Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
How can I fix contractions in php so they do not show up with the backslash? It is showing up with the slash in my iOS and android applications, so I have checked the backend but I am not sure what to do.
I'm guessing you have magic_quotes enabled to your server. That mean's if you $_POST some data, it auto*magic*ally adds quotes to your $_POST data. (It sucks, i know, that's why it's deprecated by now). That means if your data is going into your database from a php $_POST that's the source of the problem.
Turn off that thing http://php.net/manual/en/security.magicquotes.disabling.php and then clear your already "magic-quoted" data in your MYSQL database by doing a REPLACE
UPDATE your_content_table SET your_content_column = REPLACE(your_content_column, '\\\'', '\'');
This way, your problems will go away and never happen again.
Data that resides in database must be in pure form, without any escaping. The escaping prior to display is not something for the database to do, its a display problem and you need to handle that wherever you display something.
If the above is not the case, then just perform stripslashes($yourstring) to get a string without that backslash. But this is just a bandaid, you need to fix the problem at its source.
You can use php's function stripslashes:
<?php
$str = "Is your name O\'reilly?";
// Outputs: Is your name O'reilly?
echo stripslashes($str);
?>
http://fr2.php.net/manual/en/function.stripslashes.php
EDIT
As per #Quentin\'s comment below, better if the slashes weren't added in the first place.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I have a form with a text field a user can edit, which will create a page on the website containing the text entered. How can I ensure the resulting page doesn't show anything malicious, no links, images or code, just raw text? Currently from php I'm using htmlspecialchars(), and when displaying the text on the page it's within xmp tags. Is that enough, or should I explicitly do things like validating against script tags etc?
edit: This question is different to the suggested question, because I'm not using sql.
edit 2: I accepted strip_tags. I'm now validating user input from php with htmlspecialchars(strip_tags("input")), and wrapping in xmp tags when displayed.
You can use strip_tags - it will remove everything in tags. http://php.net/manual/en/function.strip-tags.php
First of all: use prepared statments for your database storing, updating etc etc...
Second: You should escape the output using htmlspecialchars() function, It will just convert special characters to HTML entities, so if you put a script tag in there, It will not run.
Unless you want your users to post code just like here in StackOverflow, you can just use strip_tags() function as #user2182349 pointed out.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
can anyone help me to solve my query?
I want to execute php unlink command which is store in DB.
For example:
?php echo eval("?>".unlink('abc.txt')."<?") ?>
Please
?> is a closing PHP tag, and <? is a short open PHP tag, so at a minimum, you have those backwards.
In your code, you don't need these PHP tags at all. They are meant for the parser, not for eval(), which is already in PHP mode.
The best thing to do is not store this sort of thing in your database. I can't think of a single reason why you would put PHP code in your database values. You should instead have that file name, and then run a for loop over the results to unlink.
Basically, your entire solution is broken. You can start by removing those backwards PHP tags and it will work... but is that really what you want? Probably not.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I'm stuck with this problem which seems relatively simple. I have a table full of product id numbers stored as variable $partnumber. When processing changes in inventory I need to know if an entire $partnumber string is within another $partnumber string.
For example, I need to know if PRA-LGL70-B2-BKWH-EC-L69A7330 exists within other variable strings such as the ones below.
PRA-LGL70-B2-BKWH-EC-L69A7330
PRA-LGL70-B2-BKWH-EC-L69A7330-L6901
PRA-LGL70-B2-BKWH-EC-L69A7330-L6901-L5156
There are tens of thousands of these partnumbers in a table and I've been told that preg_match might be too slow. Unfortunately, I cannot change the actual data so the only potential delimiter is "-". I'm sorry that I don't have any source code because I just started on this problem. Can anyone point me in right direction?
Without more details it is hard to know the requirements of your problem. As mentioned in the comments, it is probably better to do this in the database. But to directly answer your question - PHP - Searching for a variable match within another variable use strpos():
$partnumber = 'PRA-LGL70-B2-BKWH-EC-L69A7330-L6901';
$search_for = 'PRA-LGL70-B2-BKWH-EC-L69A7330';
if (strpos($partnumber, $search_for)!==false)
echo "Match found";
Note: stripos() will do the same thing, but will not consider case.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
How can I submit any kind of symbols to php and update it into my database tables? When I use some symbols ('!##$%^&*()_+=), it does not update the database table.
Can anybody help me?
You can use the htmlspecialchars() in which you can find the documentation here.
http://us.php.net/htmlspecialchars
Use function htmlentities()
The values will not be stored in the database as they are like ('!##$%^&*()_+=) but this function will change your " to " and other characters respectively.
Keep aware yourself of SQL Injection and XSS. If you do not filter your inputs properly then your code will be vulnerable to script kiddies.
You could use the htmlentities() function. It's the best solution I think.
If you really really don't want to use this function for some reason you can always change the column type to text instead of varchar.
Edit: sorry for using the wrong function. You guys are right. Maybe mysql_real_escape_string() does the job but probably it would only take care of the quotations.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
Are there any known points to be careful about buffer overruns in PHP? Currently I take an email address from a form, run it through preg_match to check it's only a single address, call the mail function with it, and store another load of form data in a database using PDOStatement::bindValue().
Anything to worry about?
If you are asking if it's possible to write code in PHP that contains buffer overflow vulnerabilities, then the answer is no. You can't have those in PHP, it manages the memory for you and you can't directly alter the memory. The only scenario is that PHP itself has a (security) bug, which you can mitigate by keeping PHP up to date.
In addition to using preg_match to check for proper formatting, I wouldn't do anything with user input without checking its length first. I could probably come up with a 10,000 character string that would pass a simple formatting check.