_keys($to_clean);
            $last = array_pop($keys);
            $cleaning =& $to_clean[$last];
            unset($to_clean[$last]);
            foreach(array_keys($cleaning) as $k)
            {
                if(is_array($cleaning[$k]))
                {
                    $to_clean[] =& $cleaning[$k];   // descend into nested arrays later
                }
                else
                {
                    $cleaning[$k] = stripslashes($cleaning[$k]);
                }
            }
        }
    }
}
James Sleeman
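To see concretely why Harald's database ended up holding the slash-doubled title shown earlier, and why the stripslashes step in James's clean_magic_quotes() fixes it, here is an added Python model of the escaping layers (not code from the thread or from Xinha; addslashes, stripslashes and the MySQL literal rules are re-implemented here, and HARALD_INPUT is the test string pasted into the edit form above):

```python
import html
import re

# Model of the PHP/MySQL escaping layers from this thread, so the round trip
# browser -> $_REQUEST -> SQL literal -> column -> HTML can be traced without PHP or a DB.

def addslashes(s: str) -> str:
    """PHP addslashes(): also what magic_quotes_gpc applies to every request value."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))

def stripslashes(s: str) -> str:
    """PHP stripslashes(): undo one level of addslashes(); a lone trailing backslash is dropped."""
    return re.sub(r"\\(.|$)", lambda m: "\0" if m.group(1) == "0" else m.group(1), s, flags=re.S)

def mysql_real_escape_string(s: str) -> str:
    """Escaping applied before a value is placed inside a '...' SQL literal."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)

def mysql_literal_value(body: str) -> str:
    """What MySQL stores after parsing the body of a '...' literal (one escape level removed)."""
    table = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a", "b": "\b", "t": "\t",
             "%": "\\%", "_": "\\_"}
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(1)), body, flags=re.S)

def stored_value(form_input: str, magic_quotes_gpc: bool, clean_first: bool) -> str:
    """Trace one field: browser -> $_REQUEST -> (clean_magic_quotes) -> SQL -> column."""
    request = addslashes(form_input) if magic_quotes_gpc else form_input
    if clean_first and magic_quotes_gpc:
        request = stripslashes(request)           # the stripslashes step of clean_magic_quotes()
    sql_body = mysql_real_escape_string(request)  # goes between the quotes of the UPDATE
    return mysql_literal_value(sql_body)          # what the column actually holds

def render_for_html(column_value: str) -> str:
    """Output side: escape once for #PCDATA / attribute context, never stripslashes."""
    return html.escape(column_value, quote=True)

# Harald's test string from the thread (the value pasted into the edit form's title field).
HARALD_INPUT = "\\ ' \\\\ '' ''' \\' '\\ '\\' \\\\''\\\\ \"aaa\" a\""
```

With magic quotes on and no cleaning, the column holds addslashes(HARALD_INPUT), which is exactly the "title" row shown earlier; with the cleaning step, or with magic quotes off, the column holds the input unchanged.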
Many thanks for taking the time & effort to explain some of these things. The combination of magic quotes, use of single/double quotes, backquoting, HTML special character conversion, etc is quite a challenge to overcome / obvious pitfall. I will look into your script a.s.a.p. If anyone has encountered these difficulties before and has a 100% complete solution, I'd be much obliged.
Cheers & many thanks for your help,
Harald
Got it.
Some tips for newbies (like me):
Xinha is a WYSIWYG HTML editor.
You do your desktop publishing stuff on the one side (insert images, paste formatted text, etc).
On the other side Xinha then outputs HTML compliant code under the hood.
Now, with the examples James posted earlier, you can build an 'edit form' that is:
a) independent of (the evil) Magic Quotes PHP setting.
b) SQL safe; all special characters are nicely backquoted using mysql_real_escape_string.
You could also create View, List or what have you HTML forms that display the contents of these records.
When displaying Xinha data, you should be fine.
If however, just like me, you have some other text fields like 'title' or 'author' and in the database you wish to store the literal text, without HTML formatting (like me), you have to take special care that the text is formatted properly in your HTML source code. So before displaying a 'raw' text string containing ' or " or \ characters, you might want to parse it through htmlspecialchars, or better, htmlentities. You can even fiddle with the quotes behaviour (ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES).
In the end, you will find out that for htmlspecialchars/htmlentities:
a) the quotes behaviour is irrelevant.
b) it does not convert whitespaces; text with multiple whitespaces appears as having only 1 whitespace.
I used the following function to parse all my field data used in a 'view' or 'list' form that is not managed by Xinha (because Xinha is goooood).
function text2html($string, $quote_style=ENT_COMPAT)
{
    // htmlentities returns the converted string, it does not modify its argument
    $string = htmlentities($string, $quote_style);
    // keep runs of spaces visible in HTML (the entity was lost when the post was rendered)
    $string = str_replace(" ", "&nbsp;", $string);
    return $string;
}
===
One small remark: I am not sure if I should run "clean_magic_quotes" only on my edit form or in any form where I use $_REQUEST["var"] ? Or perhaps do store the contents of these fields as HTML encoded text ? Naaah; would be annoying to read in phpmyadmin, or to reuse if ever in another app. For non-textbox text fields I would like to contain the literal text. Very puzzling, all this...
Last edited by c0 (2005-11-28 16:37:34)
When I am developing in PHP, I do it in my own framework. The first thing my framework does, on every request, is clean_magic_quotes(). Reason is simple: I don't want PHP silently ("magically") changing my data by adding slashes to it, or you get into situations like these where you don't know what is escaped and what's not and whether you need to strip or add or ....
This is just one of the reasons that magic_quotes_gpc is probably going to be removed for PHP 6 :-)
James Sleeman