in your php.ini file what is the value of:
magic_quotes_gpc?
(hint: it should be off; if it is on, then you are adding slashes twice...)
-Brad
afan@xxxxxxxx wrote:
ok. I just made one test and if you can then explain something to me:
I entered in form (textarea)
afan's "crazy" web
and stored in db using mysql-real_escape_string().
in DB, it's stored with slashes:
afan\'s \"crazy\" web
Then I pulled that from DB on three different ways:
$query = mysql_query("select test from dbtest where rec_id = 5");
$result = mysql_fetch_array($query);
echo $result['test']; // gives afan\'s \"crazy\" web
echo stripslashes($result['test']); // gives afan's "crazy" web
echo htmlentities($result['test']); // gives afan\'s \"crazy\" web
if stripslashes() is not correct to use - what then?!?
-afan
afan@xxxxxxxx wrote:
after these very helpful comments, I read (again) Shiflett's (and a few
others') security articles about filtering input and output. And the more I
read - the less is clear :(
Before, I used addslashes() before I insert data in the database and
stripslashes() to show them on screen.
Later I found it's not good and started using mysql_real_escape_string() to
add to the DB and stripslashes() to show on screen.
If you have to stripslashes() when you pull data out of the db, you're
doing something wrong (like running with magic_quotes* on, therefore
double escaping your data).
But, also, I thought, mysql_real_escape_string() is a "filter" for
everything, e.g. let's have three links (add, delete, edit) as
mysql_real_escape_string() *only* escapes the data which needs to be
escaped for your particular db version.
<a href=index.php?action=add&rec_id=$rec_id>Add new</a>
<a href=index.php?action=edit&rec_id=$rec_id>Edit</a>
<a href=index.php?action=delete&rec_id=$rec_id>Delete</a>
and was doing this way:
#index.php
<?php
if($_GET['action'])
{
$action = mysql_real_escape_string($_GET['action']);
$rec_id = mysql_real_escape_string($_GET['rec_id']);
switch($action)
{
case 'add':
// add new record
break;
case 'edit':
// edit record
break;
case 'delete':
// delete record
break;
}
}
?>
it means that $action I will never store in the DB, nor show on screen.
Is it then wrong to
$action = mysql_real_escape_string($_GET['action']);
or should I
$action = htmlentities($_GET['action']);
or is
$action = $_GET['action'];
just fine?
If you're not going to display it or insert it...if all you're doing is
checking the value of it, then you don't need to modify it.
--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
jnichel@xxxxxxxxxxxxxxxxxxxxxxxxxxx
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
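Putting the three answers in the thread together (undo magic_quotes once at the input edge, escape for SQL only when building the query, escape for HTML only when echoing, and just validate values you only compare), as an added example that is not code from anyone in the thread; it assumes a mysqli connection $db and a table dbtest(rec_id, test):

```php
<?php
// Added example, not from the thread. Each context gets its own escaping,
// applied exactly once, at the point where the value enters that context.

// 1. Input edge: if magic_quotes_gpc is on (PHP < 5.4), PHP already added
//    slashes; strip them here so nothing downstream is escaped twice.
function raw_input(array $src, $key) {
    if (!isset($src[$key])) { return null; }
    $v = $src[$key];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $v = stripslashes($v); // removes only what PHP itself added
    }
    return $v;
}

// 2. SQL context: escape when the value goes into the query string.
//    The stored row then holds  afan's "crazy" web  with no backslashes,
//    so reading it back never needs stripslashes().
function insert_test(mysqli $db, $text) {
    $sql = "INSERT INTO dbtest (test) VALUES ('"
         . $db->real_escape_string($text) . "')";
    return $db->query($sql);
}

// 3. HTML context: escape when the value goes into the page, never before.
function show($text) {
    echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// 4. Compare-only context: no escaping at all; validate against a whitelist
//    so an unexpected action or a non-numeric id is rejected, not "cleaned".
function dispatch($action, $rec_id) {
    if (!in_array($action, array('add', 'edit', 'delete'), true)) {
        return 'unknown action';
    }
    if (!ctype_digit((string) $rec_id)) {
        return 'bad rec_id';
    }
    switch ($action) {          // safe: $action is one of the three literals
        case 'add':    return 'adding record';
        case 'edit':   return 'editing record ' . $rec_id;
        case 'delete': return 'deleting record ' . $rec_id;
    }
}

// Usage (constructed input standing in for the form post and the links):
$db = new mysqli('localhost', 'user', 'pass', 'dbtest');
$text = raw_input(array('test' => 'afan\'s "crazy" web'), 'test');
insert_test($db, $text);                         // one SQL escape
$row = $db->query("SELECT test FROM dbtest ORDER BY rec_id DESC LIMIT 1")
          ->fetch_assoc();
show($row['test']);          // afan&#039;s &quot;crazy&quot; web in the source
echo dispatch('delete', '5');                    // no escaping needed here
```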