i am using a funstion to insert data into the database
so here is where it inserts
i am inserting this
<div class="widget" id="recentcomments"><h2>Blog</h2></div>
update_option("head-text", mysql_real_escape_string($head_text));
so it inserts into the database and when i save and pull it back out like below.
<input type="text" name="head-text" id="head-text" class="regular-text" value="<?php echo htmlentities($head_text, ENT_QUOTES); ?>"/>
i get the following.
<div class=\\\"widget\\\" id=\\\"recentcomments\\\"><h2>Blog</h2></div>
loads off \\\\
sorry for the vag question before.
According to the manual mysql_real_escape_string
If magic_quotes_gpc is enabled, first
apply stripslashes() to the data.
Using this function on data which has
already been escaped will escape the
data twice.
You can go for a function like this (in case you don't want to use prepared statements)
function safe($input)
{
if (get_magic_quotes_gpc())
{
$input = stripslashes($input);
$escaped = mysql_real_escape_string($input);
}
else
{
$escaped = mysql_real_escape_string($input);
}
return $escaped;
}
There's no need to call stripslashes() on output if SQL escaping is done properly
You have your data escaped twice before it gets inserted into database.
You have to find what causing this, and turn off excessive escaping.
It could be magic_quotes_gpc setting.
In this case you have to turn off this setting in the PHP configuration.
And add a code that checks get_magic_quotes_gpc() result and strips slashes from all superglobal arrays.
if magic quote are certainly turned on,
It could be also just mysql_real_escape_string/addslashes being called twice in your code. You have to search your code for this and get rid of one which is called earlier than anaother
Thanks for the replies got it working with the following.
<?php echo htmlentities(stripslashes($head_text)); ?>
needed them both
Related
The code below takes a string protects its using mysqli_real_escape_string.
but not geting expected output working fine without the mysqli_real_escape_string but need that for protection.
$str = mysqli_real_escape_string($con,$_POST['str']);
/*
get each word in the sentence using for-loop then
*/
switch($eachword){
case ':)': $eachword = '<img src="smile.gif">';
break;
/*
and so forth and so on
*/
}
$newstr .= $eachword;
//for-loop ends
**mysqli_query($con,"insert into tbl(comment)VALUES($newstr)");**
e.g
input : $str = "here i am :) fine";
expected output : $newstr="here i am <img src="smile.gif"> fine";
curernt output : $newstr="here i am :) fine";
UPDATE
NOW everything works fine. Thanks to supporters.
You are running mysqli_real_escape_string over some data immediately before … not using at all in your code sample. So it doesn't make any sense.
Use mysqli_real_escape_string immediately before inserting the variable into a string of SQL and nowhere else. (Better yet, use prepared queries and bound arguments).
If you are trying to defend against XSS, then use htmlspecialchars immediately before inserting a variable into a string of HTML.
Don't use either before comparing user input to some text.
UPDATED
Note that you must be already connected to a database, for mysqli_real_escape_string to work, because it takes into consideration, the default character set of your selected database. Are you connecting to a database before using it?
And in your question, I don't even see a query. There will be no advantage in using mysqli_real_escape_string unless you're going to insert the passed string into a database.
Now I see that you're replacing smileys with tag, then you're inserting it into a database. However, if I were you, I would do the following :
function ParseSmiley($str)
{
$smileys = array(
':)' => "<img src='smile.gif' />" //Put all your smileys in this array
);
$parsed_string = strtr($str, $smileys);
return $parsed_string;
}
When you're inserting your content into database, do not convert it into tags. Instead, when you display it, use the function ParseSmiley()
$parsed_string = mysqli_real_escape_string($con,$_POST['str']);
mysqli_query($con,"INSERT INTO tbl (comment) VALUES ($parsed_string)");
Then when you want to display the content, let's say the string is in $content, display it like this :
echo ParseSmiley($content);
I have a database set up to store user input and it then displays what they put on the page.
$input = mysql_real_escape_string(stripslashes(addslashes($_POST["input"])));
//Later on
echo '<div>'.$input.'</div>';
I went to the textarea and typed in some basic php code "<?php echo 'blahblah'; ?>," and it submitted to the database normally, but the homepage doesn't display any of it. No 'blahblah,' no tags. I want it to display the entire "<?php echo 'blahblah'; ?>" so people can post whatever they want.
