PHP MySQL apostrophes and quotes problems

Hi,
I have two possibly related problems:

1. I am having problems when displaying data with PHP from my MySQL database which includes apostrophes and/or double quotes.
Inserting a sentence using apostrophes or double quotes is fine, but then when I try to display the sentence, everything including and after the apostrophe is cut off. How do I resolve this issue?

2. In another comments field on my form, I have tried to clean the data before entering it into the database, but then in the database the apostrophes are preceded by \\\ (three slashes). Below is the function I am using before updating into the database.

function clean($input) {
    $input = trim($input);               // strip surrounding whitespace
    $input = htmlspecialchars($input);   // HTML-encode < > & and " (single quotes untouched by default)
    $input = mysql_escape_string($input); // backslash-escape ' " \ for a MySQL string literal
    $input = EscapeShellCmd($input);     // backslash-escape shell metacharacters, including \ and unpaired quotes
    return $input;
}

In my php.ini file I currently have:

magic_quotes_gpc = On
magic_quotes_runtime = Off

I don't want to turn magic_quotes_gpc OFF, as then I would have to check all the data every time, as I have a lot of database INSERT, UPDATE and SELECT statements all over my code. What is the usual easiest solution to solve all these character problems?
Asked:
mahmedx
Roonaan commented:
I think you shouldn't confuse "cleaning" with "escaping".

For your queries you should clean first, then escape when building the query. EscapeShellCmd and mysql_escape_string should therefore not be in your clean() function, and only be used for their specific targets (mysql_query/exec/shellcmd).

The magic_quotes_gpc setting could be disabled, and you could then have the following function in your commons.inc or global.inc or functions.inc. It filters the quotes from post/get:

<?php
/*
 * Commonly used snippet to cancel out magic quotes
 * http://php.net/manual/en/function.get-magic-quotes-gpc.php#52090
 */

function stripslashes_deep($value)
{
    return (is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value)
    );
}

if (get_magic_quotes_gpc()) {
    $_GET    = array_map('stripslashes_deep', $_GET);
    $_POST   = array_map('stripslashes_deep', $_POST);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
?>
Kind regards

-r-
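
The three slashes reported in the question and the clean-then-escape-per-target layering recommended in the answer above, as an added example that is not code from the question or from either answer. Because magic_quotes_gpc and mysql_escape_string() no longer exist in current PHP, addslashes() stands in for both (they add the same backslashes for this input) and stripslashes() stands in for MySQL decoding a backslash-escaped literal; the functions undo_magic_quotes() and clean_input() are hypothetical names.

```php
<?php
// Added example, not code from the question or either answer.  It reproduces
// the "three slashes" the question reports, then shows escaping once per target.
// Stand-ins, because the original calls are gone from modern PHP:
//   addslashes()   plays magic_quotes_gpc and mysql_escape_string(), both of
//                  which put a backslash before ' " \ and NUL
//   stripslashes() plays MySQL decoding a backslash-escaped string literal

$typed = "it's";   // constructed sample: what the user submits

// --- the question's pipeline: magic quotes, then clean() doing everything ---
$step = array();
$step['magic_quotes_gpc']    = addslashes($typed);
$step['htmlspecialchars']    = htmlspecialchars($step['magic_quotes_gpc'], ENT_COMPAT); // pre-8.1 default: ' left alone
$step['mysql_escape_string'] = addslashes($step['htmlspecialchars']);                  // escapes the backslash again
$step['escapeshellcmd']      = escapeshellcmd($step['mysql_escape_string']);           // escapes every \ and the unpaired '
$step['stored by MySQL']     = stripslashes($step['escapeshellcmd']);                  // MySQL removes one layer; three backslashes remain

foreach ($step as $label => $value) {
    printf("%-20s %s\n", $label, $value);
}

// --- the answer's layering: undo magic quotes once, clean, escape per target ---
function undo_magic_quotes($v) {                 // same job as stripslashes_deep() above
    return is_array($v) ? array_map('undo_magic_quotes', $v) : stripslashes($v);
}
function clean_input($v) {                       // cleaning only: no quoting of any kind
    return trim(preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $v));
}
$input  = clean_input(undo_magic_quotes($step['magic_quotes_gpc']));
$forSql = addslashes($input);   // stand-in for mysql_real_escape_string(), applied only while building the query
                                // (a mysqli/PDO prepared statement would need no escaping here at all)
printf("%-20s %s\n", 'stored, layered', stripslashes($forSql));   // the text as the user typed it
// HTML escaping (htmlspecialchars with ENT_QUOTES) belongs at output time, not here.
```

Run it with `php` on the command line to see each intermediate string; the value stored by the question's pipeline carries the backslashes the question describes, while the layered version stores the text unchanged.
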
Cornelia Yoder commented:
Replace

   $input = htmlspecialchars($input);

with

   $input = htmlentities($input, ENT_QUOTES);
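
The first problem in the question (everything after an apostrophe disappears) and the ENT_QUOTES fix in the answer above, as an added example that is not code from the question or the answer. It assumes, since the question does not show the display code, that the stored comment is echoed into a single-quoted HTML attribute such as an edit form's input value; whether the encoding is applied when storing, as the answer does, or when displaying, the attribute context behaves the same. render_edit_field() and value_seen_by_browser() are hypothetical helper names.

```php
<?php
// Added example, not code from the question or either answer.  Assumption
// (the question does not show the display code): the stored comment is echoed
// into a single-quoted HTML attribute, as an edit form would do.  The browser
// then takes the first apostrophe as the end of the attribute, which is what
// "everything after the apostrophe is cut off" looks like.

// Builds the edit field; $escape is the function applied before insertion.
function render_edit_field($text, $escape) {
    return "<input type='text' name='comment' value='" . $escape($text) . "'>";
}

// Crude stand-in for the browser: the attribute value is everything up to the
// next single quote, with entities decoded.
function value_seen_by_browser($html) {
    return preg_match("/value='([^']*)'/", $html, $m)
        ? html_entity_decode($m[1], ENT_QUOTES)
        : '';
}

$stored = "it's \"fine\" <b>not bold</b>";   // constructed sample, stored verbatim

$variants = array(
    'no escaping' => function ($s) { return $s; },
    'ENT_COMPAT'  => function ($s) { return htmlspecialchars($s, ENT_COMPAT); }, // the question's clean(): ' left alone
    'ENT_QUOTES'  => function ($s) { return htmlentities($s, ENT_QUOTES); },     // the fix from the answer above
);
foreach ($variants as $label => $escape) {
    printf("%-12s browser shows: %s\n", $label,
        value_seen_by_browser(render_edit_field($stored, $escape)));
}
```

Only the ENT_QUOTES variant survives the attribute intact; the other two stop at the apostrophe, and any text a user places after a quote would be interpreted as markup rather than shown.
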
mahmedx (author) commented:
Roonaan,

So what exactly is the stripslashes_deep function doing? Does it automatically always take slashes out of GET, POST and COOKIE requests? What do you mean by "clean first, then escape in query"? Is that two more functions in addition to stripslashes_deep?

mahmedx (author) commented:
yodercm,

Would that mean that I would then have to convert back when displaying the data, or would it have no effect on the data entering the database?
Roonaan commented:
stripslashes_deep is a recursive stripslashes.

By "clean first, escape in query" I mean that the cleaning of your input is separated from escaping your data for output or database interaction. You therefore should not have a single function doing both, because cleaning and escaping each have their own usage.

-r-
mahmedx (author) commented:
Roonaan,

Could you give me an example cleaning function and an example escaping function?

Will I need to escape every single database field value with the escaping function?
Roonaan commented:
mahmedx,

The clearing as well as the escaping depend on the source and target.

For clearing you could use preg_replace/str_replace. For escaping you could use mysql_real_escape_string/pg_escape_string/htmlentities/htmlspecialchars/etc

Roonaan
mahmedx (author) commented:
What I am doing is essentially like a forum where users can edit the posts they have submitted as well as post new ones. What would your cleaning involve and what would your escaping involve? Would you use the function stripslashes_deep in addition to cleaning and escaping? If I can prevent so many slashes from being inserted into the database in the first place, maybe I don't need to use stripslashes_deep. Also, what about my first query, about when everything after the apostrophe or quote is not displayed?
Cornelia Yoder commented:
mahmedx, it means that the text is stored in your database with all special characters converted to their HTML &-code equivalents. This can then be retrieved and will then display or print perfectly normally, including quotes and apostrophes.

http://www.ascii.cl/htmlcodes.htm

http://us2.php.net/manual/en/function.htmlentities.php
mahmedx (author) commented:
yodercm,
Sounds good. So does that mean I will not have to do any other cleaning or escaping if I use $input = htmlentities($input, ENT_QUOTES); for every form field before I enter it into my database?

Cornelia Yoder commented:
Yes.  htmlentities() makes all special characters into safe code.  I use this myself in preference to mysql_real_escape_string, because it protects against even more malicious stuff.

The disadvantage is that it takes a little more space in your database, because instead of storing ", you are storing &#34, which is 4 bytes instead of 1.

When you are allowing users to enter text, there is no way to check it against a whitelist, so htmlentities is the next best thing -- eliminate ALL special characters.
mahmedx (author) commented:
yodercm,
Surely this would cause problems with database searches though, wouldn't it?
mahmedx (author) commented:
As if the user types in a search string, it wouldn't match what's in the database.
mahmedx (author) commented:
OK, still confused with all these options. Does anyone know of a good article or some example application which shows a good-practice way of handling this type of data?
Cornelia Yoder commented:
If you use htmlentities() on the search string the same as on the stored data, it works perfectly.  And of course you should do this, because a search string is just as susceptible to maliciousness as the original stored string.