phpmyadmin not slashed :S

tornup

hi there..

i have a form that POST's to a post.php.... on post.php it does this:

function safeinput($formvalue)
{
    $formvalue = trim($formvalue);
    $formvalue = strip_tags($formvalue);
    $formvalue = htmlspecialchars($formvalue);

return $formvalue;
}


$name = safeinput($name);
$location = safeinput($location);
$message = safeinput($message);


echo $name;
echo $location;
echo $message;

now if i type into the input on the form page(that posts to post.php):

my name's Tom!

and i view it on the echo out, it will read "my name\'s tom"

what is what i want it todo...

but, if i take away the echo's and put in:

$insertquery = "INSERT INTO `messages` (`id` ,`name` ,`location` ,`date` ,`time` ,`message`) VALUES ( NULL , '$name', '$location', '$date', '$time', '$message')";
mysql_query($insertquery);

it inputs it into the database ok! but when viewed on PHPmyadmin, there is nolonger any slash's, and the string will appear as "my name's Tom!" during table browsing!

and if i output it to a page from the database, there still is no slashs!(and no, iv not used stripslash() )

iv turned magic quotes on, and it is working(because the echo's get slashed) so something is happening after/during there INSERT query.

can anyone shed some light on this for me?

PS. hello everyone! nothing like jumping straight in on my first post! lol😃

can anyone help? im puzzled!

laserlight

It is expected that the data, as stored in the database, will not be in escaped form.

As an analogy, consider this PHP code snippet:

<?php
echo "\"tornup\" is on PHP Builder";
?>

Would you expect it to print:

\"tornup\" is on PHP Builder

Or would you expect it to print:

"tornup" is on PHP Builder

Oh, and turn magic_quotes_gpc off and use the appropriate escaping functionality instead, e.g., prepared statements or mysql_real_escape_string().

tornup

laserlight;10884478 wrote:
It is expected that the data, as stored in the database, will not be in escaped form.

As an analogy, consider this PHP code snippet:
<?php
echo "\"tornup\" is on PHP Builder";
?>
Would you expect it to print:
\"tornup\" is on PHP Builder
Or would you expect it to print:
"tornup" is on PHP Builder
?

Oh, and turn magic_quotes_gpc off and use the appropriate escaping functionality instead, e.g., prepared statements or mysql_real_escape_string().

i would expect it to print:

"tornup" is on PHP Builder

im sorry, but i still don't understand(iv been working with php for about a week!)

also. how would i go about turning off magic_quotes? is there a way of doing this via Cpanel on my host? or even better, can i do it via PHP?

thank you for your time. i know how much n00b's are anoying!

laserlight

i would expect it to print:

Yes, that is what will happen. Notice that the \" in the PHP string has been replaced by " after being processed. The same thing happens with \' when the SQL statement string is passed to the database: it is replaced with ' after processing.

how would i go about turning off magic_quotes? is there a way of doing this via Cpanel on my host? or even better, can i do it via PHP?

You may be able to edit your php.ini file via Cpanel. You can also change the setting in the PHP script itself, but the problem is that by the time control enters the PHP script, the magic_quote_gpc setting has already been put into effect, so changing the setting is useless.

bpat1434

tornup, when a character is escaped in SQL, it just means "I want to show this literal character". So instead of seeing the escape character (in PHP's case, it's a backslash) before the "special" character, you see just the normal character. This is the expected behavior.

As for magic_quotes_gpc you really don't need them. You could sanitize your strings (as I see you are) on your own. So if you turn off magic_quotes_gpc then you don't need stripslashes (or its counterpart, addslashes). The way to properly escape a string for SQL is to use [man]mysql_real_escape_string/man for mySQL or [man]pg_escape_string/man for postgre and the equivalent functions for other RDBMS.

As for turning things on or off in PHP, that's done via php.ini. Usually if you're on a shared server, you have no control over this. You could ask you host to do it for you, or you could try adding things to the top of your script that do this. If it's allowed (once again, the host has control) then you could use [man]ini_set/man to enable or disable or change specific things for a script at runtime. This has no effect anywhere else on the server, just for your script. So to disable magic_quotes, you could do:

ini_set('magic_quotes_gpc', 0);
ini_set('magic_quotes_runtime', 0);

But do note that it's not guaranteed to work. Some hosts don't allow this.

tornup

so, let me get this right?

if it has been slashed, and gone into mysql ok(even though the slash has now been removed) is it now ok to output like that (any SQL injection threat has been minimised now that its been slashed on insertion).

or will it cause issues when being output, and therefore do somthing with the post.php to make sure that it is still slashed after being inserted. and then stripslash() it when it gets displayed?

thanks for your help!!

bpat1434

Once it's inserted, you can consider it clean. There is a caveat though. If you're storing php code that the user submitted, then you have to make sure the code they submit isn't actually doing something harmful (like deleting your entire site, doing an infinite loop, etc.).

Once data goes into mySQL, you can consider it "safe" for display purposes.

laserlight

if it has been slashed, and gone into mysql ok(even though the slash has now been removed) is it now ok to output like that (any SQL injection threat has been minimised now that its been slashed on insertion).

Ah, yes and no. Yes, in the sense that there is no more SQL injection threat. No, in the sense that there may still be a malicious client side scripting threat. htmlspecialchars() or strip_tags() can be used to avoid this (but it does not make sense to use both), as you have done in your example. If you are embedding the value into a URL query string, then urlencode() would be the function to use. Refer to the PHP manual FAQ on PHP and HTML.

tornup

ah right, so my code is ok, all iv got todo now, is turn magic quotes OFF, and recode it so it uses mysql_real_escape_string()!

i will read up on that now!

thank you all for your quick and detailed replys! i will highly likly be coming back for plenty more N00b issues(due to the fact, i prefer to learn with ADVANCED projects, instead of bloody "hello world!")

Tom 😃