Backslashes + SQL Server

obrienkev

Hi all,

How do I enter the file path correctly into a MS SQL Server Database??

e.g. c:\myfolder\myfile appears as c:\\myfolder\\myfile when called from Database into ph page.

Thanks.

sid

seems like yet another add/stripslashes() issue? how do you enter the data into the ms sql db?

obrienkev

I have a form set up that allows user to enter details about certain documents and they want to be able to state where the file is located.

thanks.

tomhath

Can you just translate any backslashes to forward slashes? Windows usually doesn't care except in a Command tool.

MarkR

The problem is that some magic quotes are enabled. Magic quotes (all types) are bad and should always be disabled.

MSSQL doesn't use backslash to escape strings anyway. So magic quotes are even less useful than they would be anyway (if that were even possible!).

Strings going into the database should either be escaped appropriately (Which does not mean addslashes) OR, for preference, passed as a parameter to a parameterised query.

Generally speaking, if you're using addslashes or stripslashes, you're doing something wrong as neither function is useful under any circumstances.

Likewise, magic quotes are never helpful, turn them all off permanently. I put checks in all my applications to ensure that magic quotes are off (and crash out of they are on) to ensure that they don't cause data corruption (the kind you're describing).

Mark

obrienkev

Thanks Mark. But to turn off Magic Quotes now would affect a lot of internal sites.

So any quick solution to this issue?

MarkR

Yes, you should rewrite all your code to operate correctly with magic quotes off (magic quotes are probably causing problems elsewhere, but you haven't noticed them yet). Then you can disable magic quotes entirely and check at runtime that they remain disabled.

Mark

obrienkev

Hey Mark. I honestly don't have time at the moment to rewrite all the code.

Any use of addslashes() for escaping characters as in post 1?

Thanks.

MarkR

magic quotes are like a sickness that infects your application, gradually corrupting your data by adding backslashes in places they aren't required.

There is no reasonable way which data integrity of any kind can be maintained while magic quotes are enabled (especially magic_quotes_runtime). Your data are going to get screwed.

The correct way of escaping strings in MSSQL is not addslashes(), however, this is not your problem.

You MUST turn magic_quotes off.

Some people try to fix the problem with various loops containing stripslashes() to try to "repair" the damage done by magic_quotes_gpc, but these implementations are usually incorrect.

Mark

Reg126

obrienkev;10776137 wrote:
Hey Mark. I honestly don't have time at the moment to rewrite all the code.

Any use of addslashes() for escaping characters as in post 1?

Thanks.

I see you're struggling to get an answer. Well, you've probably found a solutions already, but since it's being insisted that you play around with magic quotes and rewrite your entire code, I'll answer the question you're actually asking.

In my code I've got the file path in a variable. I simple run this code (V😎

selectedFile = Replace(selectedFile, "\", "/")

and it replaces all backslashes to forward slashes. In windows, paths can be either / or \ and it allows the db to store it if it's the forward slash.

bradgrafelman

Reg126;10951776 wrote:
Well, you've probably found a solutions already

I would hope so, since this thread is over 3 years old. :p

Reg126;10951776 wrote:
since it's being insisted that you play around with magic quotes and rewrite your entire code

Seems like the only logical solution, since magic_quotes_gpc is highly deprecated and even removed in future versions of PHP... not to mention the other handful of reasons that the PHP manual lists ([man]security.magicquotes[/man]).

Reg126;10951776 wrote:
I simple run this code (V😎

selectedFile = Replace(selectedFile, "\", "/")

You run VB code from within PHP? Seems like a lot more complicated that simply writing proper PHP code.

Reg126;10951776 wrote:
it allows the db to store it if it's the forward slash.

MS SQL server has no problem inserting backslashes in the first place, so I don't see why it'd be necessary to alter the path separator anyway.