Re: MySql Injection advice

On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan <hdedeyan@xxxxxxxxxxxx> wrote:

> On July 11, 2009 10:57:14 am Haig Dedeyan wrote:
> > At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote:
> >
> > [1]
> >
> > >$fname = mysql_real_escape_string($fname);
> > >$lname = mysql_real_escape_string($lname);
> > >
> > >$sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE id=$id";
> > >$result = mysql_query($sql);
> > >echo mysql_error() . "\n";
> > >
> > >This will result in the addition of the slashes.
> >
> > [2]
> >
> > >If I do the following, there are no slashes. Just wondering if I'm on the
> > >right path with the 1st code set..
> > >
> > >$sql = "UPDATE phonedir SET fname =
> > >'".mysql_real_escape_string($fname)."',lname =
> > >'".mysql_real_escape_string($lname)."'  WHERE id=$id";
> > >$result = mysql_query($sql);
> > >echo mysql_error() . "\n";
> >
> > Haig:
> >
> > Interesting, I did not know that -- that sounds like a bug to me --
> > both should be the same.
> >
> > However, I commonly do [1] and when I have to display the data to a
> > browser, then I use htmlentities() and stripslashes() before
> > displaying the data. That way names like O'Brian appear correctly --
> > else they appear 0\'Brian.
> >
> > Now maybe I'm doing something wrong, but this way works for me. If
> > there is a better way, I would like to hear it.
> >
> > Cheers,
> >
> > tedd
>
>
> Thanks Tedd.
>
> I did more testing and here's what I have found.
>
> @PHPSter - magic quotes are off
>
>
> Just entering simple data where an apostrophe is part of the data.
>
> The following code is entering the slash but that's because I am escaping it
>
> twice since mysql_num_rows is throwing an error if an apostrophe is in its
> search:
>
> 1 -
> $new_fname = mysql_real_escape_string($new_fname);
> $new_lname = mysql_real_escape_string($new_lname);
>
> $result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname' &&
> lname = '$new_lname'");
> $num_rows = mysql_num_rows($result);
>

The error message may say that mysql_num_rows is throwing an error, but the
actual error is at the mysql_query level (not a correct query).

>
> if($num_rows > 0)
>
>          {
>                echo $fname." ".$lname." already exists";
>          }
>
> else
>        {
>
> mysql_query("INSERT INTO phonedir
> (fname, lname)
>
> VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')")
> or die(mysql_error());
>
>
>
BTW, escaping twice is not good.

>
>
>
> 2 - If I do the same code above without the mysql_num_rows and no escaping,
> the data doesn't get entered.
>
> I think this is normal behaviour.
>
> Welcome to hell of quotes :(


>
>
>
>
> 3 - If I do any of the 2 following sets of code where there is 1 instance of
> escaping, the data gets entered with the apostrophe but I don't see any
> backslash entered.
>
> The part that I am concerned about is if I should be seeing the backslash
> entered without having to double escape.
>

Please see the magic_quotes_runtime configuration setting...
http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime

If it is enabled, it will automatically remove the slashes from any external
source, including databases...
It was there to make the developer's life somewhat easier (!!!!)...
The magic quotes features are deprecated and will be completely removed in PHP 6.


>
> $new_fname = mysql_real_escape_string($new_fname);
> $new_lname = mysql_real_escape_string($new_lname);
>
>
> $result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname' &&
> lname = '$new_lname'");
> $num_rows = mysql_num_rows($result);
>
> if($num_rows > 0)
>
>          {
>                echo $fname." ".$lname." already exists";
>          }
>
> else
>        {
>
> mysql_query("INSERT INTO phonedir
> (fname, lname) VALUES('$new_fname','$new_lname')")
> or die(mysql_error());
>
>
>
> or
>
>
> mysql_query("INSERT INTO phonedir
> (fname, lname)
>
> VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')")
> or die(mysql_error());
>
>
>


-- 
Zareef Ahmed :: A PHP Developer in India ( Delhi )
Homepage :: http://www.zareef.net
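The single- versus double-escaping effect discussed in this thread, as an added PHP example that is not from any of the posters. `mysql_real_escape_string()` needs a live MySQL connection, so `mysql_style_escape()` and `mysql_literal_to_value()` are stand-alone emulations (assumed to follow the same escaping rules), and an in-memory SQLite database via PDO stands in for MySQL to show the parameter-binding alternative; `phonedir` is the table from the thread, the name values are constructed.

```php
<?php
// Added example, not from the thread. Emulation of mysql_real_escape_string():
// backslash-escapes the characters MySQL treats specially in a string literal.
function mysql_style_escape(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\n" => "\\n", "\r" => "\\r", "\0" => "\\0", "\x1a" => "\\Z",
    ]);
}

// What MySQL keeps after parsing a quoted string literal: each backslash
// escape is consumed and the underlying character is stored.
function mysql_literal_to_value(string $literal): string
{
    return strtr($literal, [
        "\\\\" => "\\", "\\'" => "'", '\\"' => '"',
        "\\n" => "\n", "\\r" => "\r", "\\0" => "\0", "\\Z" => "\x1a",
    ]);
}

$name  = "O'Brian";                                     // constructed sample input
$once  = mysql_style_escape($name);                     // escaped once, as in [2]
$twice = mysql_style_escape(mysql_style_escape($name)); // escaped twice, as in [1]
echo "escaped once  -> stored as ", mysql_literal_to_value($once), "\n";
echo "escaped twice -> stored as ", mysql_literal_to_value($twice), "\n";

// Parameter binding: the value never becomes part of the SQL text, so there is
// nothing to escape on input and nothing to strip on output. SQLite in memory
// stands in for MySQL; with PDO's MySQL driver the calls are the same.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE phonedir (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT)');

$fname  = 'Pat'; // constructed sample input
$exists = $db->prepare('SELECT COUNT(*) FROM phonedir WHERE fname = ? AND lname = ?');
$exists->execute([$fname, $name]);
if ((int) $exists->fetchColumn() > 0) {
    echo "$fname $name already exists\n";
} else {
    $ins = $db->prepare('INSERT INTO phonedir (fname, lname) VALUES (?, ?)');
    $ins->execute([$fname, $name]);
}

// Read back: the apostrophe is intact and no backslash was stored.
$stored = $db->query('SELECT lname FROM phonedir')->fetchColumn();
echo "via prepared statement -> stored as $stored\n";
```

Escaping once stores the apostrophe alone, escaping twice stores a literal backslash in front of it, which is the `\'Brian` that then needs stripslashes() on the way out; with bound parameters neither step is needed.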
