I have textarea and i store it in mysql.
some special below when i up to mysql and load it to my area working well
!##$%^&*()_+-=~<>?{}[]|*-+/:;.,"`
(enter) character done with upload to mysql but not to reload. I try to reload with
str_replace("\n", "\\n",$string);
and it working well
When i up to mysql some special below characters not working
\'
I try typing double character above it work for upload to mysql but not to reload
typing '' to mysql ' but i want typing ' to mysql '
How can i work with some error charactor above (up and reload) with best way. thanks
Update my way
When i up to mysql i using
addslashes($string)
and when i reload i using
str_replace("\n", "\\n",addslashes($string))
It's done with my case thanks all
Try htmlentities with ENT_QUOTES
Also, "\n" is a one char. You have to replace it with your code. But also you must do back convert when saving.
http://www.php.net/manual/en/function.htmlentities.php
echo htmlentities($str, ENT_QUOTES);
might work but subject to mysql escaping, so a possibly better solution
http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
/.htaccess
php_value magic_quotes_gpc off
will prevent php auto-adding the slashes, you can then add them in sql with
mysql_real_escape_string()
in your sql statement
and removing them upon read [for textbox] with
stripslashes()
http://www.php.net/manual/en/function.stripslashes.php
to display in a DIV you'd have to htmlentities() as explained above
Related
I have some question about saving html code in mysql database
every time when I put the charter " ' " in the database it changes to " / ".
Example:
somthing like that
<p>That's my name</p>
After saving it look like this:
<p>That\'s my name</p>
what can i do?
thank u all
Use parameterized queries to escape data going into the database
Use nothing else to escape data going into the database (otherwise you will double escape which can use this problem)
Do not use mysql_real_escape_string
Do not use addslashes
etc
Do not escape data coming out of the database (since that will cause this problem)
Make sure magic quotes are disabled (since having them turned on will escape data going into and out of the database and cause this problem).
You are using addslashes like escape functions in your code.
addslashes() — Quote string with slashes - http://php.net/manual/en/function.addslashes.php
stripslashes() — Un-quotes a quoted string - http://php.net/manual/en/function.stripslashes.php
Use stripslashes to remove '\' from HTML data. Actually (') is used define string in MySql, so it ecaspe it (by putting \ in-front) in order to avoid any unintentional use.
For example I want to store the String "That's all". MySQL automatically escapes the ' character. How do I echo that String from the database using php but remove the \ in front of escaped characters like \' ? I would also like to preserve other formatting like new lines and blank spaces.
Have you tried stripslashes(), regarding the linebreaks just use the nl2br() function.
Example:
$yourString = "That\'s all\n folks";
$yourString = stripslashes(nl2br($yourString));
echo $yourString;
Note: \\ double slashes will turn to \ single slashes
You should probably setup your own function, something like:
$yourString = "That\'s all\n folks";
function escapeString($string) {
return stripslashes(nl2br($string));
}
echo escapeString($yourString);
There are also several good examples in the nl2br() docs
Edit 2
The reason your are seeing these is because mysql is escaping line breaks, etc. I am guessing you are using mysql_* functions. You should probably look into mysqli or PDO.
Here is an example:
$yourString = "That's all
folks";
echo mysql_escape_string($yourString);
Outputs:
That\'s all\r\n folks
If you use prepared statements, those characters will not be escaped on insert.
Use stripslashes() to remove slashes if you cannot avoid adding slashes on input.
At first, magic_quotes_gpc escapes the character like ' or ". You can also disable this in your php.ini. But then you should escape the things yourself that no query can get "infected".
Lookup mysql injection for more information.
When the escaped string is been written in your database. The string doesn't contain theses escape charakters and when you output them again. You should see the result as you want it.
Me for myself prefer the method by storing everything without escapes and escape or display things when I output them. You could also easily use an str_replace("\n", "", $text) to prevent newslines are displayed.
Greetings MRu
I have a form that has some text inputs. When I add them to my db I get a '\' character before each special character {', ", etc}. I want to remove the '\' before entering the text into the DB but so far I have been unable to. I tried doing in the PHP before I execute the query:
$title_str = str_replace('\'','',$_POST['main_title']);
But it did not work.
Thanks,
Sounds like magic quotes are still turned on. You should disable them. This is a perfectly safe thing to do.
http://www.php.net/manual/en/security.magicquotes.disabling.php
Also, be sure to use prepared queries (with PDO or similar) when inserting data in your database to avoid SQL injection problems.
