Posted by Petzo on 05/16/05 16:23
Thanks for the reply.
 From 1 to 4 I do the same. I haven't written it here so that my sample would be
 shorter.
 
 What I didn't get from your reply was this part:
 > For data that comes from SQL sources:
 > 1. check magic_quotes_runtime PHP setting...
 
 So what do you do if that setting is on/off?
 (In my case it is off.)
 
 Milen
 
 
 "Bostjan Skufca @ domenca.com" <bostjan.skufca@domenca.com> wrote in message
 news:200505161423.06441.bostjan.skufca@domenca.com...
 > I do the following way to achieve portability:
 >
 > For GET/POST/COOKIE variables:
 > 1. check "magic_quotes_gpc" PHP setting - if enabled, strip slashes from input
 > variables using stripslashes()
 > 2. check input/anything
 > 3. prior to building the SQL query, escape stuff (mysql - mysql_real_escape_string(),
 > others use different escaping methods)
 > 4. run query
 >
 > For data that comes from SQL sources:
 > 1. check magic_quotes_runtime PHP setting...
 >
 >
 > On Monday 16 May 2005 10:32, Petzo wrote:
 > > Hi,
 > >
 > >     My question is about the normal behaviour of PHP and MYSQL but I can't
 > > explain it without a simple example. Thank you for reading:
 > >
 > >     I have the following code:
 > > --------------------------------------------------------------------
 > > <?php
 > > print $t = $_POST['txt'];
 > > print $t = addslashes($t);
 > >
 > >    @ $db = mysql_pconnect(xxx,xxx,xxx);
 > >    mysql_select_db('test');
 > >
 > >    $q = "update ttable set ffield='$t'";
 > >    mysql_query($q);
 > >
 > >    $q = "select * from ttable";
 > >    $result = mysql_query($q);
 > >    $bo = mysql_fetch_array($result);
 > >
 > > print $t = $bo['ffield'];
 > > print $t = stripslashes($t);
 > > ?>
 > > --------------------------------------------------------------------
 > >
 > >
 > > from an HTML form I send variable:
 > > --------------------------------------------------------------------
 > > ' \ \' \\ \\\
 > > --------------------------------------------------------------------
 > >
 > > after addslashes it becomes:
 > > --------------------------------------------------------------------
 > > \' \\ \\\' \\\\ \\\\\\
 > > --------------------------------------------------------------------
 > >
 > > after that it gets in the database
 > >
 > > but after I get it out it becomes:
 > > --------------------------------------------------------------------
 > > ' \ \' \\ \\\
 > > --------------------------------------------------------------------
 > > (without the backslashes!)
 > >
 > > and of course after stripslashes it gets messed up:
 > > --------------------------------------------------------------------
 > > ' ' \ \
 > > --------------------------------------------------------------------
 > >
 > > So my question is if this is normal behaviour for PHP+MYSQL or whether it may
 > > vary in different configurations or versions of both PHP or MySQL.
 > > It's not a bad thing for it to be like that, but I wonder if my code will behave
 > > the same on most systems.
 > >
 > > Thank you very much
 >
 > --
 > Best regards,
 >
 > Bostjan Skufca
 > system administrator
 >
 > Domenca d.o.o.
 > Phone: +386 4 5835444
 > Fax: +386 4 5831999
 > http://www.domenca.com
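
The round trip discussed in this thread, as an added example that is not code from either poster: the backslashes added before the query are consumed when MySQL parses the string literal, so the stored value is already the original, and slashes should be stripped on fetch only when magic_quotes_runtime actually added them. The function names are hypothetical, and `mysql_literal_value()` and `fetched_value()` are simplified models (assumptions) of the server's literal parsing and of magic_quotes_runtime, not real APIs.

```php
<?php
// Added example; function names below are hypothetical, not from the thread.

// Simplified model (assumption) of how MySQL reads the body of a '...'
// literal in its default SQL mode: a backslash escapes the next character.
// Only the sequences addslashes() produces are handled.
function mysql_literal_value(string $escaped): string
{
    $out = '';
    $n = strlen($escaped);
    for ($i = 0; $i < $n; $i++) {
        if ($escaped[$i] === '\\' && $i + 1 < $n) {
            $next = $escaped[++$i];
            $out .= ($next === '0') ? "\0" : $next;
        } else {
            $out .= $escaped[$i];
        }
    }
    return $out;
}

// Model of a fetch: magic_quotes_runtime, when on, backslash-escapes data
// coming back from the database; when off, the value arrives as stored.
function fetched_value(string $stored, bool $magicQuotesRuntime): string
{
    return $magicQuotesRuntime ? addslashes($stored) : $stored;
}

// Undo runtime quoting only when it was actually applied.
function raw_from_fetch(string $fetched, bool $magicQuotesRuntime): string
{
    return $magicQuotesRuntime ? stripslashes($fetched) : $fetched;
}

// Constructed sample: the form value from the question (nowdoc, no escapes).
$input = <<<'TXT'
' \ \' \\ \\\
TXT;

$stored = mysql_literal_value(addslashes($input));
echo "stored equals input: ", var_export($stored === $input, true), "\n";

foreach ([false, true] as $mqr) {
    $fetched = fetched_value($stored, $mqr);
    echo "magic_quotes_runtime=", var_export($mqr, true), "\n";
    echo "  conditional strip intact:  ", var_export(raw_from_fetch($fetched, $mqr) === $input, true), "\n";
    echo "  blind stripslashes intact: ", var_export(stripslashes($fetched) === $input, true), "\n";
}
```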