Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Page 1 of 2 12 LastLast
Results 1 to 15 of 19
  1. #1
    Regular Coder
    Join Date
    Sep 2010
    Posts
    331
    Thanks
    9
    Thanked 6 Times in 6 Posts

    How to escape the results of a comment form

    How would you escape characters like single ('') and double ("") quotes, back/forward slashes (/\),etc in the results of a comment form?
    Coding is a challenge, get used to it
    Always remember to debug
    Try the guess & check method
    Break it down into simple steps

  • #2
    Super Moderator Inigoesdr's Avatar
    Join Date
    Mar 2007
    Location
    Florida, USA
    Posts
    3,647
    Thanks
    2
    Thanked 406 Times in 398 Posts
    If you are inserting in to a MySQL database you can use mysql_real_escape_string().

  • #3
    Regular Coder
    Join Date
    Sep 2010
    Posts
    331
    Thanks
    9
    Thanked 6 Times in 6 Posts
    Quote Originally Posted by Inigoesdr View Post
    If you are inserting in to a MySQL database you can use mysql_real_escape_string().
    I have used it. It adds the forward slashes but echoes them along with the comments. Maybe what I asked isn't exactly what I meant. I want to echo the comments as normal text. I don't want the backslashes echoed as well.
    Coding is a challenge, get used to it
    Always remember to debug
    Try the guess & check method
    Break it down into simple steps

  • #4
    Regular Coder
    Join Date
    Sep 2010
    Posts
    331
    Thanks
    9
    Thanked 6 Times in 6 Posts
    Issue resolved. Lol, I randomly remembered stripslashes(). Never used it before now but once I thought about my "problem", the name stripslashes just kinda made sense.
    Coding is a challenge, get used to it
    Always remember to debug
    Try the guess & check method
    Break it down into simple steps

  • #5
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    No no, something else is wrong. You shouldn't have to stripslashes.
    I would presume you have magic_quotes_gpc enabled. This directive escapes the quotes for you, but it isn't sufficient for database insertions, nor do either magic_quotes or real_escape_string familiar with each other. You need to use stripslashes BEFORE you insert:
    PHP Code:
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    {
        
    $input stripslashes($input);
    }
    $input mysql_real_escape_string($input); 
    For example. This only needs to be done on data provided through gpc, so anything from a user.

    Edit:
    Aaahhh sorry I jumped to conclusions which I can't substantiate. I assumed you are executing stripslashes upon drawing the data from your query. As you can see I executed stripslashes before the insertion (which is what you should do). You don't want to execute stripslashes upon query since if I planned to insert with \\ and magic_quotes_gpc disappears (and it will, its a matter of when not if), then when you stripslash say \\computer\path, it will end up being \computer\path, which is not the intention. Stripslash before insertion, not during selection.
    Last edited by Fou-Lu; 02-27-2012 at 10:39 PM.

  • #6
    Regular Coder
    Join Date
    Sep 2010
    Posts
    331
    Thanks
    9
    Thanked 6 Times in 6 Posts
    Quote Originally Posted by Fou-Lu View Post
    No no, something else is wrong. You shouldn't have to stripslashes.
    I would presume you have magic_quotes_gpc enabled. This directive escapes the quotes for you, but it isn't sufficient for database insertions, nor do either magic_quotes or real_escape_string familiar with each other. You need to use stripslashes BEFORE you insert:
    PHP Code:
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    {
        
    $input stripslashes($input);
    }
    $input mysql_real_escape_string($input); 
    For example. This only needs to be done on data provided through gpc, so anything from a user.

    Edit:
    Aaahhh sorry I jumped to conclusions which I can't substantiate. I assumed you are executing stripslashes upon drawing the data from your query. As you can see I executed stripslashes before the insertion (which is what you should do). You don't want to execute stripslashes upon query since if I planned to insert with \\ and magic_quotes_gpc disappears (and it will, its a matter of when not if), then when you stripslash say \\computer\path, it will end up being \computer\path, which is not the intention. Stripslash before insertion, not during selection.
    so, stripslashes() is meant to strip slashes before a data insertion, not after if I understand you correct.
    If this is correct (and I don't doubt you are), then why does it say,"This function can be used to clean up data retrieved from a database or from an HTML form" on w3schools.com?

    You don't want to execute stripslashes upon query since if I planned to insert with \\ and magic_quotes_gpc disappears (and it will, its a matter of when not if), then when you stripslash say \\computer\path, it will end up being \computer\path, which is not the intention.
    This is for a comment box. Users will not be posting anything that has to do with links (and by links I assume \\computer\path could be used as one, if not then not sure of a word for this), including myself as I assume it could be a security flaw
    Last edited by elitis; 02-27-2012 at 11:18 PM.
    Coding is a challenge, get used to it
    Always remember to debug
    Try the guess & check method
    Break it down into simple steps

  • #7
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Stripslashes was designed for just this. It doesn't matter whether its used before or after when it comes to function usage.

