On Sun, Jul 12, 2009 at 6:32 PM, tedd <tedd.sperling@xxxxxxxxx> wrote:
> Hi gang:
>
> I am top posting only to show that the following post makes no sense as to
> who said what.
>
> At what point here Zareef, did you think you were helping anyone? Or is
> this more of your "I'm going to do whatever I want" attitude?
>

As far as I understand the main problem was the original poster was "NOT
SEEING" slashes in the output from database after successful insertion (with
only single use of mysql_real_escape_string), so I put my 50 cent on the
magic quotes runtime.. (My understanding of the actual problem may be wrong
thus the suggestion in context)

I am sorry if I offended anyone ....

> I would hate to review code with such lack of forethought and consideration
> for others to read.
>
> tedd
>
> -- totally useless post follows:
>
>
> At 5:51 AM +0530 7/12/09, Zareef Ahmed wrote:
>
>> On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan <hdedeyan@xxxxxxxxxxxx> wrote:
>>
>> On July 11, 2009 10:57:14 am Haig Dedeyan wrote:
>>
>>> At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote:
>>>
>>> [1]
>>>
>>> >$fname = mysql_real_escape_string($fname);
>>> >$lname = mysql_real_escape_string($lname);
>>> >
>>> >$sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE
>>> > id=$id"; $result = mysql_query($sql);
>>> >echo mysql_error() . "\n";
>>> >
>>> >This will result in the addition of the slashes.
>>>
>>> [2]
>>>
>>> >If I do the following, there are no slashes. Just wondering if I'm on the
>>> >right path with the 1st code set..
>>> >
>>> >$sql = "UPDATE phonedir SET fname =
>>> >'".mysql_real_escape_string($fname)."',lname =
>>> >'".mysql_real_escape_string($lname)."' WHERE id=$id";
>>> >$result = mysql_query($sql);
>>> >echo mysql_error() . "\n";
>>>
>>> Haig:
>>>
>>> Interesting, I did not know that -- that sounds like a bug to me --
>>> both should be the same.
>>>
>>> However, I commonly do [1] and when I have to display the data to a
>>> browser, then I use htmlentities() and stripslashes() before
>>> displaying the data. That way names like O'Brian appear correctly --
>>> else they appear O\'Brian.
>>>
>>> Now maybe I'm doing something wrong, but this way works for me. If
>>> there is a better way, I would like to hear it.
>>>
>>> Cheers,
>>>
>>> tedd
>>>
>>
>> Thanks Tedd.
>>
>> I did more testing and here's what I have found.
>>
>> @PHPSter - magic quotes are off
>>
>>
>> Just entering simple data where an apostrophe is part of the data.
>>
>> The following code is entering the slash but that's because I am escaping
>> it twice since mysql_num_rows is throwing an error if an apostrophe is in
>> its search:
>>
>> 1 -
>> $new_fname = mysql_real_escape_string($new_fname);
>> $new_lname = mysql_real_escape_string($new_lname);
>>
>> $result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname' &&
>> lname = '$new_lname'");
>> $num_rows = mysql_num_rows($result);
>>
>>
>> The error message may be saying the mysql_num_rows is throwing an error
>> but actual error is on mysql_query function level (Not a correct query)
>>
>>
>> if($num_rows > 0)
>> {
>> echo $fname." ".$lname." already exists";
>> }
>> else
>> {
>> mysql_query("INSERT INTO phonedir (fname, lname)
>> VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')")
>> or die(mysql_error());
>>
>>
>> BTW twice escaping is not good
>>
>>
>> 2 - If I do the same code above without the mysql_num_rows and no escaping,
>> the data doesn't get entered.
>>
>> I think this is normal behaviour.
>>
>> Welcome to hell of quotes :(
>>
>>
>> 3 - If I do any of the 2 following sets of code where there is 1 instance
>> of escaping, the data gets entered with the apostrophe but I don't see any
>> back slash entered.
>>
>> The part that I am concerned about is if I should be seeing the backslash
>> entered without having to double escape,
>>
>>
>> Please see magic_quotes_runtime setting configuration...
>> http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime
>>
>> If it is enabled it will automatically remove the slashes from any
>> external source including databases...
>> It was there to make the life of developer somewhat easier (!!!!)...
>> magic quotes things are deprecated and completely will be removed in PHP 6
>>
>>
>> $new_fname = mysql_real_escape_string($new_fname);
>> $new_lname = mysql_real_escape_string($new_lname);
>>
>> $result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname' &&
>> lname = '$new_lname'");
>> $num_rows = mysql_num_rows($result);
>>
>> if($num_rows > 0)
>> {
>> echo $fname." ".$lname." already exists";
>> }
>> else
>> {
>> mysql_query("INSERT INTO phonedir
>> (fname, lname) VALUES('$new_fname','$new_lname')")
>> or die(mysql_error());
>>
>>
>> or
>>
>>
>> mysql_query("INSERT INTO phonedir (fname, lname)
>> VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')")
>> or die(mysql_error());
>>
>>
>> --
>> Zareef Ahmed :: A PHP Developer in India ( Delhi )
>> Homepage :: http://www.zareef.net
>>
>
>
> --
> -------
> http://sperling.com http://ancientstones.com http://earthstones.com
>

--
Zareef Ahmed :: A PHP Developer in India ( Delhi )
Homepage :: http://www.zareef.net
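An added illustration of the behaviour the thread is arguing about, not code from any of the posts: it models what the server stores for the single-escaped (set 3) and double-escaped (set 1) INSERTs, which is why no backslash appears after escaping once and one appears after escaping twice. The functions mysql_escape() and mysql_store() are hypothetical simplified models of mysql_real_escape_string() and of MySQL's decoding of a single-quoted literal, and assume backslash escaping is in effect (NO_BACKSLASH_ESCAPES off).

```php
<?php
// Added illustration for the thread above; not code from the list posts.
// mysql_escape() is a hypothetical model of what mysql_real_escape_string()
// does (assumes a single-byte-safe charset and NO_BACKSLASH_ESCAPES off);
// mysql_store() is a hypothetical model of how the server decodes a
// single-quoted string literal, i.e. what actually lands in the column.

function mysql_escape(string $s): string
{
    return strtr($s, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\"',
        "\x1a" => '\Z',
    ]);
}

function mysql_store(string $literal): string
{
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", '\\' => "\\",
            "'" => "'", '"' => '"', 'Z' => "\x1a"];
    $out = '';
    for ($i = 0, $n = strlen($literal); $i < $n; $i++) {
        if ($literal[$i] === "\\" && $i + 1 < $n) {
            $c = $literal[++$i];
            $out .= $map[$c] ?? $c;   // unknown "\x" collapses to "x"
        } else {
            $out .= $literal[$i];
        }
    }
    return $out;
}

// What each variant of the thread's INSERT stores for a given name.
function stored_values(string $name): array
{
    $once  = mysql_escape($name);               // escaped once, as in set 3
    $twice = mysql_escape(mysql_escape($name)); // escaped twice, as in set 1
    return ['once' => mysql_store($once), 'twice' => mysql_store($twice)];
}

foreach (stored_values("O'Brien") as $how => $stored) {
    printf("escaped %-5s -> stored as %s\n", $how, $stored);
}
// Escaping once stores the bare apostrophe: the backslash is only syntax
// for the SQL parser, so seeing no slash in the output is the correct result.
// Escaping twice stores a literal backslash; stripslashes() on output hides
// it but also damages any genuine backslash in the data. Prepared statements
// (PDO::prepare + bindValue) avoid the issue because the value never passes
// through the SQL string at all.
```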