PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
PostPosted: Wed Sep 28, 2011 11:34 pm 
Forum Newbie

Joined: Mon Feb 07, 2011 4:36 am
Posts: 20
This seems really basic, but I'm having some trouble getting my mind around mysql_real_escape_string. The main thing I'm having trouble with is how to handle the escaped content. For example...
Code:
$comment = "You're awesome";
$comment = mysql_real_escape_string($comment);
echo $comment;

The result is of course "You\'re awesome". My question is, how do you safely display the comment without the "\". I could do a string replace, but wouldn't that just undo what the escape_string did?

I'm sure I'm missing something obvious. Any advice is appreciated! Thanks!!


PostPosted: Wed Sep 28, 2011 11:50 pm 
Forum Regular

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR
I'm not sure if it's just an example for the question, or how you are actually writing your code, but if it's the latter, the mysql_real_escape_string() function is the wrong tool for the job. If you want to strip the slashes from a string, you should consider using stripslashes().

Please note that the mysql_real_escape_string function is for escaping data before entry into a MySQL database and that if you are working with MySQL databases, you should really use the mysqli extension instead. If you want to escape data before displaying in HTML, consider using htmlspecialchars() and htmlentities().


PostPosted: Thu Sep 29, 2011 1:15 am 
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
Here is how I program: A variable always holds the raw string. I only use mysql_real_escape_string() when using it in a query, and only use htmlspecialchars() when outputting it to the browser.

Code:
$strData = "This isn't left & that isn't \"right\" (correct)";

$SQL = 'UPDATE `tblData` SET `myField` = "' . mysql_real_escape_string($strData) . '" WHERE `key`=33';

The SQL statement will be:
Code:
UPDATE `tblData` SET `myField` = "This isn\'t left & that isn\'t \"right\" (correct)" WHERE `key`=33

Code:
echo 'Here is Greg\'s Quote: <br />' , htmlspecialchars($strData);

The echo outputs (second line):
Code:
This isn't left &amp; that isn't &quot;right&quot; (correct)


PostPosted: Thu Sep 29, 2011 4:54 am 
Forum Newbie

Joined: Mon Feb 07, 2011 4:36 am
Posts: 20
Perfect! I think htmlspecialchars is what I was looking for. Thanks so much for the quick replies!!


PostPosted: Thu Sep 29, 2011 5:30 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Imagine every function you call like a tender balloon of different material and imagine the parameters you pass to it like objects dumped in the balloon.
Some balloons can be popped by sharp objects, so you need to wrap them with cotton.
Some balloons can be popped by hot objects, so you must first cool them.

To step back from the metaphor:
You must escape every datum you pass to certain functions and different functions have different means to do so.
You must not escape the data twice hoping that it will make it ready for use in two of these functions. Instead, use different copies of the data, escaping each one in its special way before giving it to a dangerous function.
The two most dangerous functions are database queries (mysql_query in your case) and HTML output (echo, print and <?=$var?>).
There are others, and the best way to learn is to read the documentation on each function you use and check for possible security concerns.
For mysql_query, you mostly use mysql_real_escape_string. Read the article on SQL injection in my sig for when you need to use other things.
For html output, htmlspecialchars(), but there's a trick to it.

The problem with htmlspecialchars() is that it is insecure by default. There are many things, security-wise, that PHP developers have screwed up and this is among the top.
You must always call it with ENT_QUOTES as a second parameter, and the correct encoding as the third.


PostPosted: Thu Sep 29, 2011 7:15 am 
Forum Regular

Joined: Wed Apr 30, 2008 2:34 am
Posts: 794


PostPosted: Thu Sep 29, 2011 7:24 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
If you consistently use double quotes for attribute values then it's okay. People usually don't and the standard allows it, so it's ridiculous not to have this by default.


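The pattern the replies describe (one raw value, a separately escaped copy per sink, ENT_QUOTES for HTML so single-quoted attributes are covered too), as an added example that is not code from any post in this thread. It assumes an already-open mysqli connection named $db; the SQL part is skipped when none exists.

```php
<?php
// Added example for this thread (not code from any of the posts). It follows the
// pattern the replies describe: keep the raw value, escape a fresh copy for each
// sink, and never reuse an escaped copy for a different sink.
declare(strict_types=1);

// Constructed sample value containing both quote kinds and an ampersand.
$raw = "Greg's \"quote\" & more";

// HTML sink. ENT_QUOTES escapes ' as well as ", so the value is safe in element
// text and inside single- or double-quoted attributes alike.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// With ENT_COMPAT (the default before PHP 8.1) the apostrophe is left alone, so
// inside a single-quoted attribute the value is cut off after "Greg" and the
// rest of the string is parsed by the browser as further attributes.
$weak = htmlspecialchars($raw, ENT_COMPAT, 'UTF-8');
echo "<p title='$weak'>weak</p>\n";
// forHtml() turns the apostrophe into an entity, so the attribute stays intact.
echo "<p title='" . forHtml($raw) . "'>safe</p>\n";

// SQL sink: escape a separate copy of $raw at the moment the query is built.
// $db is an assumed, already-open mysqli connection.
function sqlLiteral(mysqli $db, string $s): string
{
    return '"' . $db->real_escape_string($s) . '"';
}

// The mistake in the opening post was displaying the SQL-escaped copy:
// htmlspecialchars() does not remove backslashes, so "\'" would show on the page.
// Display forHtml($raw) and send sqlLiteral($db, $raw) to the database instead.
if (isset($db) && $db instanceof mysqli) {
    $sql = 'UPDATE `tblData` SET `myField` = ' . sqlLiteral($db, $raw) . ' WHERE `key`=33';
    $db->query($sql);
}
```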
 