Hi gang:
I am top posting only to show that the following post makes no sense
as to who said what.
At what point here Zareef, did you think you were helping anyone? Or
is this more of your "I'm going to do whatever I want" attitude?
I would hate to review code with such lack of forethought and
consideration for others to read.
tedd
-- totally useless post follows:
At 5:51 AM +0530 7/12/09, Zareef Ahmed wrote:
On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan
<hdedeyan@xxxxxxxxxxxx> wrote:
On July 11, 2009 10:57:14 am Haig Dedeyan wrote:
At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote:
[1]
>$fname = mysql_real_escape_string($fname);
>$lname = mysql_real_escape_string($lname);
>
>$sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE id=$id";
>$result = mysql_query($sql);
>echo mysql_error() . "\n";
>
>This will result in the addition of the slashes.
[2]
>If I do the following, there are no slashes. Just wondering if I'm on the
>right path with the 1st code set.
>
>$sql = "UPDATE phonedir SET fname =
>'".mysql_real_escape_string($fname)."',lname =
>'".mysql_real_escape_string($lname)."' WHERE id=$id";
>$result = mysql_query($sql);
>echo mysql_error() . "\n";
Haig:
Interesting, I did not know that -- that sounds like a bug to me --
both should be the same.
However, I commonly do [1] and when I have to display the data to a
browser, then I use htmlentities() and stripslashes() before
displaying the data. That way names like O'Brian appear correctly --
else they appear O\'Brian.
Now maybe I'm doing something wrong, but this way works for me. If
there is a better way, I would like to hear it.
Cheers,
tedd
Thanks Tedd.
I did more testing and here's what I have found.
@PHPSter - magic quotes are off
Just entering simple data where an apostrophe is part of the data.
The following code is entering the slash, but that's because I am escaping it
twice, since mysql_num_rows is throwing an error if an apostrophe is in its
search:
1 -
$new_fname = mysql_real_escape_string($new_fname);
$new_lname = mysql_real_escape_string($new_lname);
$result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname' &&
lname = '$new_lname'");
$num_rows = mysql_num_rows($result);
The error message may be saying that mysql_num_rows is throwing an
error, but the actual error is at the mysql_query function level (not a
correct query).
if($num_rows > 0)
{
echo $fname." ".$lname." already exists";
}
else
{
mysql_query("INSERT INTO phonedir
(fname, lname)
VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')")
or die(mysql_error());
BTW, escaping twice is not good.
2 - If I do the same code above without the mysql_num_rows and no escaping,
the data doesn't get entered.
I think this is normal behaviour.
Welcome to the hell of quotes :(
3 - If I do any of the 2 following sets of code where there is 1 instance of
escaping, the data gets entered with the apostrophe but I don't see any back
slash entered.
The part that I am concerned about is if I should be seeing the backslash
entered without having to double escape.
Please see the magic_quotes_runtime setting configuration...
http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime
If it is enabled, it will automatically remove the slashes from any
external source, including databases...
It was there to make the life of the developer somewhat easier (!!!!)...
Magic quotes are deprecated and will be completely removed in PHP 6.
$new_fname = mysql_real_escape_string($new_fname);
$new_lname = mysql_real_escape_string($new_lname);
$result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname' &&
lname = '$new_lname'");
$num_rows = mysql_num_rows($result);
if($num_rows > 0)
{
echo $fname." ".$lname." already exists";
}
else
{
mysql_query("INSERT INTO phonedir
(fname, lname) VALUES('$new_fname','$new_lname')")
or die(mysql_error());
or
mysql_query("INSERT INTO phonedir
(fname, lname)
VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')")
or die(mysql_error());
--
Zareef Ahmed :: A PHP Developer in India ( Delhi )
Homepage :: http://www.zareef.net
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
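An added worked example (not code from any poster in this thread) that reproduces the three behaviours Haig describes at the string level. It uses a simplified model of what mysql_real_escape_string() does (the real function is connection-charset aware; the escape table below is an assumption for illustration) and of how the MySQL parser reads a single-quoted literal back. Escaping once yields O'Brian in the table; escaping twice yields O\'Brian, the backslash tedd later strips with stripslashes(); escaping zero times leaves an unescaped quote that ends the literal early, so the query is malformed and nothing is inserted. The last function shows the SELECT-then-INSERT from the thread with bound parameters on a constructed in-memory SQLite table, which stores the apostrophe unchanged with no application-side escaping at all; in PHP the equivalent is a mysqli or PDO prepared statement (the mysql_* extension itself was removed in PHP 7.0).

```python
import sqlite3

# Simplified model of what mysql_real_escape_string() does to a string
# (assumption for illustration: the real function is connection-charset
# aware; this table covers the backslash escapes MySQL documents).
_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
}

# How the MySQL parser maps the character after a backslash back to a value.
# Unknown escapes (e.g. \q) simply drop the backslash.
_UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a"}


def mysql_escape(value: str) -> str:
    """Backslash-escape VALUE the way mysql_real_escape_string() would."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def literal_to_stored_value(literal: str) -> str:
    """Interpret LITERAL as the body of a single-quoted MySQL string literal
    and return the value the server would store. An unescaped single quote
    ends the literal early, so the query is malformed: raise instead."""
    out = []
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal):
            nxt = literal[i + 1]
            out.append(_UNESCAPES.get(nxt, nxt))
            i += 2
        elif ch == "'":
            raise ValueError("unescaped quote at offset %d: query is malformed" % i)
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def stored_value(raw: str, escape_passes: int) -> str:
    """Escape RAW escape_passes times, splice it into '...', and return what
    MySQL would store. 0 passes = Haig's case 2, 1 = case 3, 2 = case 1."""
    literal = raw
    for _ in range(escape_passes):
        literal = mysql_escape(literal)
    return literal_to_stored_value(literal)


def insert_if_absent(conn: sqlite3.Connection, fname: str, lname: str) -> bool:
    """The SELECT-then-INSERT from the thread, written with bound parameters.
    The driver passes the values out of band, so the application escapes
    nothing and the stored text is exactly the input.
    Returns True if a row was inserted, False if it already existed."""
    row = conn.execute(
        "SELECT 1 FROM phonedir WHERE fname = ? AND lname = ?", (fname, lname)
    ).fetchone()
    if row is not None:
        return False
    conn.execute("INSERT INTO phonedir (fname, lname) VALUES (?, ?)", (fname, lname))
    return True


def demo_parameterized(fname: str, lname: str):
    """Constructed in-memory table standing in for the thread's phonedir."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phonedir (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT)")
    first = insert_if_absent(conn, fname, lname)
    second = insert_if_absent(conn, fname, lname)  # duplicate: must be refused
    stored = conn.execute("SELECT fname, lname FROM phonedir").fetchall()
    conn.close()
    return first, second, stored


if __name__ == "__main__":
    name = "O'Brian"
    print("escaped once :", repr(stored_value(name, 1)))  # O'Brian
    print("escaped twice:", repr(stored_value(name, 2)))  # O\'Brian
    try:
        stored_value(name, 0)
    except ValueError as e:
        print("not escaped  :", e)
    print("parameterized:", demo_parameterized("Haig", name))
```

The point for review: stripslashes() on output only papers over data that was already stored wrong, and an escape-on-read/escape-on-write discipline is fragile because the number of passes is invisible in the stored text. Bound parameters make the count irrelevant, which also closes the injection path that escaping is meant to guard.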
--
PHP General Mailing List (http://www.php.net/)