Professional Web Applications Themes

escaping, stripslashes and magic quotes! - PHP Development

Hi All, Can anybody point me to a FAQ or similar that describes what all this stuff is about please?. I'm interfacing with a MySQL database if that's relavent. I've read a couple of books which refer to stripslahes and 'escaping' but nothing really explains what these terms are and why these are used. Why is 'escaping' (whatever that is) used?. What the hell is a magic quote?. How is it different from a non-magic one?. Regards, Dave...

Sponsored Links
  1. #1

    Default escaping, stripslashes and magic quotes!

    Hi All,
    Can anybody point me to a FAQ or similar that describes what all this
    stuff is about please?. I'm interfacing with a MySQL database if that's
    relavent. I've read a couple of books which refer to stripslahes and
    'escaping' but nothing really explains what these terms are and why these
    are used. Why is 'escaping' (whatever that is) used?. What the hell is a
    magic quote?. How is it different from a non-magic one?.

    Regards,
    Dave


    Sponsored Links
    Dave Guest

  2. #2

    Default Re: escaping, stripslashes and magic quotes!

    "Dave Moore" <freeserve.co.uk> kirjoitti
    viestissä:d7aaq1$ggu$svr.pol.co.uk... 


    Imagine you have a database where you insert names. You use a SQL query:
    INSERT INTO names VALUES('John Doe')

    Here the name John Doe is isolated with pair of '' quotes. That's how MySQL
    knows where the name begins and where it ends.

    Now an italian guy comes with a name like Giovanni D'Angelo. Look what
    happens:
    INSERT INTO names VALUES('Giovanni D'Angelo')

    Here MySQL sees a string Giovanni D and some crap after that, since it
    interprets the first occurance of ' as the end of the string. This is:
    unless it is ESCAPED. Escaping means we tell MySQL that the particular ' is
    in fact a part of the string and not the ending quote:

    INSERT INTO names VALUES('Giovanni D\'Angelo')

    the ' in D'Angelo is escaped with backslash: \' . Now MySQL bypasses it
    thanks to the escaping and sees the string as "Giovanni D'Angelo" and works
    correctly.

    Magic Quotes is a mechanism of PHP that automatically escapes all user
    inputs. So that when D'Angelo typed his name and submitted the form, it
    comes to PHP already escaped, as "Giovanni D\'Angelo" and you don't have to
    worry about it. If the magic qoutes are turned off, you need to do the
    escaping by yourself for each input you want. And addslashes does just this.

    --
    "I am pro death penalty. That way people learn
    their lesson for the next time." -- Britney Spears

    com


    Kimmo Guest

  3. #3

    Default Re: escaping, stripslashes and magic quotes!

    Dave Moore said the following on 28/05/2005 18:44: 

    Imagine you're putting some data into a MySQL database. You might do
    something like:

    mysql_query("INSERT INTO table (name) VALUES ('$name')");

    where $name is a string.
    If $name was "John", the query string would become:

    INSERT INTO table (name) VALUES ('John')

    No problem there. But if $name was "Hell's Bells", then the string becomes:

    INSERT INTO table (name) VALUES ('Hell's Bells')

    Now, there's a mismatch in the number of single quotes, and this will
    cause a MySQL error.

    To get around this, one indicates a single-quote *within* a value string
    using \' i.e backslash, single-quote. This is called "escaping" (one
    escapes from the syntax processing that would normally occur).

    All strings must be "escaped" before being put into an SQL query using
    mysql_real_escape_string(), which does the conversion above (as well as
    a few others). So your command would be:

    mysql_query("INSERT INTO table (name) VALUES ('"
    . mysql_real_escape_string($name) . "')");


    Magic Quotes is something that seemed like a good idea back in the
    earlier days of PHP. Basically, when Magic Quotes is turned on, all GET,
    POST and COOKIE variables are automatically escaped ready for use in a
    database query. This is to save lazy people time, so that they don't
    have to call mysql_real_escape_string() each time.

    However, they *will* have to call stripslashes() (which removes the
    escaping from the string) whenever they want to use the string in a
    normal context. So it's actually just a pain. If you have control of
    your PHP configuration, turn magic-quotes off.

    If not, you'll have to do something like at the top of your scripts:

    if (get_magic_quotes_gpc())
    {
    foreach ($_GET as $key=>$value)
    {
    $_GET["key"] = stripslashes($value);
    }
    }


    P.S. The best place to start on reading about anything PHP-related is
    the online manual: http://www.php.net/manual.

    --
    Oli
    Oli Guest

  4. #4

    Default Re: escaping, stripslashes and magic quotes!

    Read this:

    http://php.net/manual/en/security.magicquotes.php

    Philip Guest

  5. #5

    Default Re: escaping, stripslashes and magic quotes!

    Read this:
    http://php.net/manual/en/security.magicquotes.php

    Philip Guest

Similar Threads

  1. Bug: Escaping of single-quotes in cfQuery !
    By Stefan K. in forum Coldfusion - Advanced Techniques
    Replies: 1
    Last Post: April 11th, 04:42 PM
  2. Escaping nasty quotes
    By Roy W in forum PHP Development
    Replies: 5
    Last Post: August 1st, 10:06 AM
  3. [PHP] Escaping nasty quotes
    By Jay Blanchard in forum PHP Development
    Replies: 2
    Last Post: July 31st, 06:57 PM
  4. Escaping single quotes
    By in forum PHP Development
    Replies: 0
    Last Post: July 30th, 11:28 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139