php - need to call mysql_real_escape_string() twice
I have user-input data that is put into a MySQL database (version 5.5.8 according to phpMyAdmin). I find that mysql_real_escape_string() in the example below must be called twice, or no backslashes are added to user input text such as "she's great boat isn't she".

The problem occurs when I try to write this type of "text string containing quotes" to the database: the user input string is written to the database with no backslashes, unless I call mysql_real_escape_string() twice.

When I use phpMyAdmin to view the newly-written database record, the user's text-string-with-quotes has no escaping on the quotes (no backslashes). If I read the text string out of the database, the quotes are not escaped, i.e. I don't have to call stripslashes() to reverse the use of mysql_real_escape_string().

The code is below. When I call get_magic_quotes_gpc() it shows disabled.

My expectation is this: if the user inputs the text string "she's great boat isn't she" and I call mysql_real_escape_string() one time on the user input text, then write it to the database, that one call to mysql_real_escape_string() will create a text string that looks like this:

\"she\'s great boat isn\'t she\"

But the text written to the database (see below) shows no escaping, just the original user-input text with unescaped quotes.

This PHP code writes the user text string to the database:
    // theusersinputtext contains "she's great boat isn't she"
    $thetext = $_POST['theusersinputtext'];
    $thedb = connecttodb();
    // reports magic quotes disabled
    if (get_magic_quotes_gpc()) echo "magic quotes enabled";
    else echo "magic quotes disabled";
    $theescapedtext = mysql_real_escape_string($thetext);
    $newinsertquery = "insert " . "mydatabasetable" . " values " . "('" . $theescapedtext . "')";
    // execute the insert on the open connection
    mysql_query($newinsertquery, $thedb);
When I use phpMyAdmin to look at the database, there are no slashes in the text string. And when I retrieve the string from the database, it looks like this: "she's great boat isn't she"

It makes me think I'm open to an injection attack then.

So I modified the code above by adding a second call to mysql_real_escape_string(), and now, when I look at the database, the text string looks like this:

\"she\'s great boat isn\'t she\"

Here's the modified code:
    $thetext = $_POST['theusersinputtext'];
    // new line of code here
    $thestrangelyunescapedtext = mysql_real_escape_string($thetext);
    $thedb = connecttodb();
    // reports magic quotes disabled
    if (get_magic_quotes_gpc()) showalertbox("magic quotes enabled");
    else showalertbox("magic quotes disabled");
    $thefinallyescapedtext = mysql_real_escape_string($thestrangelyunescapedtext);
    $newinsertquery = "insert " . "mydatabasetable" . " values " . "('" . $thefinallyescapedtext . "')";
    // execute the insert on the open connection
    mysql_query($newinsertquery, $thedb);
After the above, in phpMyAdmin, when I look at the just-written database record, the text looks like:

\"she\'s great boat isn\'t she\"

Why do I have to call mysql_real_escape_string() twice here?
When written this way:

    $theescapedtext = mysql_real_escape_string($thetext);
    $newinsertquery = "insert `mydatabasetable` values ('$theescapedtext')";

I get the query output:

    insert `mydatabasetable` values ('\"she\'s great boat isn\'t she\"')

The slashes make the query syntactically correct and try to avoid SQL injection; in the DB, the query stores the original text:

    "she's great boat isn't she"

As a side note: the mysql_* extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the mysqli or PDO_MySQL extension should be used.

A useful link: Why shouldn't I use mysql_* functions in PHP?
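As an added example (not code from the question or the answer above), the following Python emulates how MySQL decodes a single-quoted string literal, assuming the connection is not in NO_BACKSLASH_ESCAPES mode and using constructed helper names (mysql_escape, stored_value, build_insert) and a constructed sample input. It shows that escaping once puts the backslashes into the query text only, while escaping twice is exactly what makes backslashes land in the stored value.

```python
# Escaping rules applied by mysql_real_escape_string (NUL, \n, \r, \, ', ", Ctrl-Z),
# assuming the connection is not in NO_BACKSLASH_ESCAPES mode (assumption).
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def mysql_escape(text: str) -> str:
    """Same transformation mysql_real_escape_string applies to user input."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)

_UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "\\": "\\", "'": "'",
              '"': '"', "Z": "\x1a"}

def stored_value(quoted_literal: str) -> str:
    """Value MySQL stores for a '...' literal: quotes stripped, escapes decoded."""
    if not (quoted_literal.startswith("'") and quoted_literal.endswith("'")):
        raise ValueError("expected a single-quoted literal")
    body = quoted_literal[1:-1]
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            out.append(_UNESCAPES.get(nxt, nxt))  # unknown escape -> the char itself
            i += 2
        elif ch == "'" and body[i + 1:i + 2] == "'":
            out.append("'")  # a doubled quote also means one literal quote
            i += 2
        elif ch == "'":
            # an unescaped quote ends the literal; the rest would be parsed as SQL
            raise ValueError("string literal ends early at offset %d" % i)
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def build_insert(value: str) -> str:
    """The query the question builds by string concatenation."""
    return "INSERT INTO `mydatabasetable` VALUES ('" + value + "')"

USER_TEXT = "\"she's great boat isn't she\""   # constructed sample input

if __name__ == "__main__":
    once = mysql_escape(USER_TEXT)
    print(build_insert(once))              # backslashes appear in the query text
    print(stored_value("'" + once + "'"))  # stored value equals USER_TEXT
    twice = mysql_escape(once)
    print(stored_value("'" + twice + "'"))  # stored value now equals `once`, with backslashes
```

The first print matches the query output quoted in the answer, and the third print reproduces what the question saw in phpMyAdmin after the second call.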