    W3schools hasn't a clue what they are doing if they suggest you stripslash retrieved data. They are not thinking ahead to the obvious issue with code that no longer has magic_quotes_gpc enabled. Stripslashes shouldn't be done if the intent isn't to strip the slashes, and with gpc disappearing very soon, querying from the database will result in unintended stripslashes.

    This is just a comment box too don't forget. If the comments are for something like programming, you'll see a lot of things that shouldn't be stripslashed such as "Why does this name show as O\'Neil?".

  • #8
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,642
    Thanks
    0
    Thanked 649 Times in 639 Posts
    You shouldn't need to escape quotes in data being passed into a database at all - you just need to use PDO or mysqli prepare and bind statements that keep the data separate from the query so that you don't need to escape the data to avoid it being confused with the SQL in the query.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #9
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Quote Originally Posted by felgall View Post
    You shouldn't need to escape quotes in data being passed into a database at all - you just need to use PDO or mysqli prepare and bind statements that keep the data separate from the query so that you don't need to escape the data to avoid it being confused with the SQL in the query.
    Correct, and this is my recommendation if you have the option available to you. Unfortunately, PDO and MySQLi are both newer PHP technologies as well as requiring certain version's of the DB's in use.
    Stipslashes will still have to happen until they get rid of GPC if its enabled. And to expand just slightly, its not that you shouldn't need to escape, its that you cannot escape as they will carry as a part of the data (which would result in the identical behaviour the OP is having right now).

  • #10
    Regular Coder
    Join Date
    Sep 2010
    Posts
    331
    Thanks
    9
    Thanked 6 Times in 6 Posts
    Quote Originally Posted by Fou-Lu View Post
    This is just a comment box too don't forget. If the comments are for something like programming, you'll see a lot of things that shouldn't be stripslashed such as "Why does this name show as O\'Neil?".
    The comment box is for a review type website, where users will comment on reviews, news, etc so nothing like programming.
    Here's the code I have. What specifically do I need to replace stripslashes with?

    PHP Code:
    <?php 
        
    //Reviews start
        
    $result mysql_query("SELECT * FROM `reviews` ORDER BY `date` DESC LIMIT 10");
        while(
    $row mysql_fetch_array($result))
        { 
        if (
    $_GET['id'] == $row['id'])
        {
        
    $date $row['date'];
        echo 
    stripslashes($row[title]); 
        echo 
    "<br />";
        echo 
    stripslashes($row[review]);
        echo 
    "<br />";
        echo 
    date("D, F jS"$date);
        echo 
    "<h1 class='centered'>Comments</h1>";
        }
        else 
        {
        echo 
    "<div class='box3'>";
        echo 
    stripslashes($row[title]);
        echo 
    "<br />";
        echo 
    stripslashes($row[description]);
        echo 
    "<br />";
        echo 
    date("D, F jS"$date);
        echo 
    "<a class='special' href=\"/reviews?id={$row['id']}\"> Read More...</a>";
        }
        
    //Reviews end
        
        //Comments start
        
    $result mysql_query("SELECT * FROM `comments` WHERE `category` = 'reviews' AND `subcategory` = '$row[id]' ORDER BY `date` DESC LIMIT 20");
        while(
    $comments mysql_fetch_array($result))
        {
        if (
    $_GET['id'] == $row['id'])
        {
        echo 
    "<br />";
        echo 
    "<div class='box'>";
        if (
    $comments['reply_to'] > 0)
      {
      
    $get_comment mysql_query("SELECT * FROM `comments` WHERE `id` = $comments[reply_to]");
      while(
    $r_comment mysql_fetch_array($get_comment))
      {
      echo 
    "<i>Originally posted by " .stripslashes($r_comment[username]). '</i>';
      echo 
    "<br />";
      echo 
    "<i> " .stripslashes($r_comment[comment]). '</i>';
      echo 
    "<br />";
      echo 
    "<i> " .Agotime($r_comment[date]). '</i>';
      echo 
    "<hr />";
      }
      }
        echo 
    stripslashes($comments[username]);
        echo 
    "<br />";
        echo 
    stripslashes($comments[comment]);
        echo 
    "<br />";
        echo 
    Agotime($comments['date']);
        echo 
    "<a class='special' href=\"/reviews?id={$row['id']}&reply={$comments['id']}\"> Reply</a>";
        