Escaping needs to be appropriate for its context.
When inserting into the database, use mysql_real_escape_string (or migrate to the newer mysqli_real_escape_string, or to PDO) or read up on parameterized queries (AKA prepared statements).
When displaying in HTML, use htmlspecialchars or htmlentities.
Never use both in one go, because you will get in a mess, and never use stripslashes(addslashes(...)), because that makes no sense.
You should try the following:
echo '<div>'.htmlentities($input).'</div>';
It converts special characters like < and > to html entities so they are displayed correctly in the browser.
I am learning PDO after the many people telling me to do so. However in updating one of my scripts, PDO is causing me a problem that I'm not sure how to fix.
My problem is a user will input the title to the website. Say its "Smith's Inventory".
Since the whole PDO switch, it is saved in the db as "Smith\'s Inventory". Which is output in various places on my website. Such as the header, the html title, and the settings text box. If you click save again with \', then you get \\', and so on.
I realize why this is done, but how can it be fixed?
Here is the instert code:
foreach ($_POST as $key => $value)
{
$sql = $dbh->prepare("UPDATE settings set value=? where variable=?");
$sql->bindParam(1, $value);
$sql->bindParam(2, $key);
$sql->execute();
}
echo '<h2><font color=green>Saved</font></h2>';
Looks like you are double escaping the data.
The most likely reasons for this are:
Your PHP install has magic quotes enabled — best to turn them off
You are using something like mysql_real_escape_string and prepared statements with placeholders — use only the latter
I've had this problem before, it was due to PHP magic quotes. PHP automatically inserts a slash to escape 'risky' characters in order to prevent sql injection.
You need to either disabled magic quotes on your php install or use the stripstashes function just before you output it.
http://php.net/manual/en/security.magicquotes.disabling.php
http://php.net/manual/en/function.stripslashes.php
You can read about magic quotes here:
http://www.tizag.com/phpT/php-magic-quotes.php
You can use stripslashes on the PHP side.
<?php
$str = "Is your name O\'reilly?";
// Outputs: Is your name O'reilly?
echo stripslashes($str);
?>
I'm trying to store a line of xml in mysql and after I save it, it gets formatted with some extra characters.
href=\"\" index=\"My Website\" admin=\"Civillage\" default=\"Borak Obama, Mitt Romney\" country=\"USA\" age=\"\" gender=\'\' usertopicsallowed=\'no\' layout=\'line\'
How can I get rid of the backslashes?
just do not add them before saving your text in the database.
check for the magic_quotes setting ant be sure it is turned OFF
check your code for the excessive escaping.
only string data have to be escaped for the query and it has to be done only once.
prepared statements shouldn't be escaped at all
Use stripslashes():
$str = "Is your name O\'reilly?";
echo stripslashes($str); // Outputs: Is your name O'reilly?
Use mysql_real_escape_string($s); on any code input you wish to store in your database, this will escape the characters successfully and not leave you with any superfluous slashes.
For this method to work, a mySQL connection must already be established.
Hope this helps.
I was wondering, whats the best practice on the example below.
<?php
if(isset($_POST['query'])){
$out = $_POST['query'];
}
?>
<div><?php echo $out; ?></div>
<input type="text" value="<?php echo $out; ?>" />
Using the above code would this pose a threat to website. Or would I need to prepare the output before using it as above. By prepare I mean encode it or escape special characters.
I am aware you need to escape it and validate inputs for db use, how about for outputting it?
Yes, since you’re putting it out into HTML you should use encode HTML’s special characters appropriately with htmlspecialchars:
if (isset($_POST['query'])) {
$out = htmlspecialchars($_POST['query']);
}
Besides that, $out is only defined when $_POST['query'] exists; you should think about having a default value if $_POST['query'] does not exist. Because otherwise, when register globals are enabled (that alone is a bad idea) you could set that variable via the URL query string with ?out=….
Yes, you should be using the php function htmlspecialchars
http://php.net/manual/en/function.htmlspecialchars.php
also, see this (accepted answer)
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
dont know about best practise and that depend on the coder i like turnary
echo (isset($_POST['query']))? htmlspecialchars($_POST['query']):"";