How to prevent database from adding slashes to quotes - php

I know this sounds really common and so trivial, but I am having a challenge here. I have a web site with Zend/Doctrine and I use CKEditor for the backend management. After uploading the site I've realized during edit testing that the look and feel of the site is messed up.
With the help of Firebug, I've seen that there are slashes all over the HTML. After inline editing, the look and feel came back to normal. There are so many files, I can't think of doing other decoding before outputting data from MySQL.
What options do I have to solve this problem? The site is up already and I feel a bit uncomfortable about this. Can anyone give a hint? Thanks

It might be magic_quotes_gpc. Can you verify that it's turned off?
Here is a way to turn it off:
http://php.net/manual/en/security.magicquotes.disabling.php
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.
Also, are you using prepared statements? PHP PDO/MySQLI will escape automatically for you. Depends on the type of queries you're using.

It seems like your data is getting double escaped before being inserted into your database. Are you using mysql_real_escape_string or addslashes before inserting data into the database? If so, maybe you want to use stripslashes before you insert your data like so:
mysql_real_escape_string(stripslashes($data));
Or else you could theoretically call stripslashes after you take the data out of the database:
stripslashes($data);
The second approach is less desirable, though. It would be better to have the data properly stored in the database.
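A worked version of the double-escaping chain described above, added here as an example rather than code from any answer on this page. It assumes PHP with the pdo_sqlite extension so the insert can run stand-alone (the question used MySQL, but driver-side quoting in a prepared statement behaves the same way).

```php
<?php
// Added example: why magic_quotes_gpc plus a second escape stores extra backslashes,
// and the fix: undo magic quotes exactly once at the input boundary, then let a
// prepared statement do the quoting. Uses in-memory SQLite so it runs stand-alone.

// True only on PHP < 8 with magic_quotes_gpc=On; the function no longer exists on PHP 8.
function magicQuotesOn() {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Strip the magic-quotes layer once, recursing into nested request arrays.
function undoMagicQuotes($value, $on) {
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$on ? stripslashes($k) : $k] = undoMagicQuotes($v, $on);
        }
        return $out;
    }
    return $on ? stripslashes($value) : $value;
}

// Constructed sample: what a script would receive for the POST value
//   <p style="color:#000">it's</p>   when magic_quotes_gpc is On.
$postedHtml = '<p style=\\"color:#000\\">it\\\'s</p>';

// Broken path from the question: escaping again on top of magic quotes and then
// storing that string literally doubles every backslash.
$doubleEscaped = addslashes($postedHtml); // stand-in for mysql_real_escape_string()
echo "broken path stores: ", $doubleEscaped, "\n";

// Fixed path: undo magic quotes once (the sample was built with them On, so pass
// true here; a real request would pass magicQuotesOn()), then bind the value.
$clean = undoMagicQuotes($postedHtml, true);
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE page (id INTEGER PRIMARY KEY, html TEXT)');
$stmt = $pdo->prepare('INSERT INTO page (html) VALUES (:html)');
$stmt->execute(array(':html' => $clean)); // the driver quotes; no backslashes are added
$stored = $pdo->query('SELECT html FROM page')->fetchColumn();
echo "fixed path stores:  ", $stored, "\n";

// When the stored markup is written back into a textarea (e.g. to reload an editor),
// escape it for the HTML context on output; SQL escaping has no place there.
echo "as textarea text:   ", htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```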

I thank everyone for the help. Really the accepted solution should be the one from #Stanislav Palatnik, just that it didn't work with my .htaccess. The hosting server was nice enough to put a php.ini in my public_html allowing me to change it. So +1 to #Stanislav Palatnik because he pointed out the issue. I also found interesting information I thought I would share in case someone found himself in my situation.
info from: http://support.godaddy.com/groups/web-hosting/forum/topic/how-to-turn-off-magic_quotes_gpc/
Yes – the solution below worked for me:
(1) First of all do not try to turn off the magic quotes in your .htaccess file, it won’t work on godaddy.
(2) Second, if you’re running PHP5 on your account, rename your php.ini file to php5.ini, make sure it’s in your root folder.
(3) Third, make sure all the lines in your php5.ini file end in a semicolon (;)
(4) Fourth, add this line to your php5.ini file:
magic_quotes_gpc = Off;
On the same page someone said it shouldn't be only magic_quotes_gpc but other ones as well, like shown below:
magic_quotes_gpc = Off;
magic_quotes_runtime = Off;
magic_quotes_sybase = Off;
Hope this helped someone. Special thanks to #Stanislav Palatnik

In case this is a magic quotes problem and, as I recall, you only have access to your application.ini, you might add the following and give it a try:
phpSettings.magic_quotes_gpc = 0
phpSettings.magic_quotes_runtime = 0
This still requires your user / usergroup to be allowed to change default php settings ;)

<?php
// Undo magic_quotes_gpc once, in place, for GET/POST/COOKIE/REQUEST.
// each() is used instead of foreach because nested arrays are appended to
// $process while it is being walked; each() sees the appended entries, foreach would not.
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                // re-add the nested array under the unslashed key and queue it for processing
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
?>
add this to your php page which has insert/update query :)

Related

PHP Login - Password input - Special characters? - Centos 5 System

I have a CentOS 5 VPS and I have just installed my website there. But I have problems that when I'm inserting special characters into the password field like: ' (apostrophe) or something like that, I always get the error that this password is incorrect :/ I guess this is because of the Linux System. Am I right? Or maybe because of the sanitizing I'm doing?
I'd be glad if anyone could help me.
EDIT:
function array_sanitize(&$item) {
    $item = htmlentities(strip_tags(mysql_real_escape_string($item)));
}
If your magic quote is enabled, then you should turn it off:
Edit these in your php.ini:
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
Or you can put this in .htaccess in document root:
php_flag magic_quotes_gpc Off
If you want to know about magic quote:
http://php.net/manual/en/security.magicquotes.php
Hmm, this sounds like an input escaping issue to me, or some setting in the website.
Try to trace the path of the inputs to the actual query that executes and checks for a valid username/password. This is all I can write without actual code.
P.S. I can only post answers, that is why I am posting it like this.

PHP Parse INI File gives me error about equal sign

I'm trying to parse out an INI file that has a URL as one of the variables to parse. Problem is, the URL contains a '=' in it, and parse_ini_file spits out an error. I tried to escape the character, but to no avail. Does this happen to anybody else? And if so, has anybody fixed it?
Have you enclosed the value in quotes? It shouldn't be a problem to have = in the value as long as you have quotes around your value. Example:
key1="http://www.google.com?q=test";
Much better would be to use INI_SCANNER_RAW as the 3rd parameter of parse_ini_file:
parse_ini_file($file, true, INI_SCANNER_RAW);
I had the same problem and it drove me insane! The problem ended up being something silly ... I had created the .ini file in Windows, using a file that I renamed to .ini. Apparently there was some markup left which was seen by PHP, but not in my Notepad++.
I deleted the .ini and created one on my Linux host. This resolved the problem. If you're using WAMP or XAMPP on Windows, try to create a new file with just notepad, which disregards any markup.
I know this is an old topic, but I ended up here looking for the same problem, so it might help someone else.
Here is a quick solution to fix parse_ini_* problems with equality sign. You can use also regex, exploding arrays, etc.
function parseIniFile($file) {
    if (!is_file($file)) return null;
    $iniFileContent = file_get_contents($file);
    return parseIniString($iniFileContent);
}

/* solves the equality sign problem: split on the first '=' only, so the value
   may itself contain '=' (for example a URL with a query string) */
function parseIniString($iniFileContent = '') {
    $iniArray = array();
    $iniFileContentArray = explode("\n", $iniFileContent);
    foreach ($iniFileContentArray as $iniFileContentArrayRow) {
        $row = trim($iniFileContentArrayRow); // also drops a trailing "\r" from Windows line endings
        // skip blank lines, ';' comments and lines that have no key/value separator
        if ($row === '' || $row[0] === ';' || strpos($row, '=') === false) continue;
        $iniArrayKey = trim(substr($row, 0, strpos($row, '=')));
        $iniArrayValue = trim(substr($row, strpos($row, '=') + 1));
        $iniArray[$iniArrayKey] = $iniArrayValue;
    }
    return $iniArray;
}

allowing style attribute in fckeditor 2 with php integration

I am yet to find an actual solution to this problem.
In FCKeditor 2, when using the PHP integration method, any HTML element that is passed to the editor will have the CSS styling stripped from it.
Therefore this:
<div style="color:#000;background:blue">hello</div>
will end up as this:
<div>hello</div>
I can confirm that the editor will pass the styling correctly upon saving it, but if you load it into the editor, it is stripped out and thus on 2nd save, is removed.
The only 2 solutions, which unfortunately aren't solutions for me, are to either use Javascript Integration, which doesn't work with my coding structure, or to turn off Magic Quotes. While I would like to turn off magic quotes as it's not recommended to rely on it, I don't have the time at the moment to go through my rather large code base to ensure that doing this won't break something somewhere else.
So, I am asking how this can be resolved with FCKeditor 2 using PHP integration with magic quotes enabled? I have already removed 'style' from FCKConfig.RemoveAttributes in fckeditor.js
Please don't offer solutions like "upgrade to CKeditor", "use javascript integration" and "turn off magic quotes" as that would defeat the purpose of this post. Thank you for any help, and hopefully finding a solution will help many others with the same problem.
David
To be more direct than #Marek's answer -
Instead of turning off magic quotes, on the PHP side you can detect if magic quotes are enabled using get_magic_quotes_gpc(), and use stripslashes() to undo them if they are.
$html = $_POST['html']; // as an example
if (get_magic_quotes_gpc()) $html = stripslashes($html);
You can undo the magic quotes at runtime, see Example #2:
http://www.php.net/manual/en/security.magicquotes.disabling.php
function stripslashes_deep($value) {
    if (is_array($value)) {
        $value = array_map('stripslashes_deep', $value);
    } else {
        $value = stripslashes($value);
    }
    return $value;
}

if (get_magic_quotes_gpc()) {
    $_POST = stripslashes_deep($_POST);
    $_GET = stripslashes_deep($_GET);
    $_COOKIE = stripslashes_deep($_COOKIE);
    $_REQUEST = stripslashes_deep($_REQUEST);
}

Mysql_real_escape_string...is there an auto setting else where?

Got an odd situation here. On my local MySQL database (v5.1.41), I am required to use this escape command if I am to handle users' quotation syntax without any problems. However I cannot use this command on my web server's MySQL database (v5.0.91-community). If this command is used on the web server (Apache v2.2.13), an extra slash is added to the user's quotation syntax, thus if I remove the mysql_real_escape_string command, inputs with quotation marks will have no problems being inserted into the database.
So I was wondering, apart from php, is there a setting within apache (v2.2.13) or within mysql itself that can automatically deal with quotation syntax such as PHP's mysql_real_escape_string command?
Thank you in advance
This is probably due to Magic Quotes. Disable or remove them, they are a well-meant but also annoying feature.
It means the php setting magic_quotes_gpc is enabled on the server. It's deprecated, and there's a way to work around it - by removing the slashes at the beginning of your code:
<?php
if (get_magic_quotes_gpc()) {
    function magicQuotes_awStripslashes(&$value, $key) {
        $value = stripslashes($value);
    }
    $gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    array_walk_recursive($gpc, 'magicQuotes_awStripslashes');
}
I'd recommend you to use filter_input to get your user data as it does not care about magic_quotes, and parameterized queries to do your database job (see mysqli or PDO).

Weird text addition in PHP

I have a form posting data to a php page. Then I have the PHP page echoing the data as well as posting it to twitter. Whenever in a word with an apostrophe it adds a back-slash right before it. So I type in "I'm going to the park" it echos "I\'m going to the park". What's going on and how do I fix it? Thanx :)
This is caused by magic_quotes, a configuration option you should turn off. See here for good explanations.
you can turn it off in the php.ini or .htaccess
or just get rid in place:
if (get_magic_quotes_gpc()) foreach ($_POST as $k => $v) $_POST[$k] = stripslashes($v);
add a stripslashes() around the content before submitting it.
magic_quotes_gpc is on.. I'd turn it off in your php.ini or server settings panel (depending on your host)
edited to the, although somewhat painful, support of Col. Shrapnel..