    //Replies start
        
    if ($_GET['reply'] == $comments['id']) 
        {
        echo 
    "
        <form action='/reviews/' method='POST'>
        <input class='field' type='text' name='name' value='Name' required='required' onFocus=\"clearText(this)\" />
        <br />
        <textarea class='field' name='comment' rows='2' cols='55' required='required'></textarea>
        <input type='hidden' name='submitted' value='1' />
        <input type='hidden' name='reply' value=\"{$comments['id']}\" />
        <input class='specialbutton' type='submit' name='submit' value='Post Comment' />
        </form>"
    ;
        }
        echo 
    "<br />
        </div>"
    ;
        
    //Replies end
        
    }
        }
        if (
    $_GET['id'] == $row['id'])
        {
        echo 
    "
        <br />
        <div class='box'>
        <form action='/reviews/' method='POST'>
        <input class='field' type='text' name='name' value='Name' required='required' onFocus=\"clearText(this)\" />
        <br />
        <textarea class='field' name='comment' rows='2' cols='55' required='required'></textarea>
        <input class='specialbutton' type='submit' name='submit' value='Post Comment' />
        <input type='hidden' name='submitted' value='1' />
        </form>
        </div>"
    ;
        }
        
    //Comments end
        
    $username mysql_real_escape_string($_POST['name']);
    $comment mysql_real_escape_string($_POST['comment']);
    $category "reviews";
    $subcategory $row['id'];
    $reply mysql_real_escape_string($_POST['reply']);

    if (
    $_POST['submitted'] == 1)
    {
    if (
    $username == ""
    {
    echo 
    "Name is a required field";
    exit();
    }
    if (
    $comment == "")
    {
    echo 
    "Comment is a required field";
    exit();
    }

    $sql="INSERT INTO `comments` (username, comment, date, category, subcategory, reply_to)
    VALUES
    ('$username','$comment', NOW(), '$category', '$subcategory', '$reply')"
    ;

    if (!
    mysql_query($sql))
      {
      die(
    'Error: ' mysql_error());
      }
    }
    }
    ?>
    Coding is a challenge, get used to it
    Always remember to debug
    Try the guess & check method
    Break it down into simple steps

  • #11
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,642
    Thanks
    0
    Thanked 649 Times in 639 Posts
    Quote Originally Posted by Fou-Lu View Post
    C And to expand just slightly, its not that you shouldn't need to escape, its that you cannot escape as they will carry as a part of the data
    The purpose in escaping data when you output it is to avoid having it confused as part of something else - in this case SQL.

    With the SQL in the prepare statement and the data in the bind statement there is no possibility of the one being confused for the other and so no need to escape. It is not necessary and therefore there are no escape characters.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #12
    Regular Coder
    Join Date
    Sep 2010
    Posts
    331
    Thanks
    9
    Thanked 6 Times in 6 Posts
    Ok, so if I wanted to use Mysqli or PDO which version would I need? I currently have Mysql 5.0.90 and PHP 5.2.13.
    Edit: Nevermind...
    Last edited by elitis; 02-29-2012 at 01:32 AM.
    Coding is a challenge, get used to it
    Always remember to debug
    Try the guess & check method
    Break it down into simple steps

  • #13
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Quote Originally Posted by felgall View Post
    The purpose in escaping data when you output it is to avoid having it confused as part of something else - in this case SQL.

    With the SQL in the prepare statement and the data in the bind statement there is no possibility of the one being confused for the other and so no need to escape. It is not necessary and therefore there are no escape characters.
    You misunderstand. I was simply expanding on the wording you used; shouldn't isn't correct, it should be cannot (as in you can do it, but don't). Bound values that have been escaped will record as escaped, which will just repeat the vicious cycle as it is not needed to perform any type of escape. If you bind, do not escape (which is what I'm quite sure you were implying, but the wording was open for ambiguity).

    Quote Originally Posted by elitis View Post
    Ok, so if I wanted to use Mysqli or PDO which version would I need? I currently have Mysql 5.0.90 and PHP 5.2.13.
    Edit: Nevermind...
    That version is sufficient so long as either PDO or MySQLi has been enabled. You can check the status of both in phpinfo(), or by using something like class_exists.

  • #14
    Regular Coder
    Join Date
    Sep 2010
    Posts
    331
    Thanks
    9
    Thanked 6 Times in 6 Posts
    Quote Originally Posted by Fou-Lu View Post
    You misunderstand. I was simply expanding on the wording you used; shouldn't isn't correct, it should be cannot (as in you can do it, but don't). Bound values that have been escaped will record as escaped, which will just repeat the vicious cycle as it is not needed to perform any type of escape. If you bind, do not escape (which is what I'm quite sure you were implying, but the wording was open for ambiguity).



    That version is sufficient so long as either PDO or MySQLi has been enabled. You can check the status of both in phpinfo(), or by using something like class_exists.
    Both PDO and MySQLi have been enabled.
    Coding is a challenge, get used to it
    Always remember to debug
    Try the guess & check method
    Break it down into simple steps

  • #15
    Regular Coder
    Join Date
    Sep 2010
    Posts
    331
    Thanks
    9
    Thanked 6 Times in 6 Posts
    Updated code: Is this right?

