Re: magic_quotes

On 12/1/06, Johannes Lindenbaum <johannes@xxxxxxxxxxxxxx> wrote:
Hello,

without trying to embarrass myself, but....

Here is the "smart quoting" function from php.net:

function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not a number or a numeric string
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}

From that idea I implemented it in my MySQL class:
    public function smartQuote( $string )
    {
        if( get_magic_quotes_gpc() == 1 ) {
            return stripslashes($string);
        }
        else {
            return mysql_real_escape_string($string);
        }
    }

I call it in the following manner:
    $result = $mysql->query("SELECT *
                             FROM [[prefix]]_users
                             WHERE name = '" . MySQL::smartQuote($_POST['username']) . "'
                             AND password = '" . md5(MySQL::smartQuote($_POST['password'])) . "'
                            ");

Now, when magic_quotes is off and the user name is, say, Jingle'sBells,
it works fine, because mysql_real_escape_string() kicks in.
But if magic_quotes is on I get the error that something is invalid in
my SQL syntax near 'sBells', because the query would look like name =
'Jingle'sBells'

So I modified it a little:
    public function smartQuote( $string )
    {
        if( get_magic_quotes_gpc() == 1 ) {
            return mysql_real_escape_string(stripslashes($string));
        }
        else {
            return mysql_real_escape_string($string);
        }
    }

That now works both with magic_quotes on and off for Inserts / Selects
etc. (of course I have to call MySQL::smartQuote() for each
value, but it's worth it). Or does my function defeat the point totally?
I did notice that with magic_quotes both On and Off the data is inserted
correctly into the table as Jingle's Bells without slashes.

I was wondering if my above function is correct and the website's
documentation is off a little?

Regards,
Johannes

I'm grateful for any help.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


    public function smartQuote( $string )
    {
        if( get_magic_quotes_gpc() == 1 ) {
            return stripslashes($string);
        }
        else {
            return mysql_real_escape_string($string);
        }
    }

You almost have it.  What you need to do is, if magic quotes is on,
stripslashes and then apply mysql_real_escape_string.  If magic quotes
is off, only apply mysql_real_escape_string, since PHP didn't escape the
values for you.

Also, in mysql_real_escape_string I would suggest adding the
second parameter, your connection.

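As an added example, not code from either post, here is the same idea written against mysqli, which still exists in current PHP (the mysql_* functions were removed in PHP 7.0 and magic_quotes itself in PHP 5.4). It undoes magic quotes exactly once, at the edge of the request, and then escapes through the connection, which is what the reply's second-parameter advice is about. The host, credentials, table and column names are placeholders.

```php
<?php
// Added example, not code from either post. It assumes a mysqli connection
// ($db) to a database with a `users` table (name, password columns);
// host, credentials and table layout are placeholders.

/**
 * Undo magic_quotes_gpc exactly once, recursively, so the rest of the code
 * always sees the raw bytes the client sent. stripslashes() on an array
 * would fail, and $_POST can contain arrays (e.g. name="tags[]").
 */
function undoMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('undoMagicQuotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Run once at the top of the request, before any input is touched.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undoMagicQuotes($_GET);
    $_POST   = undoMagicQuotes($_POST);
    $_COOKIE = undoMagicQuotes($_COOKIE);
}

/**
 * Escape AND quote a value for inline use in SQL. The escaping is done by
 * the client library for the given connection, so it honours the
 * connection's character set; that is what passing the link as the second
 * parameter to mysql_real_escape_string() bought you, and what addslashes()
 * or magic quotes can never do.
 */
function quoteSmart(mysqli $db, $value)
{
    if ($value === null) {
        return 'NULL';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    // Strings are always quoted, numeric-looking or not; MySQL still
    // compares '42' against an INT column correctly, and the is_numeric()
    // check of the php.net version is not needed.
    return "'" . $db->real_escape_string((string) $value) . "'";
}

$db = new mysqli('localhost', 'appuser', 'secret', 'app');   // placeholders
$db->set_charset('utf8mb4');   // escaping is only correct for the charset the link uses

// With magic_quotes_gpc=On the browser's  Jingle'sBells  arrives as
// Jingle\'sBells. The first smartQuote() version returned it stripped and
// unescaped, so  ' OR '1'='1  would have reached the query verbatim: the
// syntax error near 'sBells' was the harmless symptom of an injectable
// query. After undoMagicQuotes() + quoteSmart() the value is escaped
// exactly once regardless of the ini setting.
$username = $_POST['username'];
$pwHash   = md5($_POST['password']);   // hash the raw password, then quote the hex digest

$sql = "SELECT id FROM users WHERE name = " . quoteSmart($db, $username)
     . " AND password = " . quoteSmart($db, $pwHash);
$result = $db->query($sql);

// The same lookup as a prepared statement: values never enter the SQL text,
// so neither stripslashes() nor escaping is involved at all.
$stmt = $db->prepare('SELECT id FROM users WHERE name = ? AND password = ?');
$stmt->bind_param('ss', $username, $pwHash);
$stmt->execute();
```

The prepared-statement form at the end is the one to keep: once magic quotes are normalized away, there is nothing left to quote by hand, and a missed smartQuote() call on a single value cannot reopen the injection. md5() is kept only to match the posts; it is not a password hash, and password_hash()/password_verify() (PHP 5.5+) should be used for stored credentials.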

