's Foot

Mightywayne
Forum Contributor
Posts: 237
Joined: Sat Dec 09, 2006 6:46 am

's Foot

Post by Mightywayne »

Sorry, I don't have a better name for the topic. I have no idea what to call the problem.

What's happening is I'm trying to insert the word "Rabbit's Foot" into the database, and it's giving me an SQL error saying it can't insert "s foot" into the DB.

Every option I've tried makes it have a / in the database, which I don't want.
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

The apostrophe is prematurely terminating the string literal inside the query. Run user input through mysql_real_escape_string() before placing it into the query.
Daron
Forum Newbie
Posts: 11
Joined: Tue Oct 09, 2007 4:50 pm

Post by Daron »

Just a thought, would a \' work? Also, if I understand PHP correctly, if you use a " you can add a ' within it. Seriously, it would help if you posted the code that fails, unless you're directly adding it through a CLI, in which case this topic may be in the wrong forum. I could be wrong altogether, as I come to PHP from a Python background where quotes do very interesting things.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Daron wrote: Just a thought, would a \' work?
That's what mysql_real_escape_string() does.
Mightywayne
Forum Contributor
Posts: 237
Joined: Sat Dec 09, 2006 6:46 am

Post by Mightywayne »

I see. I wasn't aware that it magically stripped the slashes from the input. I thought what I saw as output was true. Thanks folks!
Daron
Forum Newbie
Posts: 11
Joined: Tue Oct 09, 2007 4:50 pm

Post by Daron »

But a \ is so much quicker :lol:
Seriously though, I believe we were writing at the same time, it just took me two minutes longer to hit post.
More seriously, is mysql_real_escape_string() more secure than \ or does it matter?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Daron wrote: More seriously, is mysql_real_escape_string() more secure than \ or does it matter?
It escapes characters, which is what the '\' does, plus some. That's why there's a mysql_real_escape_string() as well as the older, outdated mysql_escape_string(). There's even addslashes() which only adds '\' on quotation marks and apostrophes.
Daron
Forum Newbie
Posts: 11
Joined: Tue Oct 09, 2007 4:50 pm

Post by Daron »

Mightywayne wrote: I see. I wasn't aware that it magically stripped the slashes from the input. I thought what I saw as output was true. Thanks folks!
That's pretty typical with any programming language. You have to escape your literals. Microsoft seems to have ruined many into thinking that it was literal when using \. In any language I've ever seen, in order to get a \ to be counted as literal, you need to do a \\. That's just in case you didn't know, otherwise I'm just assuming too much.
superdezign wrote:
Daron wrote: More seriously, is mysql_real_escape_string() more secure than \ or does it matter?
It escapes characters, which is what the '\' does, plus some. That's why there's a mysql_real_escape_string() as well as the older, outdated mysql_escape_string(). There's even addslashes() which only adds '\' on quotation marks and apostrophes.
Thanks, I'll have to look into those.
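Editor's added illustration of the points made in the last few posts (not code from any poster): a small model of how MySQL decodes a single-quoted literal, next to re-implementations of the escaping rules of PHP's addslashes() and mysql_real_escape_string(). It shows why "Rabbit's Foot" breaks the naive query, why the backslash is never stored, and which extra characters the "real" function covers; it assumes a single-byte connection charset with backslash escapes enabled, and the INSERT shape is a constructed stand-in for the OP's query.

```python
# Added illustration (not code from the thread): a model of how MySQL decodes a
# single-quoted literal, beside re-implementations of PHP's addslashes() and
# mysql_real_escape_string() escaping rules. Assumes a single-byte charset.

REAL_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
ADDSLASHES_ESCAPES = {"\0": "\\0", "\\": "\\\\", "'": "\\'", '"': '\\"'}
UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a"}

def mysql_real_escape_string(value):
    """Escape the seven characters the real function escapes."""
    return "".join(REAL_ESCAPES.get(ch, ch) for ch in value)

def addslashes(value):
    """addslashes() only covers quotes, backslash and NUL."""
    return "".join(ADDSLASHES_ESCAPES.get(ch, ch) for ch in value)

def parse_sql_literal(sql):
    """Decode the single-quoted literal at sql[0] as the server would.
    Returns (stored_value, remaining_sql); raises on an unclosed literal."""
    if not sql.startswith("'"):
        raise ValueError("literal must start with a quote")
    out, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):          # backslash is consumed, never stored
            out.append(UNESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":  # '' is MySQL's other quote escape
            out.append("'")
            i += 2
        elif ch == "'":                               # bare quote closes the literal
            return "".join(out), sql[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")

def build_insert(name, escaper=None):
    """The OP's pattern: interpolate the (optionally escaped) value between quotes."""
    value = name if escaper is None else escaper(name)
    return "INSERT INTO items (name) VALUES ('" + value + "')"

def stored_value(query):
    """What the server stores, or the syntax error the OP saw when a bare apostrophe closed the literal early."""
    value, rest = parse_sql_literal(query[query.index("'"):])
    if rest != ")":
        raise ValueError("syntax error near %r" % rest)
    return value
```

Running stored_value(build_insert("Rabbit's Foot")) raises with the trailing "s Foot')" that the OP's error message complained about, while the escaped query stores exactly "Rabbit's Foot" with no slash in it.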
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

mysql_real_escape_string() is favored over the other functions. It is much more thorough than adding a slash '\' or using addslashes().
Daron
Forum Newbie
Posts: 11
Joined: Tue Oct 09, 2007 4:50 pm

Post by Daron »

Everah wrote: mysql_real_escape_string() is favored over the other functions. It is much more thorough than adding a slash '\' or using addslashes().
Well,
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
that's enough for me to use it. Thanks.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Daron wrote: Well,
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
that's enough for me to use it. Thanks.
And here are some examples of the said exceptions: http://www.webappsec.org/projects/articles/091007.shtml (shameless, yet relevant plug ;) )