
used mysql_real_escape_string() but now when I echo the string I get \ in the text!



jasonc310771
01-09-2008, 02:44 PM
I have been told I need to use mysql_real_escape_string() to prevent injections,
but since doing this I now get \ in the text. How do I stop this?

Thanks

CFMaBiSmAd
01-09-2008, 02:57 PM
http://www.php.net/manual/en/function.stripslashes.php

Grant Palin
01-10-2008, 05:52 AM
If you are about to add input to a database, then perform mysql_real_escape_string on it - that helps prevent SQL injection by escaping special characters (by preceding said characters with a backslash). So when later getting data from the database to display, do stripslashes on the data, which removes the backslashes and things will appear normally.

Vege
01-13-2008, 06:00 PM
If you're in need to add stripslashes to output, you're inserting the data into the database the wrong way.
You NEVER need to stripslash a database result.

You're adding mysql_real_escape_string to data that has already been run through magic_quotes, which is on by default.
magic_quotes has already added slashes to the post data.
Check the latter script on this page.
http://talks.php.net/show/php-best-practices/26

hammer65
01-15-2008, 03:18 PM
Magic_quotes is insecure. It is vulnerable to manipulation of character sets. You should use stripslashes to defeat it and then use mysql_real_escape_string to securely escape output.



function cleaner($data)
{
    // Arrays (e.g. the whole of $_POST) are walked recursively; every leaf is cleaned
    if (is_array($data))
    {
        $ret = array();
        foreach ($data as $key => $value)
        {
            $ret[$key] = cleaner($value);
        }
        return $ret;
    }
    else
    {
        // Numbers contain nothing the SQL parser could misread, so they are left alone
        if (!is_numeric($data))
        {
            // magic_quotes_gpc has already run addslashes(); undo it so we escape exactly once
            if (get_magic_quotes_gpc())
            {
                $data = stripslashes($data);
            }
            $data = mysql_real_escape_string($data);
        }
        return $data;
    }
}

// use
$pdata = cleaner($_POST);
// or
$name = cleaner($_POST['name']);


This is a recursive function that will escape all string values in an array, no matter how deep they go. It can be used to escape an array derived from multiple pages of form submissions (stored in a session, for instance) or where array syntax is used for form elements. It will also handle single values.

Don't bother running numbers through escaping and only run stripslashes if magic_quotes is enabled.

Incidentally, escaping is solely for the benefit of the SQL parser. The parser needs to know what quotes denote the beginning and end of a string and which ones are part of the content. It is no different than doing...



$tag = "<a href=\"example.php\">Click Here</a>";
echo $tag;


On output, you don't see the slashes. They are there for the PHP parser for the same reason.

Escaping done properly will not show up in the actual data.
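The two posts above (Vege's and hammer65's) describe the same mechanism in words: magic_quotes_gpc has already run addslashes() on the request, so escaping again produces two levels of backslashes, and the SQL parser only removes one of them. The script below is an added example, not code from the thread. Because mysql_real_escape_string() refuses to run without a live connection, it uses a stand-in, sql_escape_standin(), that prepends a backslash to the same characters the PHP manual lists for mysql_real_escape_string() (NUL, \n, \r, \, ', " and Ctrl-Z); the stand-in is an assumption for the offline demo and ignores the connection character set, which is precisely the job the real function does and why it must be used in production. It targets the PHP 5 era the thread is about, where get_magic_quotes_gpc() still exists.

```php
<?php
// Added example: why the stray backslashes appear, and the escaping order that avoids them.
// sql_escape_standin() is a demo stand-in for mysql_real_escape_string(); it escapes the
// documented character set but is NOT charset-aware, so do not use it in real code.
function sql_escape_standin($s)
{
    // strtr() with an array does a single pass, so replacements are never re-escaped
    return strtr($s, array(
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => "\\Z",
    ));
}

// What the browser actually submitted, e.g. $_POST['name']
$raw = "O'Neil";

// With magic_quotes_gpc on, PHP has applied addslashes() before the script even starts
$as_seen_with_magic_quotes = addslashes($raw);            // O\'Neil

// Wrong order: escaping the already-slashed value doubles the backslash. MySQL's parser
// turns \\ into \ and \' into ', so the column ends up holding O\'Neil. That backslash is
// the one the original poster sees when echoing the row back out.
$double = sql_escape_standin($as_seen_with_magic_quotes); // O\\\'Neil

// Right order: strip the magic-quotes slashes first (only when they are on, as in
// hammer65's cleaner()), then escape once, and use the result only inside the SQL text.
$once = sql_escape_standin(stripslashes($as_seen_with_magic_quotes)); // O\'Neil
$sql  = "INSERT INTO users (name) VALUES ('" . $once . "')";

echo $double, "\n";   // O\\\'Neil  : two levels, one survives into the table
echo $once,   "\n";   // O\'Neil    : one level, the parser consumes it
echo $sql,    "\n";

// A quick self-check a practitioner can keep: escaping twice must differ from escaping once,
// and stripslashes() of the magic-quotes copy must give back the raw input.
assert(sql_escape_standin($raw) === $once);
assert(stripslashes($as_seen_with_magic_quotes) === $raw);
assert($double !== $once);
```

The stored value is wrong whenever both magic_quotes and your own escaping touch the same string; the cure is to do the stripping at the input boundary once and the escaping at the SQL boundary once, never to strip on the way out.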

firemankurt
07-18-2010, 08:52 PM
I am frustrated because using mysql_real_escape_string causes \n to be stored in the database.

See the example below that I extracted from a validator function used to build queries. The \n should not show up when echoing a PHP variable unless mysql_real_escape_string is using \\n to replace the newline character.


Vege: If you're in need to add stripslashes to output, you're inserting the data into the database the wrong way.

So what am I missing?

Here is the actual function:


function cleanValues($value)
{
    $value = trim($value);
    // undo slashes for poorly configured servers
    $value = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) ? stripslashes($value) : $value;

    // determine best method based on available extensions
    if (function_exists('mysql_real_escape_string'))
    {
        $value = mysql_real_escape_string($value);
    }
    else
    {
        $value = mysql_escape_string($value);
    }
    return $value;
}


Here is a similar script that illustrates that the problem occurs right after

$value = mysql_real_escape_string($value);

Example:


<?php
// Get config stuff and connect to DB
require_once('dirConfig.php');

$Text = "\n<p>Line 1</p>\n<p>Line 2</p>\n";

echo $Text . "\n\n";

$Text = trim($Text);
// undo slashes for poorly configured servers
$Text = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) ? stripslashes($Text) : $Text;

// determine best method based on available extensions
if (function_exists('mysql_real_escape_string'))
{
    echo $Text . "\n\n";
    $Text = mysql_real_escape_string($Text);
}
else
{
    $Text = mysql_escape_string($Text);
}

echo $Text . "\n\n";
?>

Outputs:

    <p>Line 1</p>
    <p>Line 2</p>

    <p>Line 1</p>
    <p>Line 2</p>

    <p>Line 1</p>\n<p>Line 2</p>

Fumigator
07-19-2010, 04:20 PM
Interesting test. But the real question is, when you insert the value that echos as <p>Line 1</p>\n<p>Line 2</p> into a table, and then select it back out, does it echo the same way?

Fumigator
07-19-2010, 04:34 PM
To answer my own question, I ran a couple of tests: When the data is inserted into the table, MySQL translates what echos as "\n" into an actual new line. When the data is then selected, it echos as a new line (not as a literal "\n").

So I think what the moral of the story here is: Once you've scrubbed your data using mysql_real_escape_string() in preparation for insertion into the database, you can no longer use that data for other things, such as outputing it to the browser.
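The round trip Fumigator ran can be reproduced directly. The script below is an added example, not code from the thread: it uses mysqli (the same escaping rules as mysql_real_escape_string, with the connection passed explicitly) and a temporary table so nothing persists. The host, user, password and database name are assumptions to replace with your own; it needs the mysqli extension and a reachable MySQL server.

```php
<?php
// Added example: prove that the "\n" seen in the escaped string is for the SQL parser,
// not part of the data, and that the escaped copy must never be reused for display.
// Connection details below are placeholders.
$db = mysqli_connect('localhost', 'app', 'secret', 'test');
if ($db === false) {
    die('connect failed: ' . mysqli_connect_error() . "\n");
}
// real_escape_string escapes according to the connection charset, so set it explicitly
mysqli_set_charset($db, 'utf8');

if (!mysqli_query($db, 'CREATE TEMPORARY TABLE t (body TEXT NOT NULL)')) {
    die('create failed: ' . mysqli_error($db) . "\n");
}

// Constructed sample input: newline, single quote and double quote all in one value
$original = "<p>Line 1</p>\n<p>O'Neil said \"hi\"</p>";

// The escaped copy exists for one purpose: being spliced into the statement text
$for_sql = mysqli_real_escape_string($db, $original);
echo $for_sql, "\n";   // shows \n, \' and \" : backslashes aimed at the SQL parser

if (!mysqli_query($db, "INSERT INTO t (body) VALUES ('" . $for_sql . "')")) {
    die('insert failed: ' . mysqli_error($db) . "\n");
}

// Read it back. MySQL's parser consumed the backslashes while parsing the literal,
// so what was stored is byte-for-byte the original.
$res = mysqli_query($db, 'SELECT body FROM t');
$row = mysqli_fetch_assoc($res);
var_dump($row['body'] === $original);   // bool(true)

// Sending it to a browser is an HTML-escaping problem, not a slash problem:
// escape the original (or the selected value) for HTML, never stripslashes() it.
echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'), "\n";

// Do not echo $for_sql to the page: it is only correct inside a single-quoted SQL literal.
mysqli_close($db);
```

Keeping $original and $for_sql as two separate variables is the whole discipline: one is data, the other is a fragment of SQL text, and each is valid only in its own context.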

OpenCode
02-06-2011, 04:06 AM
To answer my own question, I ran a couple of tests: When the data is inserted into the table, MySQL translates what echos as "\n" into an actual new line. When the data is then selected, it echos as a new line (not as a literal "\n").

So I think what the moral of the story here is: Once you've scrubbed your data using mysql_real_escape_string() in preparation for insertion into the database, you can no longer use that data for other things, such as outputing it to the browser.

You can use nl2br() if the data you have stored contains HTML output.

Fumigator
02-07-2011, 03:09 AM
You can use nl2br() if the data you have stored contains HTML output.

Yeah sure but that wasn't the point. :rolleyes:


