stripslashes() ? That's lame and so 4.0. What's the 5.0 counterpart of mysqli::real_escape_string that strips all slashes added for SQL queries?
Got some other questions:
Tried to update a record and added a single quote in a text field, turns out phpMyAdmin escapes the string with single quotes instead of slashes - e.g. a single quote is escaped as '' (2 single quotes) instead of \' - what function is phpMyAdmin using or is it its own? So, mysql supports 2 approaches for escaping strings, namely slash and single quote?
Do I always have to unslash the string selected from mysql? 'Cause you know it's slashed at insertion. But I thought I don't have to.
Any ideas, thanks!
If you don't want to go with PDO, and you are using mysqli, you should be using prepared statements, so you don't have to worry about escaping quotes with things like mysql_real_escape_string_i_mean_it_this_time.
More specifically, you can call mysqli->prepare to prepare your query. Call mysqli_stmt->bind_param to set the parameter values. And, call mysqli_stmt->execute to execute the query.
Use PDO instead of any of the mysql[i]/pgsql/... extensions.
If you're just looking to reverse the damage done by magic quotes, though, stripslashes() is exactly what you're looking for.
ini_set('magic_quotes_runtime', false);
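The prepare / bind_param / execute sequence the answer above describes, written out as an added example (not code from either answer). It assumes a local MySQL server, placeholder credentials, and a table `notes(id INT AUTO_INCREMENT PRIMARY KEY, title TEXT)`; the point it shows is that a value containing quotes and backslashes comes back byte-for-byte identical, so there is nothing to stripslashes() on read.

```php
<?php
// Added example: round-trip a value with quotes and backslashes through mysqli
// prepared statements. Connection details and the 'notes' table are assumptions.
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($conn->connect_error) {
    die('connect failed: ' . $conn->connect_error);
}
// The connection charset still matters: the driver needs it to talk to the server correctly.
$conn->set_charset('utf8mb4');

// Single-quoted PHP literal: PHP does not interpret \" or \' here,
// so $title is exactly these bytes: O'Reilly says "hi" and a backslash: \
$title = 'O\'Reilly says "hi" and a backslash: \\';

// 1. prepare: the SQL text contains only a placeholder, never user data.
$stmt = $conn->prepare('INSERT INTO notes (title) VALUES (?)');
// 2. bind_param: 's' = string; the value travels separately from the SQL text,
//    so no escaping is applied to it and none ends up in the table.
$stmt->bind_param('s', $title);
// 3. execute
$stmt->execute();
$id = $conn->insert_id;
$stmt->close();

// Read it back the same way.
$stmt = $conn->prepare('SELECT title FROM notes WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($stored);
$stmt->fetch();
$stmt->close();

// With magic quotes off, $stored and $title are identical: nothing was added,
// so there is nothing to strip when rendering.
if ($stored !== $title) {
    echo "stored value differs from input; check magic_quotes_gpc and any extra sanitizing\n";
}
```

If the comparison at the end fails, the difference was introduced before the query ran (magic quotes or a home-grown sanitizer), which is the case the second answer's `ini_set('magic_quotes_runtime', false)` and stripslashes() are aimed at.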
I'm running this exact query from PHP:
UPDATE commentedText SET title='ยง2.', content='<div class=\"pageParagraph\"><p>Test</p>\n</div>', last_changed='1430422172', image_banner_url='', active='', comments='[{"from":"0","to":"0","id":"1","CommentedText":"","comment":"New test with \"test\" :d"}]' WHERE id='5541d52beb2ea' AND appId='MyAppID' LIMIT 1
However when I read the row that was updated (either via PHP or MySQL Workbench), the slashes are gone. See for example
<div class=\"pageParagraph\"[..]
which is saved to the table as
<div class="pageParagraph"[..]
How come the slashes disappear?
They are disappearing before they even get to MySQL -- PHP is seeing the backslash as an escape for the double quote.
"\""
creates a string "
To keep the backslash use
"\\\""
The first escapes the second, and the third escapes the quote.
Mysql also uses backslash escapes for strings. So to use it in a query, you need to have it escaped yet again.
"\\\\\""
PHP's string will be \\"
Which in MySQL will create a string \"
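The three layers a backslash passes through, as an added example (not the answer's code). It assumes a local MySQL server, placeholder credentials and a table `docs(id INT PRIMARY KEY, content TEXT)`, and it shows why the question's slashes vanished: they were consumed by the PHP double-quoted literal, before mysqli ever saw them.

```php
<?php
// Added example: PHP literal -> SQL literal -> stored bytes.
// Connection details and the 'docs' table are assumptions.

// Layer 1: the PHP literal.
// Single quotes keep \" as two characters; double quotes turn \" into one character.
$raw_single = '<div class="pageParagraph">';   // contains plain " characters
$raw_double = "<div class=\"pageParagraph\">"; // identical bytes: PHP already removed each \
$kept       = '\"';                            // two characters: \ and "
$also_kept  = "\\\"";                          // the same two characters, spelled for double quotes
var_dump($raw_single === $raw_double);         // the literals are the same string
var_dump(strlen($kept) === 2 && $kept === $also_kept);

// Layer 2: the SQL literal. Escape exactly once, at the moment the query text is built,
// with the connection-aware escaper (it knows the server's charset and NO_BACKSLASH_ESCAPES).
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($conn->connect_error) {
    die('connect failed: ' . $conn->connect_error);
}
$conn->set_charset('utf8mb4');
$sql_literal = $conn->real_escape_string($raw_single); // <div class=\"pageParagraph\">
$query = "UPDATE docs SET content = '" . $sql_literal . "' WHERE id = 5";

// Layer 3: MySQL parses the literal and stores the unescaped bytes.
$conn->query($query);
$row = $conn->query('SELECT content FROM docs WHERE id = 5')->fetch_assoc();
// The table holds $raw_single: no backslash was stored, so none needs stripping.
var_dump($row['content'] === $raw_single);

// To store a literal backslash followed by a quote, start from the bytes you want
// ($kept) and escape once; the escaper doubles the backslash and escapes the quote.
var_dump($conn->real_escape_string($kept) === '\\\\\"');
```

Applying addslashes() to `$raw_single` and then also escaping it for the query would give the opposite failure: a backslash that survives into the table.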
Use proper escaping when dealing with queries. Applying things like addslashes() are easily defeated.
Depending on your library, mysql_real_escape_string(), mysqli_real_escape_string(), or best yet, prepared statements.
These methods of escaping will not modify the original data, so you don't have to worry about removing the escaping characters on render.
I use mysql_real_escape_string() before interting information in the database, but when I want to show the data from the database, ' is replaced with \'.
So how can I get rid of that backslash? Is there a function that reverses mysql_real_escape_string()?
There is NO [built-in] function to reverse mysql_real_escape_string.
If you have only quotes but not linebreaks escaped - it is not mysql_real_escape_string to blame.
Instead of stripping, you apparently have to make your code not add them.
There are 2 possible reasons for the slashes to appear:
magic_quotes_gpc is turned on. Just turn it off.
some extra-wise-data-sanitize function in charge. Get rid of it.
Just to make sure: not whatever "information" but only strings (query parts enclosed in quotes) have to be escaped. For any other query part, escaping is useless and you have to find another way to protect it from SQL injection.
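The answer's first fix ("turn it off") can also be done in code when you cannot change php.ini, as an added example that is not part of the answer: undo magic_quotes_gpc once, at the request boundary, rather than calling stripslashes() on every display. It assumes a PHP version old enough to still have magic quotes (removed in 5.4); on newer PHP the guard is simply false, and `get_magic_quotes_gpc()` itself is gone in PHP 8, which the `function_exists()` check covers.

```php
<?php
// Added example: reverse magic quotes exactly once, on the raw request arrays,
// so the rest of the application sees the bytes the user actually sent.
function undo_magic_quotes(array $data)
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value)
            ? undo_magic_quotes($value)   // nested arrays (e.g. field[] inputs)
            : stripslashes($value);
    }
    return $data;
}

// magic_quotes_gpc: slashes added to GET/POST/COOKIE on their way in.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// magic_quotes_runtime: slashes added to data read from files and database results.
// It can be changed at runtime, so switch it off for the rest of the request.
if (function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime()) {
    ini_set('magic_quotes_runtime', 0);
}

// After this point nothing in the request has been escaped. Escaping belongs in
// exactly one place, where the query text is built (or, better, in bound parameters),
// which is why stripslashes() on output is never needed once this runs early enough.
```

Put this in the very first file every request includes; if any code runs stripslashes() on its own before it, that data will lose legitimate backslashes, which is the "extra-wise-data-sanitize function" the answer says to get rid of.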
You should turn off magic_quotes, although mysql_real_escape_string does not add any backslashes in the database; it is used just to escape the string.
However, you can use stripslashes() to remove them, but the more elegant solution is to turn off magic_quotes.
Okay, so say I have some user input that selects something from a mysql database.
I want to be safe from mysql injection so in order to do so I'd use the mysql_real_escape_string() function. But after that, I want the quote or whatever is bad from my string out of the variable completely.
EXAMPLE- :
my title variable = Herp'
escape with mysql_real_escape_string()....
then my variable = Herp\'
Now, I want the bad quote out of there. So, I want to remove the backslash & character after the backslash.. so it looks like 'Herp'.
How would I do that?
sorry if that's confusing.
If you just want to filter out quotes instead of escaping them, simply try
$myTitleVar = str_replace(array("'", '"'), '', $myTitleVar);
Before inserting it into the DB, I'd still recommend running it through mysql_real_escape_string() or even better, use PDO and parameter binding.
use stripslashes
but I would dig into why that is happening. Check your magic quotes settings. For safety reasons it is good to have them set to off.
I do not know where the problem is; I cannot insert > and ( into my MySQL database.
I added addslashes($str), but this can still leave the quote mark unescaped.
Is there any string functions that can solve my problem?
Don't use addslashes(), use...
mysql_real_escape_string()
Use it every time you interpolate outside strings into a query!
...or better still, use bound parameters with something like PDO.
By the way, there is no reason why > and ) wouldn't be inserted into your database that I can think of. They have no meaning inside of a string, unlike \.
I allow users to submit a question, and they should be able to have single quotes in their title.
Currently, if a title contains a single quote, it will submit properly.
$question->values($post_data); $question->save();
Any ideas on how I can set Kohana to escape that single quote / escape my information automatically? I would like to avoid having to addslashes() every input and removeslashes() every display...
Thank you so much, SO community!
(This question is crossposted at http://forum.kohanaframework.org/comments.php?DiscussionID=6525)
Actually, you should never use addslashes() to escape DB values at all. Especially not in Kohana, since values are "escaped" while being saved ( example you're giving is ORM one, you can always mess up a custom DB query to get a MySQL injection / broken query ).
If you don't want something to get escaped, wrap it in DB::expr() ( so it'll return an instance of Database_Expression, which doesn't get automatically escaped ).
To escape a value manually, use Database::quote() (not static, call it through your Database object, e.g. $db->quote($value) ).
But! Kohana has a problem with backticks (`). This is a system's symbol.
elseif (preg_match('/\`/', $value)) // if the value contains a backtick
{
    return str_replace('\'', '', $value); // 'value' => value !!! (the quotes are stripped, not escaped)
}
return $this->escape($value);
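The three routes a value can take into Kohana's SQL text, written out as an added example (not Kohana's own code and not from the answer). It assumes the Kohana 3.x Database API as I understand it (`Database::instance()`, `Database::quote()`, `DB::expr()`, `DB::insert()`, `DB::update()` and `Database_Query::param()`); a `questions` table with `id`, `title` and `updated_at` columns is also assumed.

```php
<?php
// Added example: where quoting happens in Kohana 3.x (API names are assumptions).
$db    = Database::instance();
$title = "What's a backtick ` for?"; // user data containing the characters discussed above

// 1. Automatic quoting: the query builder escapes every value it is handed,
//    which is why addslashes() on the input would produce doubled slashes.
DB::insert('questions', array('title'))
    ->values(array($title))
    ->execute($db);

// 2. Manual quoting, for SQL text you assemble yourself: quote() both wraps the
//    value in quotes and escapes it for this connection.
$sql  = 'SELECT id FROM questions WHERE title = ' . $db->quote($title);
$rows = $db->query(Database::SELECT, $sql, FALSE)->as_array();

// 3. Opting out of quoting with DB::expr(): only for SQL you wrote yourself,
//    never for user input, because the expression is pasted into the query as-is.
DB::update('questions')
    ->set(array('updated_at' => DB::expr('NOW()')))
    ->where('title', '=', $title) // the where() value is still quoted automatically
    ->execute($db);

// 4. Named parameters keep the user value out of the SQL text entirely; the
//    driver quotes it at execution time.
$rows = DB::query(Database::SELECT, 'SELECT id FROM questions WHERE title = :title')
    ->param(':title', $title)
    ->execute($db)
    ->as_array();
```

Route 1 and route 4 are the ones that make addslashes() on input and stripslashes() on display unnecessary, which is what the original question asked for.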