2009/7/12 Haig Dedeyan <hdedeyan@xxxxxxxxxxxx>

> On July 11, 2009 08:21:34 pm Haig Dedeyan wrote:
> > On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan <hdedeyan@xxxxxxxxxxxx> wrote:
> > > On July 11, 2009 10:57:14 am Haig Dedeyan wrote:
> > > > At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote:
> > > >
> > > > [1]
> > > >
> > > > > $fname = mysql_real_escape_string($fname);
> > > > > $lname = mysql_real_escape_string($lname);
> > > > >
> > > > > // note: $id is interpolated unescaped, so it must already be a validated integer
> > > > > $sql = "UPDATE phonedir SET fname = '$fname', lname = '$lname' WHERE id=$id";
> > > > > $result = mysql_query($sql);
> > > > > echo mysql_error() . "\n";
> > > > >
> > > > > This will result in the addition of the slashes.
> > > >
> > > > [2]
> > > >
> > > > > If I do the following, there are no slashes. Just wondering if I'm on the
> > > > > right path with the 1st code set..
> > > > >
> > > > > $sql = "UPDATE phonedir SET fname = '".mysql_real_escape_string($fname)."', lname = '".mysql_real_escape_string($lname)."' WHERE id=$id";
> > > > > $result = mysql_query($sql);
> > > > > echo mysql_error() . "\n";
> > > >
> > > > Haig:
> > > >
> > > > Interesting, I did not know that -- that sounds like a bug to me --
> > > > both should be the same.
> > > >
> > > > However, I commonly do [1] and when I have to display the data to a
> > > > browser, then I use htmlentities() and stripslashes() before
> > > > displaying the data. That way names like O'Brian appear correctly --
> > > > else they appear O\'Brian.
> > > >
> > > > Now maybe I'm doing something wrong, but this way works for me. If
> > > > there is a better way, I would like to hear it.
> > > >
> > > > Cheers,
> > > >
> > > > tedd
> > >
> > > Thanks Tedd.
> > >
> > > I did more testing and here's what I have found.
> > >
> > > @PHPSter - magic quotes are off
> > >
> > > Just entering simple data where an apostrophe is part of the data.
> > > The following code is entering the slash, but that's because I am escaping it
> > > twice, since mysql_num_rows is throwing an error if an apostrophe is in
> > > its search:
> > >
> > > 1 -
> > > $new_fname = mysql_real_escape_string($new_fname);
> > > $new_lname = mysql_real_escape_string($new_lname);
> > >
> > > $result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname'
> > > && lname = '$new_lname'");
> > > $num_rows = mysql_num_rows($result);
> >
> > The error message may say that mysql_num_rows is throwing an error, but
> > the actual error is at the mysql_query level (not a correct query).
> >
> > > if($num_rows > 0)
> > > {
> > > echo $new_fname." ".$new_lname." already exists";
> > > }
> > > else
> > > {
> > > // $new_fname / $new_lname were already escaped above, so this escapes them a second time
> > > mysql_query("INSERT INTO phonedir
> > > (fname, lname)
> > > VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')") or die(mysql_error());
> >
> > BTW, twice escaping is not good.
> >
> > > 2 - If I do the same code above without the mysql_num_rows and no
> > > escaping, the data doesn't get entered.
> > >
> > > I think this is normal behaviour.
> > >
> > > Welcome to the hell of quotes :(
> > >
> > > 3 - If I do any of the 2 following sets of code where there is 1 instance of
> > > escaping, the data gets entered with the apostrophe but I don't see any
> > > backslash entered.
> > >
> > > The part that I am concerned about is if I should be seeing the backslash
> > > entered without having to double escape,
> >
> > Please see the magic_quotes_runtime setting configuration...
> > http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime
> >
> > If it is enabled it will automatically remove the slashes from any
> > external source, including databases...
> > It was there to make the life of the developer somewhat easier (!!!!)...
> > Magic quotes are deprecated and will be completely removed in PHP 6.
> >
> > > $new_fname = mysql_real_escape_string($new_fname);
> > > $new_lname = mysql_real_escape_string($new_lname);
> > >
> > > $result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname'
> > > && lname = '$new_lname'");
> > > $num_rows = mysql_num_rows($result);
> > >
> > > if($num_rows > 0)
> > > {
> > > echo $new_fname." ".$new_lname." already exists";
> > > }
> > > else
> > > {
> > > mysql_query("INSERT INTO phonedir
> > > (fname, lname) VALUES('$new_fname','$new_lname')")
> > > or die(mysql_error());
> > >
> > > or
> > >
> > > mysql_query("INSERT INTO phonedir
> > > (fname, lname)
> > > VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')") or die(mysql_error());
>
> Thanks Zareef.
>
> Magic quotes are off. This is what my php ini says:
>
> ; Magic quotes for incoming GET/POST/Cookie data.
> magic_quotes_gpc = Off
>
> ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
> magic_quotes_runtime = Off
>
> ; Use Sybase-style magic quotes (escape ' with '' instead of \').
> magic_quotes_sybase = Off

This is fine, but just for final confirmation of the actual values at runtime,
can you try to get the value of the get_magic_quotes_runtime() function in your
script?

var_dump(get_magic_quotes_runtime());

The possibility of a different php.ini being used, or of the values being
modified at runtime, is also there :)

> I won't be using 2x escapes but I just need to know if I should be seeing
> the backslash in the dbase.
>
> @Tedd - I will be looking into prepared statements eventually but I still
> want to understand escaping.
>
> Cheers
>
> Haig

--
Zareef Ahmed :: A PHP Developer in India ( Delhi )
Homepage :: http://www.zareef.net
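The question running through the whole thread is where the backslash goes: mysql_real_escape_string() only makes a value safe to sit inside a quoted literal in the SQL text, and the server's parser consumes that backslash when it decodes the literal, so a value escaped exactly once is stored without any backslash, a value escaped twice is stored with one literal backslash, and an unescaped apostrophe ends the literal early and the query fails (Haig's cases 3, 1 and 2 respectively). The following is an added example, not code from the thread or from PHP: it models mysql_real_escape_string() and the server's decoding of a single-quoted literal with two small Python helpers (a simplified model of MySQL's backslash escaping, assumed to be running without NO_BACKSLASH_ESCAPES; not the real client library), and then shows the prepared-statement path tedd and Haig mention, simulated with the standard-library sqlite3 module so it runs offline. The table name phonedir and the sample names are taken from the thread; the injection-shaped last name is a constructed input.

```python
import sqlite3

# Model of mysql_real_escape_string(): prefix the characters that would
# terminate or confuse a quoted literal (assumes no NO_BACKSLASH_ESCAPES).
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def mysql_escape(value):
    """Escape a value for interpolation inside a '...' literal (model)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# Model of the server decoding the text between the quotes of a '...' literal.
_UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b",
              "Z": "\x1a", "\\": "\\", "'": "'", '"': '"'}


def mysql_decode_literal(body):
    """Return the string value the row will hold for a literal body.

    Raises ValueError when a bare quote would end the literal early, which
    is the syntax error that makes mysql_query() fail (nothing is inserted).
    """
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            # \% and \_ keep their backslash (LIKE wildcards); any other
            # escape is consumed and replaced by the character it stands for.
            out.append("\\" + nxt if nxt in "%_" else _UNESCAPES.get(nxt, nxt))
            i += 2
        elif ch == "'":
            if body[i + 1:i + 2] == "'":      # '' inside a literal is one quote
                out.append("'")
                i += 2
            else:
                raise ValueError("bare quote terminates the literal: syntax error")
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def stored_value(value, escape_rounds):
    """Value that lands in the column when the SQL is built by string
    interpolation after escape_rounds applications of mysql_escape().
    None means the query did not parse, so no row was written."""
    literal = value
    for _ in range(escape_rounds):
        literal = mysql_escape(literal)
    try:
        return mysql_decode_literal(literal)
    except ValueError:
        return None


def insert_with_binding(fname, lname):
    """Prepared-statement path, simulated with sqlite3: the values travel as
    parameters and are never parsed as SQL text, so no escaping is applied
    and none is needed, and a quote in the data cannot alter the statement."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phonedir (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT)")
    conn.execute("INSERT INTO phonedir (fname, lname) VALUES (?, ?)", (fname, lname))
    row = conn.execute("SELECT fname, lname FROM phonedir").fetchone()
    conn.close()
    return row


if __name__ == "__main__":
    name = "O'Brian"
    print(repr(stored_value(name, 0)))   # None: unescaped quote breaks the query
    print(repr(stored_value(name, 1)))   # 'O'Brian': escaped once, no backslash stored
    print(repr(stored_value(name, 2)))   # "O\\'Brian": escaped twice, backslash stored
    # constructed injection-shaped input; with binding it is stored verbatim
    print(insert_with_binding("O'Brian", "x' OR '1'='1"))
```

Because the escape is consumed by the parser, there is nothing to stripslashes() on the way out when the value was escaped once; stripslashes() only appears necessary when the data was escaped twice (or magic_quotes_gpc added a round), which is why the thread's advice against double escaping and the move to prepared statements go together.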