I'm having problems inserting commas (,) in my text fields in html. When I submit it to mysql, it deletes the data. How do I work with this?
I've tried mysql_real_escape_string() but that still doesn't work. I have lots of data, and I don't want to use str_replace either. Is there another alternative?
Escape your message before you send it to the server, so it's stored escaped, then unescape it when you print it in your HTML page.
So... msgTosend = escape(whateverText);
and then when you're printing
msgToPrint = getFromDatabase(unescape(myText))
However, as the comment points out, you're obviously doing something dreadfully wrong altogether.
If you're storing strings (as it sounds) you need to be wrapping them in quotes before you store them. Once you do that no amount of commas can ruin anything. If you're not storing strings, but some other data type, then you should be breaking those out into individual variables on the server before storing anything. The potential for malice or just plain breakage is basically 100% with what it sounds like you're doing.
Related
I'm having lots of trouble preserving the exact look of how a user types out a short paragraph.
My problem is that random slashes and html show up. When people would hit enter while typing the message, "\r\n\" would show up when it's echoed later. I tried fixing that but now when the user types an apostrophe while composing a message, it gets inserted into the database with 3 back slashes, and thus echoed later with 3 back slashes with the apostrophe. Frustrating! I want to just start over!
Here's what I do.
User types a message in an input field and hits submit.
That message gets inserted into the database with type varchar(280) via php.
That message gets echoed via php.
I've tried many different things like nl2br and strip_tags and stripslashes and mysql_real_escape_string and others. I might be using these all in a certain combination that messes it up.
So my question is what is the best way to preserve exactly how someone composes a text paragraph to be later echoed via php to look just like how they typed it?
Make sure Magic Quotes are off or, if you can't disable them, cleanse your strings from them. Read the manual for details: http://www.php.net/manual/en/security.magicquotes.php
When inserting your text into the database, escape it properly for SQL syntax once or, better, use prepared statements. See How can I prevent SQL injection in PHP? and The Great Escapism (Or: What You Need To Know To Work With Text Within Text).
When outputting to HTML, use htmlspecialchars to avoid HTML injection or plain syntax problems and afterwards use nl2br to format line breaks specifically for HTML.
That's basically it.
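As an added example (not code from the answer above or the original post): the three steps in PHP with PDO. An in-memory SQLite database stands in for MySQL so it runs as-is (only the DSN changes for MySQL); the table name `messages` and column `body` are assumptions.

```php
<?php
// Added example: prepared-statement insert, then htmlspecialchars() + nl2br() on output.
// Table `messages` (id, body) is an assumption; SQLite in memory replaces MySQL here.

// Undo magic_quotes_gpc only on a PHP build that still has it (removed in PHP 8).
function rawInput(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Step 1: insert. The text is never escaped by hand; the bound placeholder keeps it
// out of the SQL syntax, so commas, quotes and backslashes are stored exactly as typed.
function storeMessage(PDO $pdo, string $body): int {
    $stmt = $pdo->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadMessage(PDO $pdo, int $id): string {
    $stmt = $pdo->prepare('SELECT body FROM messages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Step 2: output. Escape for HTML first, then turn newlines into <br /> tags;
// in the other order htmlspecialchars() would escape the <br /> tags themselves.
function renderMessage(string $body): string {
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

$pdo = new PDO('sqlite::memory:');   // for MySQL: 'mysql:host=...;dbname=...;charset=utf8mb4'
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed input containing every character that caused trouble in the question.
$typed = rawInput("It's a \"test\", with <b>tags</b>\r\nand a backslash \\ here");
$id = storeMessage($pdo, $typed);
$stored = loadMessage($pdo, $id);
assert($stored === $typed);          // round-trips unchanged: no slashes, no entities
echo renderMessage($stored);
// It&#039;s a &quot;test&quot;, with &lt;b&gt;tags&lt;/b&gt;<br />
// and a backslash \ here
```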
On the second step you need to escape it with the mysql function.
But for outputting it correctly you need to do the following:
<pre><?= htmlentities($mysqlRow['data']); ?></pre>
This will get the needed information from the database result and output it as it is, with all spaces, tabs and HTML tags in it. (If the user enters <html>, this will output <html> as text.)
If a full name is submitted to the name column of the database and it's pulled onto a web page, it adds a + sign instead of the space.
Also, if there's a " within the message text in the message column and it's pulled onto a web page, it displays a \ before every ".
Is there any way of fixing these issues?
From the code that you added in your comments, expanding my comment into an answer. The '+' is because you are urlencoding some of your rows. urlencode is meant for data that will be part of a URL; what I think you are wanting to do is display it in HTML, in which case you would want to use htmlentities. But right after pulling from your DB, you'll want to use stripslashes before using the htmlentities.
It appears that when you get your POST data, your server is already adding slashes. Depending on your server version, you'll want to check the Magic Quotes, and if enabled, stripslashes before pushing it through the mysql_real_escape_string. However, since your DB is already set up, it might be easier to skip this paragraph completely and deal with what you already have.
Side note, using 'prepared statements' is a better practice, and eliminates the need to use mysql_real_escape_string. ^^
I am working on a PHP/MySQL script that is inserting data into a database like this...
Caesar (courtesy post)
I know this is a basic question but how can I prevent the special characters from doing that?
It seems you're not just HTML-escaping your content once, but actually doing it twice. The first thing you should do is try to find out why your content ends up that way, instead of attempting to decode it to an unescaped format. You should always escape for the format you're going to use the data in, escape with the SQL escape functions when inserting, and escape with htmlspecialchars (or a similar function) when presenting the data in HTML (and take note of the character encoding used).
If the data comes in this format from another source, use html_entity_decode to normalize the text again. That does however seem weird.
I have some pages that are stored in databases. For security purposes, all the pages are escaped before being saved into the DB, but then when I print the page, the HTML tags are still escaped. Like this:
Link
Obviously, that doesn't work very well, so how do I unescape the pages?
I've tried with html_entity_decode without any success.
While data should be escaped before inserting it into the database, it shouldn't still be escaped when you take it out. The root cause of your problem is that it is being escaped twice between collection and examining it after it comes out of the database.
You should track down why it is being escaped twice and fix that.
That may leave the existing data broken though (it depends on if the data is being escaped twice on the way in or if it is being escaped on the way out of the database with magic_quotes_runtime). If so, you will need to clean it up. That form of escaping has nothing to do with HTML and can be reversed with stripslashes.
The clean up will look something like:
SELECT * from database_table
Create a prepared UPDATE statement to update a row
foreach row stripslashes on the data that was double escaped, pass the data to the prepared statement
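The clean-up sketched above, as an added example (not the answerer's code): select every row, stripslashes() the double-escaped column, and write it back through a prepared UPDATE. It runs stand-alone against an in-memory SQLite database seeded with constructed rows; for MySQL only the DSN changes. The table and column names (`pages`, `body`) are assumptions.

```php
<?php
// Added example: one-off repair of rows that were escaped twice on the way in.
// Run it once, after confirming the slashes really are in the stored data (if they
// are only added on the way out by magic_quotes_runtime, the rows are already fine).

function repairDoubleEscapedRows(PDO $pdo, string $table, string $column): int {
    // Identifiers cannot be bound as parameters; they are developer-supplied constants
    // here, not user input, which is the only reason interpolating them is acceptable.
    $select = $pdo->query("SELECT id, $column FROM $table");
    $update = $pdo->prepare("UPDATE $table SET $column = :fixed WHERE id = :id");
    $changed = 0;
    $pdo->beginTransaction();            // all or nothing: a half-repaired table is worse
    foreach ($select as $row) {
        $fixed = stripslashes($row[$column]);
        if ($fixed !== $row[$column]) {  // only rows that actually carry extra slashes
            $update->execute([':fixed' => $fixed, ':id' => $row['id']]);
            $changed++;
        }
    }
    $pdo->commit();
    return $changed;
}

$pdo = new PDO('sqlite::memory:');   // for MySQL: 'mysql:host=...;dbname=...;charset=utf8mb4'
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)');
$seed = $pdo->prepare('INSERT INTO pages (body) VALUES (:body)');
// Constructed rows: the first two carry the extra escaping layer (\' and \\),
// the third is clean and must be left untouched.
foreach (["It\\'s broken", "path C:\\\\temp", "fine as is"] as $body) {
    $seed->execute([':body' => $body]);
}

$n = repairDoubleEscapedRows($pdo, 'pages', 'body');
echo "repaired $n rows\n";                          // repaired 2 rows
foreach ($pdo->query('SELECT body FROM pages') as $row) {
    echo $row['body'], "\n";                        // It's broken / path C:\temp / fine as is
}
```

stripslashes() also removes legitimate single backslashes, so take a backup first and never run this twice over the same rows.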
Use stripslashes(): http://uk3.php.net/manual/en/function.stripslashes.php
Use stripslashes($str) to retrieve the content and remove the slashes added when inserting content into the database.
thanks
MySQL database input strings should always be escaped using mysql_real_escape_string(), and when they come out, they should be unescaped using stripslashes().
For numbers like IDs, those should be converted to integers using int() and then range checked: for instance, AUTO_INCREMENT columns like IDs by default start with 1. So for a validation check on anything you get from $_GET[] or $_POST[], check that your int()'ed number is >= 1.
Filter all your integers through int().
Filter all your real numbers through doubleval(), unless you are working with monetary values and you have your own decimal number class: floating point can mangle money.
What's the best route for storing data in MySQL? With MySQL, should I just use TEXT as my field type?
As well, when using mysql_real_escape_string() with returned values (\r\n).
But should I be running htmlentities() on it after that?
And then when I return data to the screen, I should use NL2BR()?
Just trying to figure out the best route here for storing this information.
Thank you for your help!
TEXT or TINYTEXT or anything similar should be fine for storing ASCII data from the user. If you don't need a lot of space you may think about VARCHAR.
I think that mysql_real_escape_string() escapes characters that may compromise the security of an SQL query (single quote, double quote, etc.) but doesn't do much more than that.
htmlentities() converts reserved HTML characters like < and > into their HTML-encoded equivalents, &lt; and &gt; respectively. These characters are not dangerous for SQL queries, so you probably do not need to escape them unless you want to display the HTML tag entered by the user as text, and not let it be interpreted as HTML.
NL2BR() is probably not necessary either.
Most importantly, your decision on when to use each of these functions will depend on your end application. You may need / want some but not others (though you should definitely use mysql_real_escape_string()).
Really depends on what you are trying to store. For things such as usernames, passwords, etc., you can use VARCHAR. But if you're storing long text such as news posts or HTML data, then you can use TEXT or LONGTEXT (depending on how long it is).
You should ALWAYS use mysql_real_escape_string() when inserting into the DB. If you're outputting HTML from the DB, you may want to run htmlentities or htmlspecialchars to ensure that you aren't outputting user-injected JavaScript that could redirect your users to hacker websites and such.
One other idea is that you could escape your data using htmlentities before inserting into the DB, but it's your choice.
NL2BR is great for forcing all \r\n to tags instead.
So, it seems like you're on the right track...