php-general | 2001122

Re: [PHP] addslash/stripslashes From: Don Read (dread <email protected>)
Date: 12/19/01

On 19-Dec-2001 TD - Sales International Holland B.V. wrote:
> On Wednesday 19 December 2001 13:12, you wrote:
>
> "test\"" === 'test"' evals true :-)
> What I don't get however, the second the var is set like
> $string = "escaping \" quotes";
> the backslash disappears in the variable. The backslash is no longer there,
> thus having the statement
>
> mysql_query("insert into table values(\"$string\")");
> would be interpreted:
> mysql_query("insert into table values(\"test"\")");
> in which case the quote shouldn't appear in the database 'cause it will see
> that as the delimiter of the first one; however I think mysql_query fixes
> this by adding a backslash to it, which is interpreted by mysql again 'cause
> it doesn't store the backslash. The only problem I still have is HTML. If I
> insert quotes into a field and retrieve them for my form like this:
> <INPUT TYPE=TEXT NAME="name" VALUE="$string">
> the value will stop at the first quote in the string, dropping the rest on
> the floor since it doesn't recognize it (most likely) as a tag. So there's an
> exploit there (only HTML/Javascript though, not PHP) since you could insert a
> field like
> value"><script bla bla bla insert your favorite site mess'm'upper javascript
> here></script><!-- --
>
> so I need to fix that. Otherwise it goes fine. Normally I'd understand this
> perfectly but with all these magic quotes and the mysql functions
> apparently adding the backslashes for escaping and PHP automatically type
> casting variables it has become vague as hell to me :/
>
> thanks for the help so far people, the sky is finally clearing up :-)
>

Where possible, I'll use single quoting to avoid chasing down silly escape
errors:
mysql_query("insert into table values('$string')");

Try it. Makes life easier.

Regards,

-- 
Don Read                                       dread <email protected>
-- It is necessary for me to learn from others' mistakes. I 
   will not live long enough to make them all by myself.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: php-general-unsubscribe <email protected>
For additional commands, e-mail: php-general-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>
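As an added example (not code from the thread or its authors), the following PHP shows both problems the poster describes and the fixes a practitioner would use today: a prepared statement for the database side, since single-quoting the interpolated value still breaks, or becomes injectable, as soon as $string contains a single quote, and htmlspecialchars() with ENT_QUOTES for the VALUE attribute. It uses PDO with an in-memory SQLite database so it runs offline; pdo_sqlite being enabled is an assumption, and the table name `people` and the input string are constructed for the example. mysql_query() and magic quotes are no longer part of PHP (removed in 7.0 and 5.4 respectively).

```php
<?php
// Added example, not from the original thread. Demonstrates the two problems
// raised there: a value containing quotes interpolated into a hand-built SQL
// string, and the same value echoed into an HTML attribute.
// Assumption: the pdo_sqlite extension is available (in-memory DB, runs offline).
// The thread's mysql_query() was removed in PHP 7.0; magic_quotes in PHP 5.4.

// Constructed input: what an attacker would type into the "name" field.
$string = 'test" value\'><script>alert(1)</script><!-- --';

// --- The pattern from the thread, with the single quotes Don suggests.
// This still breaks (or is injectable) once $string contains a single quote,
// as it does here.
$unsafeSql = "insert into people values('$string')";
echo "Hand-built SQL:  $unsafeSql\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('create table people (name text)');

try {
    $db->exec($unsafeSql);
} catch (PDOException $e) {
    // The stray ' terminates the literal; what follows is a syntax error here,
    // and with a crafted value it would be a second condition or statement.
    echo "Hand-built SQL failed: " . $e->getMessage() . "\n";
}

// --- Fix for the database side: a prepared statement. The value travels as a
// bound parameter, so no escaping of quotes or backslashes is needed at all.
$stmt = $db->prepare('insert into people (name) values (:name)');
$stmt->execute([':name' => $string]);

$stored = $db->query('select name from people')->fetchColumn();
echo "Stored verbatim: " . var_export($stored === $string, true) . "\n";

// --- Fix for the HTML side. The poster's
//   <INPUT TYPE=TEXT NAME="name" VALUE="$string">
// ends the attribute at the first ". ENT_QUOTES escapes both quote kinds, so
// the value stays inside the attribute whichever quote style the markup uses.
function inputField(string $name, string $value): string
{
    $name  = htmlspecialchars($name,  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $value = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

echo "Unescaped:  <input type=\"text\" name=\"name\" value=\"$stored\">\n";
echo "Escaped:    " . inputField('name', $stored) . "\n";
```

Run it with `php example.php`: the hand-built statement fails with a syntax error caused by the stray single quote, the prepared statement stores the string unchanged, and the escaped input field keeps the whole value inside the attribute instead of letting the `">` open a script tag.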