Got an odd situation here. On my local mysql database (v5.1.41), I am required to use this escape command if I am to handle users' quotation syntaxs without any problems. However I cannot use this command on my web server's mysql database (v5.0.91-community). If this command is used on the web server (apache v2.2.13), an extra slash syntax is added to the user's quotation syntax, thus if I remove the mysql_real_escape_string command, inputs with quotation marks will have no problems being inserted into the database.
So I was wondering, apart from php, is there a setting within apache (v2.2.13) or within mysql itself that can automatically deal with quotation syntax such as PHP's mysql_real_escape_string command?
Thank you in advance
This is probably due to Magic Quotes. Disable or remove them, they are a well-meant but also annoying feature.
It means the php setting magic_quotes_gpc is enabled on the server. It's deprecated, and there's a way to work around it - by removing the slashes at the beginning of your code:
<?php
if (get_magic_quotes_gpc()) {
function magicQuotes_awStripslashes(&$value, $key) {$value = stripslashes($value);}
$gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
array_walk_recursive($gpc, 'magicQuotes_awStripslashes');
}
I'd recommand you to use filter_input to get your user data as it does not care about magic_quotes, and parameterized queries to do your database job (see mysqli or PDO).
Related
I am learning PDO after the many people telling me to do so. However in updating one of my scripts, PDO is causing me a problem that I'm not sure how to fix.
My problem is a user will input the title to the website. Say its "Smith's Inventory".
Since the whole PDO switch, it is saved in the db as "Smith\'s Inventory". Which is output in various places on my website. Such as the header, the html title, and the settings text box. If you click save again with \', then you get \\', and so on.
I realize why this is done, but how can it be fixed?
Here is the instert code:
foreach ($_POST as $key => $value)
{
$sql = $dbh->prepare("UPDATE settings set value=? where variable=?");
$sql->bindParam(1, $value);
$sql->bindParam(2, $key);
$sql->execute();
}
echo '<h2><font color=green>Saved</font></h2>';
Looks like you are double escaping the data.
The most likely reasons for this are:
Your PHP install has magic quotes enabled — best to turn them off
You are using something like mysql_real_escape_string and prepared statements with placeholders — use only the latter
I've had this problem before, it was due to PHP magic quotes. PHP automatically inserts a slash to escape 'risky' characters in order to prevent sql injection.
You need to either disabled magic quotes on your php install or use the stripstashes function just before you output it.
http://php.net/manual/en/security.magicquotes.disabling.php
http://php.net/manual/en/function.stripslashes.php
You can read about magic quotes here:
http://www.tizag.com/phpT/php-magic-quotes.php
You can use stripslashes on the PHP side.
<?php
$str = "Is your name O\'reilly?";
// Outputs: Is your name O'reilly?
echo stripslashes($str);
?>
i know this sounds really common and so trivial but , am having a challenge here. I have a web site with Zend/Doctrine and i use ckeditor for the backend management. after uploading the site i've realized that during edit testing the look and feel of the site is messed up.
with the help of firebug, i've seen that there are slashes all over the html. after inline edition, the look and feel came back to normal. There are so many files , i can't think of doing other decoding before outputting data from mysql.
What options do i have to solve this problem. the site is up already and i feel a bit unconfortable about this. Can anyone give a hint? thanks
It might be magic_quotes_gpc. Can you verify that it's turned off?
Here is a way to turn it off:
http://php.net/manual/en/security.magicquotes.disabling.php
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.
Also, are you using prepared statements? PHP PDO/MySQLI will escape automatically for you. Depends on the type of queries you're using.
It seems like you're data is getting double escaped before being inserted into your database. Are you using mysql_real_escape_string or addslashes before inserting data into the database? If so, maybe you want to use stripslashes before you insert your data like so:
mysql_real_escape_string(stripslashes($data));
Or else you could theoretically call stripslashes after you take the data out of the database:
stripslashes($data);
The second approach is less desirable, though. It would be better to have the data properly stored in the database.
I thank every one for the help. Really the accepted solution should be the one from #Stanislav Palatnik . just that it didn't work with my .htaccess. the hosting server was nice enough to put a php.ini in my public_html allowing me to change it. So +1 to #Stanislav Palatnik because he pointed out the issue. i also found interesting information i thought i would share in case someone found himself in my situation.
info from: http://support.godaddy.com/groups/web-hosting/forum/topic/how-to-turn-off-magic_quotes_gpc/
Yes – the solution below worked for me:
(1) First of all do not try to turn off the magic quotes in your .htaccess file, it won’t work on godaddy.
(2) Second, if you’re running PHP5 on your account, rename your php.ini file to php5.ini, make sure it’s in your root folder.
