Hi All,
Really need some help on that one:
I am running php + mssql + apache on windows xp.
Everything works fine apart from this..
I have users and password in mssql table.
Username or password can contain weird characters such as ' (single quote), ";" etc etc...
When trying to check if username is valid or not I am in trouble.
I tried to use the:
$newpostedusername=addslashes($_POST["username"]);
But this is not working in mssql
I also tried
$newpostedusername = str_replace("'", "''", $newpostedusername);
$newpostedusername = str_replace('"', "'+String.fromCharCode(34)+'", $newpostedusername);
but get an error message as:
mssql_query(): message: Unclosed quotation mark before the character string 'USERNAME\'''. (severity 15) .
A current user name is sc' ..
How can I check this??
PLEASE HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
stef
Mssql Addslashes on login script
mike at gyrate dot org wrote: please note that addslashes will NOT work with mssql, since mssql does not use the backslash character as an escape mechanism. just double your quotes instead. or use this:
Code:
function mssql_addslashes($data) {
    $data = str_replace("'", "''", $data);
    return $data;
}
Hey,
Using Mike's example, the query runs properly.
However the user does not get access (not recognized)
I have a user in db with:
user:sc'
pass:sc'
The code used is:
$newpostedusername=$_POST["username"];
$newpostedusername = str_replace("'", "''", $newpostedusername);
blah blah select...
The query returned is:
Query String = SELECT password from login where password='sc'''' and username='sc'''' .
As said above, this runs well but apparently the code is looking for a user called sc'' and not sc'.
stef
what does
Code:
echo 'Magic quotes: '.(ini_get('magic_quotes_gpc') == '' ? 'Off' : 'On')."\n";
yield?
When I ask a question I have a reason to do so. I didn't propose you to use magic quotes, I asked if you have them turned on or off. In general, portable code should look like this:
Code:
//......
$newpostedusername = $_POST['username'];
$newpostedpassword = $_POST['password'];

// Undo the backslashes added by magic_quotes_gpc, if it is enabled
if (get_magic_quotes_gpc()) {
    $newpostedusername = stripslashes($newpostedusername);
    $newpostedpassword = stripslashes($newpostedpassword);
}

// MSSQL escapes a single quote inside a string literal by doubling it
function mssql_escape($data) {
    return str_replace("'", "''", $data);
}
//......
$query = "SELECT
        password
    from
        login
    where
        password = '" . mssql_escape($newpostedpassword) . "'
        and username = '" . mssql_escape($newpostedusername) . "'";
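
Added example (not part of the thread and not any poster's code): the login lookup discussed above, run against an in-memory SQLite database through PDO, which stands in for MSSQL because both escape a quote inside a string literal by doubling it. It compares the value magic quotes would deliver with the cleaned value, using both the quote-doubling helper and a bound-parameter query; the $magicQuotesOn flag, the function names other than mssql_escape, and the sample row are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. SQLite (in-memory, through PDO)
// stands in for MSSQL: both escape a quote in a string literal by doubling it.

// Same quote-doubling helper as in the thread.
function mssql_escape(string $data): string {
    return str_replace("'", "''", $data);
}

// $magicQuotesOn is a hypothetical flag standing in for get_magic_quotes_gpc().
function normalize_input(string $value, bool $magicQuotesOn): string {
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Lookup built by concatenating escaped literals, as in the thread.
function login_by_literal(PDO $db, string $user, string $pass): bool {
    $sql = "SELECT password FROM login WHERE password = '" . mssql_escape($pass)
         . "' AND username = '" . mssql_escape($user) . "'";
    return $db->query($sql)->fetchColumn() !== false;
}

// Same lookup with bound parameters: the values never become SQL text.
function login_by_parameter(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare(
        'SELECT password FROM login WHERE password = :pass AND username = :user'
    );
    $stmt->execute([':pass' => $pass, ':user' => $user]);
    return $stmt->fetchColumn() !== false;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (username TEXT, password TEXT)');
// Constructed sample row: user sc' with password sc', as in the thread.
$db->exec("INSERT INTO login (username, password) VALUES ('sc''', 'sc''')");

$typed   = "sc'";               // what the user typed
$slashed = addslashes($typed);  // what magic quotes would deliver: sc\'

// Slashed value used as-is: the lookup is for sc\' rather than sc'.
var_dump(login_by_literal($db, $slashed, $slashed));
// Slashes removed first, then quotes doubled: the lookup is for sc'.
$clean = normalize_input($slashed, true);
var_dump(login_by_literal($db, $clean, $clean));
// Bound parameters with the clean value: no quote-escaping step at all.
var_dump(login_by_parameter($db, $clean, $clean));
// Bound parameters do not undo magic quotes: this still looks for sc\'.
var_dump(login_by_parameter($db, $slashed, $slashed));
```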