I wasn't exactly sure how to word this, but essentially what I need is so when I send a SELECT query in MySQL, it doesn't pay attention to the escape character ( \ ) in the search. For example, if the name I am searching for is foo'bar and I send foo\'bar to the server, is there a way to make the server find foo'bar? This is the MySQL query currently:
function escape_data($data) {
$data = mysql_escape_string (trim($data));
$data = strip_tags($data);
return $data;
}
$champ1 = escape_data($_GET['champ1']);
foreach($db->query("SELECT * FROM champs WHERE name = '$champ1'") as $row) {
$role_verify_1 = $row[$role];
}
the only way I can get foo'bar to return is if I change it to foo\'bar in the MySQL database and I would like not to if it is possible.
The function you want is stripslashes before mysql_real_escape_string, however your real concern should be where the slashes are actually coming from - it looks like you might have magic quotes turned on. This is deprecated - check the link for instructions on disabling it.
The Syntax at PHP requires that.
For example;
name = '$champ1'
Here you have a variable in ' tags. But that variable includes ' inside like foo'bar, its turn to that.
name = 'foo'bar'
as you see php can't understand what is going on there. So it need to clear that problem like adding before ' an \. And inserted item will have slashes before aphostropes.
As a solution you can delete the backslashes before you echo the variable.
$theVariable = str_replace("\", "", $theVariable);
Or you can use PHP's upper version's functions. like stripslashes() before you insert your data.
Good luck.
Related
The code below takes a string protects its using mysqli_real_escape_string.
but not geting expected output working fine without the mysqli_real_escape_string but need that for protection.
$str = mysqli_real_escape_string($con,$_POST['str']);
/*
get each word in the sentence using for-loop then
*/
switch($eachword){
case ':)': $eachword = '<img src="smile.gif">';
break;
/*
and so forth and so on
*/
}
$newstr .= $eachword;
//for-loop ends
**mysqli_query($con,"insert into tbl(comment)VALUES($newstr)");**
e.g
input : $str = "here i am :) fine";
expected output : $newstr="here i am <img src="smile.gif"> fine";
curernt output : $newstr="here i am :) fine";
UPDATE
NOW everything works fine. Thanks to supporters.
You are running mysqli_real_escape_string over some data immediately before … not using at all in your code sample. So it doesn't make any sense.
Use mysqli_real_escape_string immediately before inserting the variable into a string of SQL and nowhere else. (Better yet, use prepared queries and bound arguments).
If you are trying to defend against XSS, then use htmlspecialchars immediately before inserting a variable into a string of HTML.
Don't use either before comparing user input to some text.
UPDATED
Note that you must be already connected to a database, for mysqli_real_escape_string to work, because it takes into consideration, the default character set of your selected database. Are you connecting to a database before using it?
And in your question, I don't even see a query. There will be no advantage in using mysqli_real_escape_string unless you're going to insert the passed string into a database.
Now I see that you're replacing smileys with tag, then you're inserting it into a database. However, if I were you, I would do the following :
function ParseSmiley($str)
{
$smileys = array(
':)' => "<img src='smile.gif' />" //Put all your smileys in this array
);
$parsed_string = strtr($str, $smileys);
return $parsed_string;
}
When you're inserting your content into database, do not convert it into tags. Instead, when you display it, use the function ParseSmiley()
$parsed_string = mysqli_real_escape_string($con,$_POST['str']);
mysqli_query($con,"INSERT INTO tbl (comment) VALUES ($parsed_string)");
Then when you want to display the content, let's say the string is in $content, display it like this :
echo ParseSmiley($content);
I am learning PDO after the many people telling me to do so. However in updating one of my scripts, PDO is causing me a problem that I'm not sure how to fix.
My problem is a user will input the title to the website. Say its "Smith's Inventory".
Since the whole PDO switch, it is saved in the db as "Smith\'s Inventory". Which is output in various places on my website. Such as the header, the html title, and the settings text box. If you click save again with \', then you get \\', and so on.
I realize why this is done, but how can it be fixed?
Here is the instert code:
foreach ($_POST as $key => $value)
{
$sql = $dbh->prepare("UPDATE settings set value=? where variable=?");
$sql->bindParam(1, $value);
$sql->bindParam(2, $key);
$sql->execute();
}
echo '<h2><font color=green>Saved</font></h2>';
Looks like you are double escaping the data.
