Posted by Petzo on 05/16/05 16:23
Thanks for the reply.
From 1 to 4 I do the same. I haven't written it here so that my sample would be
shorter.
What I didn't get from your reply was that part:
> For data that comes from SQL sources:
> 1. check magic_quotes_runtime PHP setting...
So what do you do if that setting is on/off?
(In my case it is off.)
Milen
"Bostjan Skufca @ domenca.com" <bostjan.skufca@domenca.com> wrote in message
news:200505161423.06441.bostjan.skufca@domenca.com...
> I do the following way to achieve portability:
>
> For GET/POST/COOKIE variables:
> 1. check "magic_quotes_gpc" PHP setting - if enabled strip slashes from
> input variables using stripslashes()
> 2. check input/anything
> 3. prior to building the SQL query, escape stuff (mysql -
> mysql_real_escape_string(), others use different escaping methods)
> 4. run query
>
> For data that comes from SQL sources:
> 1. check magic_quotes_runtime PHP setting...
>
>
> On Monday 16 May 2005 10:32, Petzo wrote:
> > Hi,
> >
> > My question is about the normal behaviour of PHP and MYSQL but I can't
> > explain it without a simple example. Thank you for reading:
> >
> > I have the following code:
> > --------------------------------------------------------------------
> > <?php
> > print $t = $_POST['txt'];
> > print $t = addslashes($t);
> >
> > @ $db = mysql_pconnect(xxx,xxx,xxx);
> > mysql_select_db('test');
> >
> > $q = "update ttable set ffield='$t'";
> > mysql_query($q);
> >
> > $q = "select * from ttable";
> > $result = mysql_query($q);
> > $bo = mysql_fetch_array($result);
> >
> > print $t = $bo['ffield'];
> > print $t = stripslashes($t);
> > ?>
> > --------------------------------------------------------------------
> >
> >
> > from an HTML form I send the variable:
> > --------------------------------------------------------------------
> > ' \ \' \\ \\\
> > --------------------------------------------------------------------
> >
> > after addslashes it becomes:
> > --------------------------------------------------------------------
> > \' \\ \\\' \\\\ \\\\\\
> > --------------------------------------------------------------------
> >
> > after that it gets in the database
> >
> > but after I get it out it becomes:
> > --------------------------------------------------------------------
> > ' \ \' \\ \\\
> > --------------------------------------------------------------------
> > (without the backslashes!)
> >
> > and of course after stripslashes it gets messed up:
> > --------------------------------------------------------------------
> > ' ' \ \
> > --------------------------------------------------------------------
> >
> > So my question is whether this is normal behaviour for PHP+MYSQL or whether it may
> > vary in different configurations or versions of php or mysql.
> > It's not a bad thing to be like that, but I wonder if my code will behave
> > the same on most systems.
> >
> > Thank you very much
>
> --
> Best regards,
>
> Bostjan Skufca
> system administrator
>
> Domenca d.o.o.
> Phone: +386 4 5835444
> Fax: +386 4 5831999
> http://www.domenca.com
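The escaping chain this thread is about, as an added example (not code from the thread or from either poster): a Python model of Petzo's script, with `addslashes`/`stripslashes` mirroring the PHP functions and `mysql_decode_literal` as an assumed, simplified model of how the server parses a quoted string literal. It shows why the backslashes "vanish" (the server decodes exactly one level of escaping, so the stored text is the original), why `stripslashes()` on output mangles it, why the same script behaves differently with `magic_quotes_gpc` on, and what Bostjan's portable recipe yields; `addslashes` stands in for `mysql_real_escape_string()` in this model.

```python
# Added example (not from the thread): model of the escaping chain in Petzo's script.
# addslashes/stripslashes mirror PHP's functions; mysql_decode_literal is a
# simplified model (assumption) of how MySQL parses a quoted literal.

_MYSQL_ESCAPES = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b", "Z": "\x1a"}


def addslashes(s: str) -> str:
    """PHP addslashes(): put a backslash before ' " \\ and NUL."""
    return "".join("\\0" if c == "\0" else ("\\" + c if c in "'\"\\" else c) for c in s)


def stripslashes(s: str) -> str:
    """PHP stripslashes(): \\x -> x (\\0 -> NUL); a trailing lone backslash is dropped."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def mysql_decode_literal(escaped: str) -> str:
    """The text MySQL stores for the SQL literal '<escaped>' (simplified model)."""
    out, i = [], 0
    while i < len(escaped):
        if escaped[i] == "\\" and i + 1 < len(escaped):
            out.append(_MYSQL_ESCAPES.get(escaped[i + 1], escaped[i + 1]))
            i += 2
        else:
            out.append(escaped[i])
            i += 1
    return "".join(out)


def petzo_script(user_input: str, magic_quotes_gpc: bool, strip_on_output: bool) -> str:
    """Form value -> $_POST -> addslashes() -> UPDATE literal -> SELECT -> (stripslashes)."""
    received = addslashes(user_input) if magic_quotes_gpc else user_input  # what $_POST holds
    stored = mysql_decode_literal(addslashes(received))  # the server decodes one level only
    return stripslashes(stored) if strip_on_output else stored


def portable_script(user_input: str, magic_quotes_gpc: bool) -> str:
    """Bostjan's recipe: undo magic quotes, escape once before the query, never strip on output."""
    received = addslashes(user_input) if magic_quotes_gpc else user_input
    clean = stripslashes(received) if magic_quotes_gpc else received  # step 1
    return mysql_decode_literal(addslashes(clean))  # steps 3-4, then read back unchanged
```

With `magic_quotes_gpc` off, `petzo_script` returns the original text only if the output is not stripped; with it on, the double escaping and the stripping cancel out, which is exactly the configuration dependence the question asks about.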