How to insert `>` and `(` into MySQL? - php

I do not know where the problem is, but I cannot insert > and ( into my MySQL database.
I added addslashes($str), but this can still leave the quote mark unescaped.
Are there any string functions that can solve my problem?

Don't use addslashes(), use...
mysql_real_escape_string()
Use it every time you interpolate outside strings into a query!
...or better still, use bound parameters with something like PDO.
By the way, there is no reason why > and ) wouldn't be inserted into your database that I can think of. They have no meaning inside of a string, unlike \.

Related

How to check a string is escaped twice or not

Is it possible to find out whether a string is escaped twice or not, using an SQL query (REGEXP) or using PHP?
Please help me with this. I tried hard to find it but I'm not getting anywhere.
$item = "Zak's Laptop";
$escaped_item = mysql_escape_string($item);
$escaped_item_twice = mysql_escape_string($escaped_item);
Here I need to find out that $escaped_item_twice is escaped twice, from the resulting string which is stored in the DB already. (i.e.) I already stored some strings in the DB with double escaping. I want to get those rows and use stripslashes() on that data. How can I get that data?
You cannot tell the difference. Escaping is nothing more than adding some \s (in this case). It leaves no other trail. You cannot tell whether double escaping occurred or you simply wanted to escape an escape character (\\) that was meant to be there.
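A short added example (not from the question or the answer above) that makes the point concrete, with addslashes() standing in for mysql_escape_string() since both prefix ' " and \ with a backslash:

```php
<?php
// Added example, not from the post above. addslashes() stands in for
// mysql_escape_string(): both prefix ' " and \ with a backslash.
declare(strict_types=1);

// Two different inputs, escaped a different number of times, give the same bytes.
function collidingStoredValues(): array
{
    $typedWithBackslash = "Zak\\'s Laptop";  // this user really typed Zak\'s
    $typedPlain         = "Zak's Laptop";    // this user typed Zak's
    return [
        'escaped_once'  => addslashes($typedWithBackslash),
        'escaped_twice' => addslashes(addslashes($typedPlain)),
    ];
}

// A "repair" that strips N levels of slashes from what is stored in the table.
function repairByPasses(string $stored, int $passes): string
{
    for ($i = 0; $i < $passes; $i++) {
        $stored = stripslashes($stored);
    }
    return $stored;
}

$v = collidingStoredValues();
var_dump($v['escaped_once'] === $v['escaped_twice']);   // identical bytes in the DB

// One pass restores the first user's input, two passes the second user's, and
// the stored bytes do not say which one this row needs.
foreach ([1, 2] as $passes) {
    echo $passes, ' pass(es): ', repairByPasses($v['escaped_once'], $passes), "\n";
}
```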

mysql_real_escape_string, stripslashes and htmlspecialchars

When I post a variable to the database, of course, I use mysql_real_escape_string. This way special characters go into the database as they should.
When I read this variable out of the database, I use mysql_real_escape_string again together with stripslashes:
$var = stripslashes(mysql_real_escape_string($record['rowname']));
or else it will give me slashes before quotes.
When I use this $var I mentioned above and want to echo it, I can simply echo "$var" because it has already been stripped and escaped, right?
And besides, if I use stripslashes + mysql_real_escape_string on a variable, then POST this same variable again to the database, is mysql_real_escape_string enough? Or do I need to stripslashes this variable again?
Summarized:
As I know how this works:
use mysql_real_escape EVERY time when using data with mysql: when reading query through variables just as posting variables to database.
Use stripslashes when echoing out escaped variables.
If you want to post stripslashed and escaped variables again to the database, you don't need to stripslash them again.
Do I miss htmlspecialchars?
EDIT
So this is all wrong?
while ($record = mysql_fetch_array($result))
{
    $custid      = mysql_real_escape_string($record['custid']);
    $custsurname = mysql_real_escape_string($record['custsurname']);
    $custmidname = mysql_real_escape_string($record['custmidname']);
    $custforename = mysql_real_escape_string($record['custforename']);
    $custcountry = stripslashes(mysql_real_escape_string($record['custcountry']));
}
I'm afraid you're doing it wrong. The key point is that escaping is context sensitive and you completely disregard that fact.
In every data format, there are words or characters that are assigned special meanings in the format spec. For instance, a ' symbol in SQL means "string delimiter", a ? symbol in a URL means "start query string" and a < symbol in HTML means "start tag". You need escaping when you want to insert a literal word or character, i.e., you want to insert it as-is and remove its special meaning.
Once aware of that, it's clear that the syntax varies depending on the format and context. < means "start tag" in HTML but not in SQL or URLs. Thus you need to use an escaping method that's built for the target format and follows the format rules.
If you do mysql_real_escape_string() on data read from a database you're saying "escape my data so it can be injected inside a SQL string". Your data gets ready to be used inside a SQL string but gets corrupted for any other usage.
In this example, it happens that stripslashes() undoes most of what mysql_real_escape_string() did, so you end up with an output that's basically unchanged. But that's pure chance.
Last but not least, having to escape database input parameters one by one is very annoying. All other DB extensions but the one you are using [1] offer prepared statements. Don't get stuck with a deprecated extension that doesn't offer modern stuff.
[1] Note: the legacy mysql extension has been deprecated for several years, when better alternatives became available, and it's no longer part of the language.
Update: a little clarification—escaping is just a syntax trick. You don't alter the input to the eyes of the target engine, which just sees the original data as-is. So there's no need to unescape the input when you retrieve it.
You don't need to stripslashes or mysql_real_escape_string the data coming from database, you just need to escape it before you query so the query parser knows what are special characters and what are literal characters.
stripslashes should never be used (as a hack to fix some symptoms); if you are going to need a variable after escaping it, use the original one:
$data_safe = mysql_real_escape_string($data);
// $data can still be used normally
Escaping is only for a certain context: if the context is a MySQL query then you MySQL-real-escape just for the query and nothing else. If the context is HTML output, then you HTML-escape just before outputting a string as HTML. At no point do you want to actually modify the data itself. If you misunderstand this, you will see O\'Brian and O'Brian etc.
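As an added example that is not from any of the posts above: the customer-row flow from the question done with PDO prepared statements, so the data is stored and read back verbatim and escaped only at the point of output. It uses an in-memory SQLite database (the pdo_sqlite driver is assumed available) as a stand-in for MySQL so it runs without a server; with a MySQL DSN the PDO calls are unchanged, and mysqli's prepare/bind_param/execute follow the same pattern.

```php
<?php
// Added example, not from the posts above. PDO with in-memory SQLite stands in
// for MySQL (pdo_sqlite driver assumed); a MySQL DSN needs no other change.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT NOT NULL)');
    return $db;
}

// Store the value exactly as typed: a bound parameter travels separately from
// the SQL text, so nothing is added to the data and nothing needs stripping.
function storeSurname(PDO $db, string $surname): int
{
    $stmt = $db->prepare('INSERT INTO customers (surname) VALUES (:surname)');
    $stmt->execute([':surname' => $surname]);
    return (int) $db->lastInsertId();
}

// Bind the lookup value too; quotes, backslashes, > and ( in the needle
// cannot alter the query.
function findSurname(PDO $db, string $needle): ?string
{
    $stmt = $db->prepare('SELECT surname FROM customers WHERE surname = :s');
    $stmt->execute([':s' => $needle]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['surname'];
}

// Escape for the output context only, at the moment of output (HTML here).
function renderHtmlCell(string $text): string
{
    return '<td>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Constructed sample input covering every character the questions above ask about.
$input = "O'Brian <(x > y)> \\ and \"quotes\"";
$db = openDb();
storeSurname($db, $input);
$fromDb = findSurname($db, $input);

// Round-trips unchanged: no stripslashes() on read, no re-escaping for the DB.
var_dump($fromDb === $input);
echo renderHtmlCell($fromDb), "\n";
```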

Remove escaped characters

Okay, so say I have some user input that selects something from a mysql database.
I want to be safe from mysql injection so in order to do so I'd use the mysql_real_escape_string() function. But after that, I want the quote or whatever is bad from my string out of the variable completely.
EXAMPLE:
my title variable = Herp'
escape with mysql_real_escape_string()....
then my variable = Herp\'
Now, I want the bad quote out of there. So, I want to remove the backslash & the character after the backslash, so it looks like 'Herp'.
How would I do that?
sorry if that's confusing.
If you just want to filter out quotes instead of escaping them, simply try
$myTitleVar = str_replace(array("'", '"'), '', $myTitleVar);
Before inserting it into the DB, I'd still recommend running it through mysql_real_escape_string() or even better, use PDO and parameter binding.
Use stripslashes,
but I would dig into why that is happening. Check your magic quotes settings. For safety reasons it is good to have them set to off.

KO3/Kohana3: How do we escape quotes (double and single) before saving to db with ORM using values()?

I allow users to submit a question, and they should be able to have single quotes in their title.
Currently, if a title contains a single quote, it will submit properly.
$question->values($post_data);
$question->save();
Any ideas on how I can set Kohana to escape that single quote / escape my information automatically? I would like to avoid having to addslashes() every input and removeslashes() every display...
Thank you so much, SO community!
(This question is crossposted at http://forum.kohanaframework.org/comments.php?DiscussionID=6525)
Actually, you should never use addslashes() to escape DB values at all. Especially not in Kohana, since values are "escaped" while being saved (the example you're giving is an ORM one; you can always mess up a custom DB query to get a MySQL injection / broken query).
If you don't want something to get escaped, wrap it in DB::expr() ( so it'll return an instance of Database_Expression, which doesn't get automatically escaped ).
To escape a value manually, use Database::quote() (not static, call it through your Database object, e.g. $db->quote($value) ).
But! Kohana has a problem with backticks (`). This is a system symbol.
elseif (preg_match('/\`/', $value)) // if a backtick
{
    return str_replace('\'', '', $value); // 'value' => value!!!
}
return $this->escape($value);

The counterpart of mysqli::real_escape_string?

stripslashes() ? That's lame and so 4.0. What's the 5.0 counterpart of mysqli::real_escape_string that strips all slashes added for SQL queries?
Got some other questions:
Tried to update a record and added a single quote in a text field, turns out phpMyAdmin escapes the string with single quotes instead of slashes - e.g. a single quote is escaped as '' (2 single quotes) instead of \' - what function is phpMyAdmin using or is it its own? So, mysql supports 2 approaches for escaping strings, namely slash and single quote?
Do I always have to unslash the string selected from MySQL? 'Cause you know it's slashed at insertion. But I thought I don't have to.
Any ideas, thanks!
If you don't want to go with PDO, and you are using mysqli, you should be using prepared statements, so you don't have to worry about escaping quotes with things like mysql_real_escape_string_i_mean_it_this_time.
More specifically, you can call mysqli->prepare to prepare your query. Call mysqli_stmt->bind_param to set the parameter values. And, call mysqli_stmt->execute to execute the query.
Use PDO instead of any of the mysql[i]/pgsql/... extensions.
If you're just looking to reverse the damage done by magic quotes, though, stripslashes() is exactly what you're looking for.
ini_set('magic_quotes_runtime', false);