The most likely reasons for this are:
Your PHP install has magic quotes enabled — best to turn them off
You are using something like mysql_real_escape_string and prepared statements with placeholders — use only the latter
I've had this problem before, it was due to PHP magic quotes. PHP automatically inserts a slash to escape 'risky' characters in order to prevent sql injection.
You need to either disabled magic quotes on your php install or use the stripstashes function just before you output it.
http://php.net/manual/en/security.magicquotes.disabling.php
http://php.net/manual/en/function.stripslashes.php
You can read about magic quotes here:
http://www.tizag.com/phpT/php-magic-quotes.php
You can use stripslashes on the PHP side.
<?php
$str = "Is your name O\'reilly?";
// Outputs: Is your name O'reilly?
echo stripslashes($str);
?>
<?
//SQL SELECT HERE
$result = mysql_query($sql);
$options = '';
while ($row = mysql_fetch_array($result)) {
$options .= '<option>Data: ' . $row['data'] .'</option>';
}
?>
$("#multiSelect").html("<?=$options?>");
The above is a PHP query inlined in a javascript function. It's goal is to populate a multiselect. The issue is that when $row['data'] contains something with double quotes jQuery doesn't like it and complains. When I remove the row containing double quotes it works fine.
How can I get around this? Is this normal behavior of jQuery.
Try to addslashes: http://php.net/manual/en/function.addslashes.php
It's because your call is being coming out as something like:
$("#multiSelect").html(""Hello"");
Most programming languages will have problems with that - they assume that the first quote you're adding ends the string you're passing in, and that the next text should be a valid piece of code.
You can get around it by escaping the quotes, removing them, or substituting them to something else:
$("#multiSelect").html("<?=addslashes($options)?>");
$("#multiSelect").html("<?=str_replace('"', '', $options)?>");
$("#multiSelect").html("<?=str_replace('"', '\'', $options)?>");
Depending on what the input text is likely to be.
WHY WHY WHY would you build the options with the code behind and than set it with jQuery? Why can't PHP just set it itself?
You need to escape the quotes with a \
"Man it is \"hot\" in here"
So I was just testing out the mysql_real_escape(); function and what that does is puts a \ before the ". The when the content is echoed back out onto the page I just get content with \'s before any ". So let's say I posted """""""""""""""""""""""""""" all I get is \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\" echoed back.
Is there some code to remove the \ when it's echoed back onto the page?
By adding those slashes, mysql_real_escape_string just converts the string into the input format for the database. When the data comes out of the database, it should come out without any of the slashes. You shouldn't need to remove them yourself.
Using stripslashes like others are suggesting would do the opposite of mysql_real_escape_string in most cases, but not all of them, and you shouldn't rely on it for that purpose. Mind you, if you find yourself needing to use it for this, you've already done something else wrong.
stripslashes()
http://php.net/manual/en/function.stripslashes.php
You don't need to unescape, ie. remove the slashes - they don't get inserted into the DB. They are only for passing data to MySQL, they are not written to the db. When you SELECT the data, you won't see the slashes.
Do you know how mysql_real_escape() works. Hint: It allows to encode string for SQL usage. For example mysql_query('SELECT * FROM users WHERE name="'.mysql_real_escape_string($name).'"');. It can be used to insert string which won't escape the quotes for example like " or 1=1 -- " making SELECT * FROM users WHERE name="" or 1=1. You have to activate it just before inserting it database.
When you will read this data, slashes won't exist in any way.
Actually, looking at what is below, I will make this answer, not comment...
i am using rawurlencode($url_variable) while passing to a script..
when i receive the variable in the script ,before passing this variable to mysql ,i was doing mysql_real_escape_string . now the problem is like when there is a variable like
$url_variable = "Off-St.Mark's-Road" ...after i do mysql_real_escape_string it become slike
Off-St.Mark\\'s-Road .
which is creating a problem in mysql query ...
how i get over this...rawurlencode is necessary to pass variables to the script and i want to do mysql_real_escape_string to make the data safe...
Looks like magic_quotes_gpc is turned on on your server, try this:
if (get_magic_quotes_gpc())
{
$text = stripslashes($your_var);
}
$text = mysql_real_escape_string($text);