    PHP Code:
     <?php 
        
    //Reviews start
        
    $result mysql_query("SELECT * FROM `reviews` ORDER BY `date` DESC LIMIT 10");
        while(
    $row mysql_fetch_array($result))
        { 
        if (
    $_GET['id'] == $row['id'])
        {
        
    $date $row['date'];
        echo 
    $row['title']; 
        echo 
    "<br />";
        echo 
    $row['review'];
        echo 
    "<br />";
        echo 
    date("D, F jS"$date);
        echo 
    "<h1 class='centered'>Comments</h1>";
        }
        else 
        {
        echo 
    "<div class='box3'>";
        echo 
    $row['title'];
        echo 
    "<br />";
        echo 
    $row['description'];
        echo 
    "<br />";
        echo 
    date("D, F jS"$date);
        echo 
    "<a class='special' href=\"/reviews?id={$row['id']}\"> Read More...</a>";
        }
        
    //Reviews end
        
        //Comments start
        
    $result mysql_query("SELECT * FROM `comments` WHERE `category` = 'reviews' AND `subcategory` = '$row[id]' ORDER BY `date` DESC LIMIT 20");
        while(
    $comments mysql_fetch_array($result))
        {
        if (
    $_GET['id'] == $row['id'])
        {
        echo 
    "<br />";
        echo 
    "<div class='box'>";
        if (
    $comments['reply_to'] > 0)
      {
      
    $get_comment mysql_query("SELECT * FROM `comments` WHERE `id` = $comments[reply_to]");
      while(
    $r_comment mysql_fetch_array($get_comment))
      {
      echo 
    "<i><p>Originally posted by " .$r_comment[username]. '</p></i>';
      echo 
    "<i><p> " .$r_comment[comment]. '</p></i>';
      echo 
    "<i><p> " .Agotime($r_comment[date]). '</p></i>';
      echo 
    "<hr />";
      }
      }
        echo 
    "<p>" .$comments[username]. '</p>';
        echo 
    "<p>" .$comments[comment]. '</p>';
        echo 
    "<p>" .Agotime($comments[date]). '</p>';
        echo 
    "<a class='special' href=\"/reviews?id={$row['id']}&reply={$comments['id']}\"> Reply</a>";
        
    //Replies start
        
    if ($_GET['reply'] == $comments['id']) 
        {
        echo 
    "
        <form action='/reviews/' method='POST'>
        <input class='field' type='text' name='name' value='Name' required='required' onFocus=\"clearText(this)\" />
        <br />
        <textarea class='field' name='comment' rows='2' cols='55' required='required'></textarea>
        <input type='hidden' name='submitted' value='1' />
        <input type='hidden' name='reply' value=\"{$comments['id']}\" />
        <input class='specialbutton' type='submit' name='submit' value='Post Comment' />
        </form>"
    ;
        }
        echo 
    "<br />
        </div>"
    ;
        
    //Replies end
        
    }
        }
        if (
    $_GET['id'] == $row['id'])
        {
        echo 
    "
        <br />
        <div class='box'>
        <form action='/reviews/' method='POST'>
        <input class='field' type='text' name='name' value='Name' required='required' onFocus=\"clearText(this)\" />
        <br />
        <textarea class='field' name='comment' rows='2' cols='55' required='required'></textarea>
        <input class='specialbutton' type='submit' name='submit' value='Post Comment' />
        <input type='hidden' name='submitted' value='1' />
        </form>
        </div>"
    ;
        }
        
    //Comments end
        
    [B]$username stripslashes(mysql_real_escape_string($_POST['name']));
    $comment stripslashes(mysql_real_escape_string($_POST['comment']));
    $category 'reviews';
    $subcategory $row['id'];
    $reply stripslashes(mysql_real_escape_string($_POST['reply']));[/B]

    if (
    $_POST['submitted'] == 1)
    {
    if (
    $username == ""
    {
    echo 
    "Name is a required field";
    exit();
    }
    if (
    $comment == "")
    {
    echo 
    "Comment is a required field";
    exit();
    }

    $sql="INSERT INTO `comments` (username, comment, date, category, subcategory, reply_to)
    VALUES
    ('$username','$comment', NOW(), '$category', '$subcategory', '$reply')"
    ;

    if (!
    mysql_query($sql))
      {
      die(
    'Error: ' mysql_error());
      }
    }
    }
    ?>
    Coding is a challenge, get used to it
    Always remember to debug
    Try the guess & check method
    Break it down into simple steps


  •  
    Page 1 of 2 12 LastLast

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •