  1. #1
    Regular Coder

    Used mysql_real_escape_string(), but now when I echo the string I get \ in the text!

    I have been told I need to use mysql_real_escape_string() to prevent injections,
    but since doing this I now get \ in the text. How do I stop this?

    Thanks

  • #2
    Senior Coder CFMaBiSmAd
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #3
    Regular Coder
    If you are about to add input to a database, then perform mysql_real_escape_string on it - that helps prevent SQL injection by escaping special characters (by preceding said characters with a backslash). So when later getting data from the database to display, do stripslashes on the data, which removes the backslashes and things will appear normally.

  • #4
    New Coder
    If you need to add stripslashes to your output, you're inserting the data into the database the wrong way.
    You NEVER need to stripslash a database result.

    You're running mysql_real_escape_string on data that has already been run through magic_quotes, which is on by default.
    magic_quotes has already added slashes to the POST data.
    Check the latter script on this page:
    http://talks.php.net/show/php-best-practices/26

  • #5
    Regular Coder
    Magic_quotes is insecure. It is vulnerable to manipulation of character sets. You should use stripslashes to defeat it and then use mysql_real_escape_string to securely escape output.

    PHP Code:
    function cleaner($data)
    {
        if (is_array($data))
        {
            // Recurse into nested arrays (e.g. name[] form fields); keys are left untouched.
            $ret = array();
            foreach ($data as $key => $value)
            {
                $ret[$key] = cleaner($value);
            }
            return $ret;
        }
        else
        {
            // Numbers contain nothing that needs escaping, so they pass through unchanged.
            if (!is_numeric($data))
            {
                // Undo the slashes magic_quotes_gpc added, so the value is escaped exactly once.
                if (get_magic_quotes_gpc())
                {
                    $data = stripslashes($data);
                }
                $data = mysql_real_escape_string($data);
            }
            return $data;
        }
    }

    // use
    $pdata = cleaner($_POST);
    // or
    $name = cleaner($_POST['name']);
    This is a recursive function that will escape all string values in an array, no matter how deep they go. It can be used to escape an array derived from multiple pages of form submissions (stored in a session for instance) or where array syntax is used for form elements. It will also handle single values.

    Don't bother running numbers through escaping and only run stripslashes if magic_quotes is enabled.

    Incidentally, escaping is solely for the benefit of the SQL parser. The parser needs to know what quotes denote the beginning and end of a string and which ones are part of the content. It is no different than doing...

    PHP Code:
    $tag = "<a href=\"example.php\">Click Here</a>";
    echo $tag;
    On output, you don't see the slashes. They are there for the PHP parser for the same reason.

    Escaping done properly will not show up in the actual data.
    Deliver yesterday, code today, think tomorrow.
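
    The effects described in posts #4 to #6 can be reproduced without a MySQL server. The following is an added example and not code from the thread: it models what mysql_real_escape_string() does to the bytes, what MySQL's parser then does with the single-quoted literal on INSERT, and what magic_quotes_gpc did to request data. The model functions (model_mysql_escape, model_mysql_parse_literal, model_magic_quotes) are assumptions for illustration only; they assume a single-byte connection charset such as latin1 and must never be used to escape real queries, because the real function is charset-aware (which is why it needs a connection).

```php
<?php
// Added example, not code from the thread. Models (a) mysql_real_escape_string(),
// (b) MySQL decoding a single-quoted literal on INSERT, and (c) magic_quotes_gpc,
// so the "\n appears when I echo" and "backslashes end up in the table" effects can
// be seen offline.
//
// ASSUMPTION: single-byte connection charset (e.g. latin1). These models are not
// charset-aware and are for illustration only, never for escaping real queries.

declare(strict_types=1);

/** Model of mysql_real_escape_string(): prefixes NUL, \n, \r, \, ', " and Ctrl-Z with a backslash. */
function model_mysql_escape(string $s): string
{
    return strtr($s, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\"',
        "\x1a" => '\Z',
    ]);
}

/** Model of MySQL decoding a single-quoted string literal back into the bytes it stores. */
function model_mysql_parse_literal(string $escaped): string
{
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 'Z' => "\x1a", '\\' => "\\", "'" => "'", '"' => '"'];
    // A backslash followed by any byte; unknown sequences just drop the backslash, as MySQL does.
    return preg_replace_callback('/\\\\(.)/s', fn(array $m): string => $map[$m[1]] ?? $m[1], $escaped);
}

/** Model of magic_quotes_gpc (PHP < 5.4): addslashes() was applied to GET/POST/COOKIE values. */
function model_magic_quotes(string $s): string
{
    return addslashes($s);
}

// Constructed form input: a single quote and a real newline, like the thread's examples.
$input = "O'Reilly\n<p>Line 2</p>";

// (1) Escaped once. The escaped form is only meaningful inside an SQL string literal;
//     echoing it shows a literal backslash-n, which is exactly what post #6 observed.
$escaped = model_mysql_escape($input);
echo "escaped for SQL : $escaped\n";                                    // O\'Reilly\n<p>Line 2</p>
var_dump(model_mysql_parse_literal($escaped) === $input);               // bool(true): table gets the original

// (2) magic_quotes + escaping = escaped twice. The parser removes one layer, so one
//     set of backslashes survives into the table: the original poster's symptom.
$twice = model_mysql_escape(model_magic_quotes($input));
echo "escaped twice   : $twice\n";                                      // O\\\'Reilly\n<p>Line 2</p>
echo "stored bytes    : " . model_mysql_parse_literal($twice) . "\n";   // O\'Reilly, a real newline, <p>Line 2</p>

// (3) Post #5's remedy: strip the magic_quotes layer first, then escape exactly once.
$once = model_mysql_escape(stripslashes(model_magic_quotes($input)));
var_dump(model_mysql_parse_literal($once) === $input);                  // bool(true)
```

    The check in step (3) is the one to keep in mind: a value that has been escaped for SQL round-trips through the parser back to the original bytes, so any backslash that survives in the table means the value was escaped more than once before it reached the query.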

  • #6
    New to the CF scene

    Frustrated: mysql_real_escape_string causes \n to be stored in DB

    I am frustrated because using mysql_real_escape_string causes \n to be stored in the database.

    See the example below that I extracted from a validator function used to build queries. The \n should not show up when echoing a PHP variable unless mysql_real_escape_string is using \\n to replace the newline character.

    Quote Originally Posted by Vege
    If you need to add stripslashes to your output, you're inserting the data into the database the wrong way.
    So what am I missing?

    Here is the actual function:
    PHP Code:
    function cleanValues($value)
    {
        $value = trim($value);

        //undo slashes for poorly configured servers
        $value = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) ? (stripslashes($value)) : ($value);

        //determine best method based on available extensions
        if (function_exists('mysql_real_escape_string'))
        {
            $value = mysql_real_escape_string($value);
        }
        else
        {
            $value = mysql_escape_string($value);
        }
        return $value;
    }

    Here is a similar script that illustrates that the problem occurs right after
    PHP Code:
        $value = mysql_real_escape_string($value);

    Example:

    PHP Code:
    <?php
    // Get config stuff and connect to DB
    require_once ( 'dirConfig.php' );

    $Text = "
    <p>Line 1</p>
    <p>Line 2</p>
    ";

    echo $Text."

    ";

    $Text = trim($Text);

    //undo slashes for poorly configured servers
    $Text = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) ? (stripslashes($Text)) : ($Text);

    //determine best method based on available extensions
    if (function_exists('mysql_real_escape_string'))
    {
        echo $Text."

    ";
        $Text = mysql_real_escape_string($Text);
    }
    else
    {
        $Text = mysql_escape_string($Text);
    }

    echo $Text."

    ";
    ?>
    Outputs

    Code:

    <p>Line 1</p>
    <p>Line 2</p>


    <p>Line 1</p>
    <p>Line 2</p>

    <p>Line 1</p>\n<p>Line 2</p>

  • #7
    UE Antagonizer Fumigator
    Interesting test. But the real question is, when you insert the value that echoes as <p>Line 1</p>\n<p>Line 2</p> into a table, and then select it back out, does it echo the same way?

  • #8
    UE Antagonizer Fumigator
    To answer my own question, I ran a couple of tests: When the data is inserted into the table, MySQL translates what echoes as "\n" into an actual new line. When the data is then selected, it echoes as a new line (not as a literal "\n").

    So I think the moral of the story here is: Once you've scrubbed your data using mysql_real_escape_string() in preparation for insertion into the database, you can no longer use that data for other things, such as outputting it to the browser.

  • #9
    New to the CF scene

    mysql_real_escape_string() nl2br() \n

    Quote Originally Posted by Fumigator View Post
    To answer my own question, I ran a couple of tests: When the data is inserted into the table, MySQL translates what echoes as "\n" into an actual new line. When the data is then selected, it echoes as a new line (not as a literal "\n").

    So I think the moral of the story here is: Once you've scrubbed your data using mysql_real_escape_string() in preparation for insertion into the database, you can no longer use that data for other things, such as outputting it to the browser.
    You can use nl2br() if the data you have stored contains HTML output.

  • #10
    UE Antagonizer Fumigator
    You can use nl2br() if the data you have stored contains HTML output.
    Yeah sure but that wasn't the point.
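
    Posts #8 and #9 arrive at the right boundary rule: escaping for SQL belongs to the SQL text, and escaping for the browser belongs to output. The following is an added example, not code from the thread, showing the approach that removes the escape/stripslashes question altogether: bind values with prepared statements, store them byte-for-byte, and apply htmlspecialchars() plus nl2br() only when rendering. It assumes PHP 7.4 or later with the pdo_sqlite extension (an in-memory database, so it runs without a MySQL server); the table name, column names and the helper functions open_db, store_post, load_post and render_post are constructed for the example. The ext/mysql functions used in the thread were removed in PHP 7.0 and get_magic_quotes_gpc() in PHP 8.0, so this is also what a current PHP build supports.

```php
<?php
// Added example, not code from the thread. Prepared statements keep user data out of
// the SQL text, so nothing needs escaping on the way in and nothing needs stripping
// on the way out; HTML escaping happens once, at render time.
//
// ASSUMPTIONS: PHP >= 7.4 with pdo_sqlite (in-memory, no server needed). With MySQL,
// change the DSN (add charset=utf8mb4) and set PDO::ATTR_EMULATE_PREPARES => false
// so the server, not the driver, binds the parameters. Table/column names are made up.

declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $db->exec('CREATE TABLE post (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

/** Store user-supplied text. No escaping: the value never becomes part of the SQL text. */
function store_post(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO post (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

/** Fetch it back exactly as supplied; no stripslashes() needed. */
function load_post(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM post WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch();
    return $row === false ? null : $row['body'];
}

/** Escape for the HTML context only at output time; nl2br() keeps the line breaks visible. */
function render_post(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

$db = open_db();

// Constructed input: a quote, a backslash, a newline and an injection attempt.
$input = "O'Reilly \\ wrote:\n'); DROP TABLE post; --";
$id    = store_post($db, $input);

var_dump(load_post($db, $id) === $input);                                   // bool(true): stored byte-for-byte
var_dump((int) $db->query('SELECT COUNT(*) FROM post')->fetchColumn() === 1); // bool(true): table still exists

echo render_post(load_post($db, $id)), "\n";
// O&apos;Reilly \ wrote:<br />
// &apos;); DROP TABLE post; --
```

    The two var_dump() checks are the ones worth keeping as tests: the first fails if any layer (magic_quotes, a second escaping pass, stripslashes on output) alters the stored bytes, and the second fails if user input ever reaches the query as SQL.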

