php mysql retain \ in data typed

cjkeane
Forum Contributor
Posts: 217
Joined: Fri Jun 11, 2010 1:17 pm

php mysql retain \ in data typed

Post by cjkeane »

Hi everyone.

I'm trying to figure out how to retain slashes typed in form fields which are saved into a MySQL database.
E.g. if \\ is typed, \\ is saved; if \ is typed, \ is saved.

I'm stumped. Any helpful hints?

<?php
function safe($var)
{
    if (is_array($var)) {                 // If the variable is an array
        $out = array();                   // Build the output as an array
        foreach ($var as $key => $v) {
            $out[$key] = safe($v);        // Recurse into every element; keys are preserved
        }
    } else {
        $out = $var;
        // Decode already-encoded input until nothing changes. Looping on a
        // "does it still contain an entity" regex never terminates for an
        // entity htmlspecialchars_decode() does not know (e.g. &copy;).
        do {
            $prev = $out;
            $out  = htmlspecialchars_decode($out, ENT_QUOTES);
        } while ($out !== $prev);
        // Requires an open mysql_connect() link; the mysql extension was removed in PHP 7.
        $out = htmlspecialchars(mysql_real_escape_string(trim($out)), ENT_QUOTES, 'UTF-8', true);
    }

    return $out;
}
?>
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: php mysql retain \ in data typed

Post by Jonah Bron »

8O

For a string, mysql_real_escape_string() by itself is quite sufficient. And htmlspecialchars() is for output, not input.
cjkeane
Forum Contributor
Posts: 217
Joined: Fri Jun 11, 2010 1:17 pm

Re: php mysql retain \ in data typed

Post by cjkeane »

Thanks for the insight. I'm now using the following:


<?php
function safe($str)
{
    $str = trim(htmlentities(strip_tags($str)));
    if (get_magic_quotes_gpc()) {           // undo magic quotes (removed in PHP 5.4)
        $str = stripslashes($str);
    }
    $str = mysql_real_escape_string($str);  // needs an open mysql_connect() link
    return $str;
}
?>
And on the form side of things:

<?php
$FullName = safe($_POST['FullName']);
?>
As the initial value of the form field, I have

<?php echo $FullName; ?>
When data is saved and echoed back, I am still having \ duplicated. Do you have any further insight for me?

Thanks.
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: php mysql retain \ in data typed

Post by Jonah Bron »

Here's what you do.

This is how you get the POST data.

$FullName = $_POST['FullName'];
Here is how you save it to a database.

mysql_query('query here "' . mysql_real_escape_string($FullName) . '"');
And this is how you output it:

echo htmlspecialchars($FullName);
mysql_real_escape_string() is meant to stop SQL injection. htmlspecialchars() is meant to stop Cross-Site Scripting (XSS). For this situation, you don't need anything else. If you want to trim() it, that's fine, but it doesn't make your application more secure. If you want to strip HTML tags, you can do that if you want. That's for if you don't want any HTML in the string.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: php mysql retain \ in data typed

Post by social_experiment »

cjkeane wrote: When data is saved and echoed back, I am still having \ duplicated. Do you have any further insight for me?
stripslashes() would remove the extra slash.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: php mysql retain \ in data typed

Post by Apollo »

cjkeane wrote: Thanks for the insight. I'm now using the following:

<?php
function safe($str)
{
...etc
It's been more or less pointed out already, but if you use one generic "safe" function like this, you're making a big (but common) mistake. Strings from or for exactly WHAT are supposed to be made safe here??

Consider this: stripping tags from input (GET or POST) strings, escaping strings to put them in SQL queries, or converting special characters to HTML entities to put them in HTML output, are three completely different things.
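The following is an added example, not code posted in this thread, illustrating both Jonah's "escape once at each boundary" answer and Apollo's three-different-contexts point. It reproduces the doubled backslash cjkeane reports by running a generic safe() on input and echoing the already-escaped variable back into the form, then contrasts that with keeping the raw value and escaping only where it is used. Everything is simulated offline: a PHP string stands in for the database row, addslashes() stands in for mysql_real_escape_string() (which needs a live connection; a prepared statement with a bound parameter is the better modern choice, and is not what the thread uses), stripslashes() stands in for the MySQL parser turning the escaped literal back into the stored value, and the sample input is constructed.

```php
<?php
// Added example (not from the thread). Simulates one submit, one echo-back
// into the form and one untouched re-submit, with two escaping strategies.

// Constructed sample input: what the user typed into the FullName field.
const TYPED = 'C:\Users\cjkeane "bob" <b>hi</b>';

// SQL boundary. Real code: mysql_real_escape_string($raw) on an open
// connection, or better a prepared statement. addslashes() is a stand-in.
function sql_literal(string $raw): string
{
    return addslashes($raw);
}

// What MySQL keeps after parsing the escaped literal (stand-in for the parser).
function stored_value(string $sqlLiteral): string
{
    return stripslashes($sqlLiteral);
}

// HTML boundary: escape when the value goes into markup, not before.
function html_attr(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// --- The thread's approach: one generic safe() applied to the input ---------
function generic_safe(string $str): string
{
    $str = trim(htmlentities(strip_tags($str)));   // HTML-encoded before storage
    return sql_literal($str);                      // SQL-escaped at input time
}

function round_trip_generic(string $typed): array
{
    $FullName = generic_safe($typed);      // C:\\Users\\cjkeane &quot;bob&quot; hi
    $row      = stored_value($FullName);   // C:\Users\cjkeane &quot;bob&quot; hi
    // The form echoes the escaped variable, so the user sees C:\\Users\\...
    $form     = '<input name="FullName" value="' . $FullName . '">';
    // Submitting the form untouched makes the doubled value the new input;
    // htmlentities() also re-encodes the '&' of the stored entities.
    $rowAfterResubmit = stored_value(generic_safe($FullName));
    // C:\\Users\\cjkeane &amp;quot;bob&amp;quot; hi
    return ['row' => $row, 'form' => $form, 'row_after_resubmit' => $rowAfterResubmit];
}

// --- Once per boundary: keep the raw value, escape where it is used --------
function round_trip_per_boundary(string $typed): array
{
    $FullName = strip_tags($typed);        // input policy (no HTML wanted), not escaping
    $row      = stored_value(sql_literal($FullName));   // C:\Users\cjkeane "bob" hi
    $form     = '<input name="FullName" value="' . html_attr($row) . '">';
    // The browser decodes the attribute, so the re-submitted value equals $row.
    $resubmitted      = html_entity_decode(html_attr($row), ENT_QUOTES, 'UTF-8');
    $rowAfterResubmit = stored_value(sql_literal($resubmitted));
    return ['row' => $row, 'form' => $form, 'row_after_resubmit' => $rowAfterResubmit];
}

// True when a round trip leaves the stored value unchanged.
function is_stable(array $trip): bool
{
    return $trip['row'] === $trip['row_after_resubmit'];
}

$generic     = round_trip_generic(TYPED);
$perBoundary = round_trip_per_boundary(TYPED);

printf("generic safe(): %s -> %s (stable: %s)\n",
    $generic['row'], $generic['row_after_resubmit'], is_stable($generic) ? 'yes' : 'no');
printf("per boundary:   %s -> %s (stable: %s)\n",
    $perBoundary['row'], $perBoundary['row_after_resubmit'], is_stable($perBoundary) ? 'yes' : 'no');
echo $generic['form'], "\n", $perBoundary['form'], "\n";
```

Run it with `php example.php`. The generic path stores a value that drifts on every round trip (backslashes double, entities get re-encoded) because escaping is applied to data rather than at the point where the data enters SQL or HTML; the per-boundary path stores exactly what was typed and is stable no matter how many times the form is re-submitted.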