addslashes problem

adavis

I have this sql statement which I need to pass from a form to a processing page:

$sql =
"SELECT * FROM tbl 
WHERE Status LIKE '%cancel%' 
AND group IN ('AA', 'BB') 
ORDER BY Status, EmpLast, EmpFirst";

I run it through the addslashes:

$sqlAdd = addslashes($sql);

before I pass it. Then strip the slashes on the other side

$sqlStrip = stripslashes($_GET['sql']);

But I wasn't getting any results returned even though I knew I should be. I echoed that sql statement in the process form and this is what it because after stripping the slashes:

SELECT * FROM tbl 
WHERE Status LIKE 'Encel%' 
AND directorate IN ('AA', 'BB')
ORDER BY Status, EmpLast, EmpFirst

Why '%cancel%' being changed to 'Encel%' and what do I do to make it not happen anymore?

youdrovemetoit

if you putting it through using get, try rawurlencode() and rawurldecode()

adavis

Instead of the addslashes and stipslashes???

adavis

I haven't tried it yet after reading php.net, I'm not sure this will accomplish what I want. My main purpose for doing this is to change the exit the single quotes,

changing all " ' " to " \' " and back again.

Will rawurlencode() and rawurldecode() do that?

youdrovemetoit

it will change it into a string that can be passed into files using GET.. if you are just changing ' to \' then back again, it will do the same thing

adavis

I'm going to try this and see if it works:

$sqlAdd = rawurlencode(addslashes($sql));

and

$sqlStrip = rawurldecode(stripslashes($_GET['sql']));

adavis

If I do both the add/stip slashes AND the rawurlencode/rawurldecode, then I get the same results as before.

If I just do the rawurlencode/rawurldecode, I get a JavaScript error and at the bottom of the browser window, the URL shows up without escaping the quotes. This is in IE. I haven't tried it NS, but have to test in both. Here's the URL I'm using:

<a href="javascript:void(window.open('printReport.php
?sql=<?=$sqlStrip?>
&report=<?=$reportName?>
&org=<?=$orgprint?>
&range=<?=$reportdaterange?>
&cols=<?=$cols?>','',
'top=3,left=3,width=700,height=600,
scrollbar=yes,menubar=no,resizeable=yes'));">
Print Report</a>

(line breaks added for easier readibility, not that way in code)

Maybe there's an error in my javascript or I need to do this in a form instead.

youdrovemetoit

ok, you cant have any quotes withing javascript, what you need to do is pass the $sqlAdd instead of $sqlStrip into printReport.php and then decode it in the printReport.php