I am using php5.3.6 and mysql 5.1.56 and CodeIgniter. Here is what I did.
Input some text in textarea, something like this:
what's this?
I'm bob.
$string = $_POST['name'];
$insertdata = mysql_real_escape_string($string);
Insert $insertdata into database.
It shows "what\'s this?\n\n\nI\'m bob."(without double quotes) in the table.
Query the data stored in database, use stripslashes on it and then put it back to the textarea.
It shows "what's this?nnnI'm bob."(without double quotes) in the textarea.
My questions are:
In step 4, shouldn't it be "what\'s this?\n\n\n I\'m bob." stored in the table?
I checked php manual. It says:
mysql_real_escape_string() calls
MySQL's library function
mysql_real_escape_string, which
prepends backslashes to the following
characters: \x00, \n, \r, \, ', " and
\x1a.
How am I supposed to keep the textarea input format after using mysql_real_escape_string()?
Is there anyway to choose which slash to strip and which not to?
Notes:
magic quotes option is off
I did not use stripslashes() before
using mysql_real_escape_string()
If I use addslashes() instead of
mysql_real_escape_string(),
everything works fine.
I don' want to use addslashes() since
it is not as secure as
mysql_real_escape_string(), as far as
I know.
Thanks,
Milo
This really does feel a lot like magic_quotes_gpc = On. Are you disabling it in php.ini or at runtime? It needs to be the former, otherwise it'll remain on.
http://www.php.net/manual/en/security.magicquotes.disabling.php
The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In otherwords, use of ini_set() is not an option.
Short answer:
// double quotes are *very* important, or chars are not interpreted
$text_from_db=str_replace("\\r","\r",str_replace("\\n","\n",$text_from_db));
Long answer
Pretty simple but tricky.
You write your textarea and hit the "return" key, there is placed a \r\n (on Windows systems) with slashes that escape the "r" and "n" letter rising their special meaning of carriage return and newline.
You actually can't see them because they are "not printable" chars.
The slash char itself (0x1B) is invisible, that is a single slash is a "not printable" char, to make it visible you have to "transform" it in a printable slash char (0x5C) and to achieve that you have to double it "\\".
Now back to the question: if you can read the slash, probably that's beacuse that slash is not the 0x1B but rather 0x5C, so the "n" and "r" lose their special meaning and you get them as mere strings.
The code I posted does this conversion, converting the "[0x5C]n" string in a "[0x1B]" char.
Notes
Hope this helps, it did for me. IMPORTANT : it is not normal that the text that comes from the db has this issue if it has been stored correctly. My suggestion is to triple check insertion and retrieving because (given from the issue) you could be applying the quoting twice somewhere.
The Best Solution..
$insertdata = mysql_real_escape_string($string); (You can insert it in your database if you want)
echo stripslashes(str_replace('\r\n',PHP_EOL,$insertdata)); (The output is exactly as your input was)
You must escape data before inserting it into the database, to ensure you do not produce broken queries and to avoid SQL injections.
However, when you retrieve that data via a SELECT, you'll receive the data unescaped, ready to be used.
MySQL escapes the string, but when displaying the result back to you it will give you the same result as if it was unescaped.
On my site users can add content to the database via a form. I want the users to be able to type anything in the form and for it all to be added to the database how they have entered it. At the moment I'm getting problems with a number of characters, namely slashes, &, ? etc.
What is the best way to allow all characters to be added to the database correctly?
Also, do you have to decode them when displaying them for it to work correctly? If so, how do I do that?
When saving, use mysql_real_escape_string (or PDO) to protect against SQL injection attacks. This will make it possible to write quotes and backslashes without destroying the SQL query.
<?php
$text = mysql_real_escape_string($_POST['text']);
mysql_query('INSERT INTO table(text) VALUES("'.$text.'")');
?>
When printing the data to a browser (with echo), first run it through htmlspecialchars to disable HTML and solve your current problem:
<?php
// ...fetch $text from db here...
echo htmlspecialchars($text);
?>
htmlentities() may help you encode and decode html characters:
You can also use nl2br() to preserve line breaks from textarea elements:
Also you should use PDO for your database needs as it is much more secure than the old method of escaping data, mysql_real_escape_string()