Why does php insert backslash while replacing double quotes - php

I'm wondering why PHP adds a backslash when I remove double quotes.
<input type="text" name="number" id="number" />
<input type="button" name="button" id="button" value="Button" />
Say the user enters the value 5-1/2" and I'm passing it to a processing page via jQuery's .get method.
$('#button').click(function () {
    // encodeURIComponent keeps characters such as & or # in the value from breaking the query string
    $.get('determine.php?number=' + encodeURIComponent($('#number').val()), function (data) {
        $('#response').html(data);
    });
});
Here is my processing page.
determine.php
<?php
// strip both kinds of quote character from the submitted value
$number = $_GET['number'];
$number = str_replace(array('"', "'"), '', $number);
echo $number;
// echoes 5-1/2\
Why is the backslash there?

It doesn't add them when you remove the slash; it automatically escapes them in the query string parameters when the magic_quotes_gpc directive is enabled (and it is, by default, pre 5.3.0). It did this as a security precaution, so that the data could be safely used in a database query. You can disable them by changing the setting in your php.ini file; see http://www.php.net/manual/en/security.magicquotes.disabling.php.
You can also use stripslashes to remove them:
$number = str_replace(array('"', "'"), '', stripslashes($number));
An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form.
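As an added example (not code from the question or the answers), this is the usual way to neutralise magic_quotes_gpc once at the top of a request, so the script sees the raw input and escapes it itself for whatever it is written to; it also reproduces the 5-1/2" case from the question. The value passed to strip_quotes() is constructed to look like what magic quotes deliver.

```php
<?php
// Added example, not from the question or answers: undo magic_quotes_gpc once
// at request start, so the script sees the raw input and escapes it itself
// for whichever sink it ends up in (SQL, HTML, URL). Assumes PHP 5.x-8.x.

// Recursively strip the backslashes magic quotes added to a request array.
function strip_magic_quotes_deep($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// True only when this request was mangled. get_magic_quotes_gpc() is gone in
// PHP 8, hence the guard; later PHP versions never add the slashes.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Normalise $_GET, $_POST and $_COOKIE exactly once and rebuild $_REQUEST.
function undo_magic_quotes()
{
    if (!magic_quotes_active()) {
        return false;
    }
    $_GET     = strip_magic_quotes_deep($_GET);
    $_POST    = strip_magic_quotes_deep($_POST);
    $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = array_merge($_GET, $_POST, $_COOKIE);
    return true;
}

// What the question observed: magic quotes deliver 5-1/2" as 5-1/2\" and
// removing only the quote character leaves the backslash behind.
function strip_quotes($magic_quoted)
{
    $wrong = str_replace(array('"', "'"), '', $magic_quoted);               // 5-1/2\
    $right = str_replace(array('"', "'"), '', stripslashes($magic_quoted)); // 5-1/2
    return array($wrong, $right);
}

undo_magic_quotes();
list($wrong, $right) = strip_quotes('5-1/2\\"');   // constructed request value
echo "quotes removed only:   $wrong\n";
echo "stripslashes first:    $right\n";
```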

User input gets escaped by magic quotes.
http://www.php.net/manual/en/function.get-magic-quotes-gpc.php

You possibly have bad magic quotes turned on. If that's the case, you should simply disable them from php.ini.

See http://php.net/manual/en/security.magicquotes.php
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically.
In short, magic quotes is a feature in PHP where quote characters are automatically escaped with the \ character.
Here are some solutions for turning off magic quotes: http://www.php.net/manual/en/security.magicquotes.disabling.php

Related

Dealing with single quotes in an array [duplicate]

How can I make it possible for users to use the '"' (double quote) inside a textfield...
Whenever I do use double-quote in the field (the value) then when receiving the variable in my PHP file with:
$text=mysql_real_escape_string($_POST['subject']);
and then echo it, I get a string which is escaped properly, but the string stops exactly before the double-quote!
I don't want it to stop because of the double quote though!
JavaScript is used to validate the text field so it's not empty; maybe I should do something more with JavaScript when validating, and alter the value, so PHP can get the correct value including the double quotes?
Thanks
UPDATE
CODE:
$headline= mysql_real_escape_string($_POST['headline']);
echo htmlentities($headline);
I have tried merging the two above, will only give the same results.
NOTE: I have ALSO TRIED adding ENT_QUOTES into the htmlentities function...
Unformatted string as entered:
+ , . ; : - _ space & % ! ? = # * ½ # / \ [ ]< > " ' hej hej
will output this when echoing it:
+ , . ; : - _ space & % ! ? = # * ½ # / \\ [ ]< >
You have to use htmlspecialchars($str, ENT_QUOTES) or htmlentities($str, ENT_QUOTES) to convert the quotes to the HTML entity &quot;. Those functions also take care of other characters that should be encoded.
mysql_real_escape_string() is only meant for escaping single quotes in database queries, so that you can correctly enter strings with single quotes into your database (and avoid SQL injections).
EDIT: Added parameters. Thanks to micahwittman
The reason it isn't working when you're outputting it into the input is because the value is being truncated at the quote. You'll need to use htmlspecialchars() on the output.
You're mixing up two things: mysql_real_escape_string is used to prepare strings for storing in a mysql database. htmlentities is used to prepare strings for echoing in the browser. Both are important to do, but calling one after the other on the same string can't be expected to work. Do something like the following:
<?php
// Copy string after escaping for MySQL into $db_headline
$db_headline = mysql_real_escape_string($_POST['headline']);
// Copy string after escaping for page display into $html_headline
// (ENT_QUOTES encodes both ' and ", so the value is safe inside either attribute quote style)
$html_headline = htmlentities($_POST['headline'], ENT_QUOTES);
// Store the headline in the database
...
?>
<input type="text" name="headline" value="<?php echo $html_headline ?>" />
...
It's not the job of the JS to modify the input string; the server should make sure it can accept what it's getting regardless.
You could escape out the double quotes with another value, either an ASCII symbol or HTML &quot; etc., before you pass it into your mysql escape function?

How to save HTML in database

I have some question about saving html code in mysql database
Every time I put the character " ' " in the database it changes to " / ".
Example:
Something like that:
<p>That's my name</p>
After saving it look like this:
<p>That\'s my name</p>
What can I do?
Thank you all.
Use parameterized queries to escape data going into the database
Use nothing else to escape data going into the database (otherwise you will double escape, which can cause this problem)
Do not use mysql_real_escape_string
Do not use addslashes
etc.
Do not escape data coming out of the database (since that will cause this problem)
Make sure magic quotes are disabled (since having them turned on will escape data going into and out of the database and cause this problem).
You are using addslashes-like escape functions in your code.
addslashes() — Quote string with slashes - http://php.net/manual/en/function.addslashes.php
stripslashes() — Un-quotes a quoted string - http://php.net/manual/en/function.stripslashes.php
Use stripslashes to remove '\' from HTML data. Actually, (') is used to define strings in MySQL, so it escapes it (by putting \ in front) in order to avoid any unintentional use.

mysql_real_escape_string and jquery

Let's say I have a column product name and it has the value Shoe's.
When I pick that value from the DB, use mysql_real_escape_string and place it in an HTML hidden input, it becomes <input type='hidden' value='Shoe\'s' id='product_name'>
When I do $('#product_name').val() it returns only Shoe\, truncating the s or the rest of the value after that. jQuery is treating the escaped single quote as the closing quote for the attribute value.
One solution is to use value="" (enclosed in double quotes), but what if the value contains a double quote? So the problem persists.
Any help is appreciated.
Thanks!
You must not use mysql_real_escape_string for HTML output. Use the appropriate htmlspecialchars instead.
In HTML, a backslash before a quote does not mean that the quote is escaped. An escaped ' in HTML is &#39;. That's why you use the appropriate escaping method for your output target. mysql_real_escape_string is appropriate when escaping for SQL, htmlspecialchars is appropriate when escaping for HTML.

Apostrophe issue

I have built a search engine using php and mysql.
Problem:
When I submit a word with an apostrophe in it and return the value to the text field using $_GET the apostrophe has been replaced with a backslash and all characters after the apostrophe are missing.
Example:
Submitted Words: Just can't get enough
Returned Value (Using $_GET): Just can\
Also the URL comes up like this: search=just+can%27t+get+enough
As you can see the ' has been replaced with a \ and get enough is missing.
Question:
Does anybody know what causes this to happen and what is the solution to fix this problem?
The code:
http://tinypaste.com/11d62
If you're running PHP version less than 5.3.0, the slash might be added by the Magic Quotes which you can turn off in the .ini file.
From your description of "value to the text field" I speculate you have some output code like this:
Redisplay
<input value='<?=$_GET['search']?>'>
In that case the contained single quote will terminate the html attribute. And anything behind the single quote is simply garbage to the browser. In this case applying htmlspecialchars to the output helps.
(The backslash is likely due to magic_quotes or mysql_*_escape before outputting the text. I doubt the question describes a database error here.)
Update: It seems it's indeed an output problem here:
echo "<a href='searchmusic.php?search=$search&s=$next'>Next</a>";
Regardless of whether you use single or double quotes you would need:
echo "<a href='searchmusic.php?search="
. htmlspecialchars(stripslashes($search))
. "&s=$next'>Next</a>";
(Notice that using stripslashes is a workaround here. You should preserve the original search text, or disable the magic_quotes rather.)
Okay I forgot something crucial. htmlspecialchars needs the ENT_QUOTES parameter - always, and in your case particularly:
// prepare for later output:
$search = $_GET['search'];
$html_search = htmlspecialchars(stripslashes($search), ENT_QUOTES);
And then use that wherever you wanted to display $search before:
echo "<a href='searchmusic.php?search=$html_search&s=$next'>Next</a>";
Single quotes are important in PHP and MySQL.
A single quote is a delimiter for a string in PHP, for example:
$str = 'my string';
If you want to include a literal quote inside a string you must tell PHP that the quote is not the end of the string. It is escaped with the backslash, for example:
$str = 'my string with a quote \' inside it';
See PHP Strings for more on this.
MySQL operates in a similar way. An example query might be:
$username = 'andyb';
$query = "SELECT * FROM users WHERE user_name = '$username'";
The single quote delimits the string parameter. If the $username included a single quote, this would cause the query to end prematurely. Correctly escaping parameters is an important concept to be familiar with as it is one attack vector for breaking into a database - see SQL Injection for more information.
One way to handle this escaping is with mysql_real_escape_string().
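As an added example that is not code from any of the threads above, this ties together the advice given in them (the parameterized-query answer, the Shoe's hidden-input case, and the search link in the apostrophe thread): each value is escaped exactly once, for the sink it is written to. It assumes the sqlite PDO driver is available; the products table and the sample values are constructed for the demonstration.

```php
<?php
// Added example (not code from the threads above): escape each value once, for
// the sink it is written to. Assumes the sqlite PDO driver is available; the
// table and the product name "Shoe's" are constructed for the demonstration.

// SQL sink: a prepared statement sends the value separately from the query
// text, so no quoting is needed and no backslash is ever stored.
function store_and_fetch_product(PDO $pdo, $name)
{
    $pdo->exec('CREATE TABLE IF NOT EXISTS products (name TEXT)');
    $insert = $pdo->prepare('INSERT INTO products (name) VALUES (:name)');
    $insert->execute(array(':name' => $name));
    $select = $pdo->prepare('SELECT name FROM products WHERE name = :name');
    $select->execute(array(':name' => $name));
    return $select->fetchColumn();   // comes back exactly as entered
}

// HTML attribute sink: ENT_QUOTES encodes both ' and ", so the browser never
// sees a premature closing quote, whichever quote style wraps the attribute.
function html_attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// URL sink: percent-encode the query value first, then HTML-encode the whole
// href, because the URL itself sits inside an HTML attribute.
function search_link($search, $page)
{
    $url = 'searchmusic.php?search=' . rawurlencode($search) . '&s=' . (int) $page;
    return "<a href='" . html_attr($url) . "'>Next</a>";
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$name = store_and_fetch_product($pdo, "Shoe's");           // Shoe's
echo "<input type='hidden' id='product_name' value='" . html_attr($name) . "'>\n";
// value='Shoe&#039;s'  -> $('#product_name').val() yields Shoe's

echo search_link("Just can't get enough", 2), "\n";
// <a href='searchmusic.php?search=Just%20can%27t%20get%20enough&amp;s=2'>Next</a>
```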