(3) Third, make sure all the lines in your php5.ini file end in a semi colon ;
(4) Fourth, add this line to your php5.ini file:
magic_quotes_gpc = Off;
on the same page someone said it shouldn't be only magic_quotes_gpc only but other ones aswell like shown below:
magic_quotes_gpc = Off;
magic_quotes_runtime = Off;
magic_quotes_sybase = Off;
Hope this helped someone. Special thanks to #Stanislav Palatnik
In case this is a magic quotes problem and as i recall you only having access to your application.ini, you might add the following and give it a try
phpSettings.magic_quotes_gpc = 0
phpSettings.magic_quotes_runtime = 0
This still requires your user / usergroup to be allowed to change default php settings ;)
<?php
if (get_magic_quotes_gpc()) {
$process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
while (list($key, $val) = each($process)) {
foreach ($val as $k => $v) {
unset($process[$key][$k]);
if (is_array($v)) {
$process[$key][stripslashes($k)] = $v;
$process[] = &$process[$key][stripslashes($k)];
} else {
$process[$key][stripslashes($k)] = stripslashes($v);
}
}
}
unset($process);}
?>
add this to your php page which has insert/update query :)
I'm using PHP and MySQL to power a basic forum. When users use the apostrophe (') or insert links into their post, the mysql_real_escape_string function is adding \ to the text. When displaying the post, the links don't work, and all the apostrophe's have a \ before it.
Is the problem that I am not doing something before outputting the text or is the issue that I'm not cleaning the data properly before writing to MySQL?
Are magicquotes turned on? You can check quickly by creating a PHP page like so:
<?php var_dump(get_magic_quotes_gpc()) ?>
If the page says something like int(1), then the culprit isn't mysql_real_escape_string, but PHP itself. It was a security feature, but not very secure, and mostly just annoying. Before you sanitize each variable, you first need to undo the slashing with stripslashes.
You can also turn off magic quotes by using this:
if ( version_compare(PHP_VERSION, '5.3.0', '<') ) {
set_magic_quotes_runtime(0);
}
It will turn magic quotes off when your server is running any version of php less than 5.3.0.
I send this string in a GET request
{"foo":[{"bo1":"*","bob":"*"}]}
but get it in PHP as
{\"foo\":[{\"bo1\":\"*\",\"bob\":"\*\"}]}
How do I get it as {"foo":[{"bo1":"*","bob":"*"}]} sending it as part of a query string (or how do I send it via GET method to get it properly)? (Note: I cannot clean it as I have no control over server side.)
Disable magic_quotes: it's deprecated. If you can't, you can always use stripslashes on the input:
$goodStr = stripslashes($_GET['badStr']);
Your php config have enabled magic_quotes_gpc, which causes automatic escaping of quotes and double quotes in all _GET, _POST, and _COOKIE superglobals.
If you do not need it, turn it off. If you do, then you should probably rewrite the code which relies on this behaviour, as it is depreciated, and will be removed in future verions of php.
You should turn it of in php.ini if possible.
Anyway, if you, for some reasons, cannot turn off this just use stripslashes($your_json);
If the server runs on Apache, create a file called .htaccess in the site root (the leading period is part of the filename). Put the following code in the file:
php_flag magic_quotes_gpc Off
Otherwise, you'll need to use stripslashes() every time.
Today I run into some oddity with PHP, which I fail find a proper explanation for in the documentation. Consider the following code:
<?php
echo $_GET['t']. PHP_EOL;
?>
The code is simple - it takes a single t parameter on the url and outputs it back. So if you call it with test.php?t=%5Ca (%5c is a '\'), I expected to see:
\a
However, this is what I got:
$ curl http://localhost/~boaz/test.php?t=%5Ca
\\a
Notice the double slash. Can anyone explains what's going on and give recipe for retrieving the strings as it was supplied on the URL?
Thanks,
Boaz
PS. I'm using PHP 5.2.11
This happens, because you have the "magic quotes" switch in php.ini switched on. From the manual:
When on, all ' (single-quote), "
(double quote), \ (backslash) and NULL
characters are escaped with a
backslash automatically. This is
identical to what addslashes() does.
Read more about it here: http://php.net/manual/en/security.magicquotes.php
To make your script aware of any value of the "magic_quotes_gpc" setting in php.ini, you can write your script like this:
$d = $_GET["d"];
if (get_magic_quotes_gpc()) $d = stripslashes($d);
echo $d; //but now you are kind of vulnerable to SQL injections
//if you don't properly escape this value in SQL queries.
You can easily fix this using the strip_slashes() function. You should avoid magic quotes; they've been deprecated for security reasons.
open .htaccess file and put something like this
php_flag magic_quotes_gpc off
php_flag magic_quotes_runtime off