#1
  1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Does anyone know how to solve this problem??


    Hi there. I'm creating a comment posting system in PHP and MySQL.
    I use quote_smart() to kill the " " " or " ' " in the posted comment before storing it in the DB.
    But it seems like "\" is also output as HTML when I see the posted comment.
    Actually, by the time the comment is visible on the user's side, the string after the "\"
    is gone, with an extra "\" added to the first "\"...


    Let's say I wanted to post a comment like "It's awesome!!"
    Then the output changes on each of the confirmation page,
    the thank-you page and the page that shows the actual posted comments, like this:



    form page ------------------------- Filling up form
    |
    Confirmation page ---------------- "It\'s awesome"
    |
    Thank you page ------------------ "It\ "
    |
    Page to reflect the message. ------ "It\\"


    You know what my problem is??

    Basically, I don't want the quote_smart() to mess up user input going through the php code.

    Does anyone have any idea what is causing this problem?
    How can I get rid of it while maintaining protection against SQL injection??


    Thank you.
  2. #2
  3. Mad Scientist
    Devshed Expert (3500 - 3999 posts)
    Easy

    Don't use quote_smart, don't do anything with your quotes

    Instead use prepared statements with PDO (see the link in my sig for a migration guide from mysql_* functions to PDO).

    This way, the database will sort it out for you.
    I said I didn't like ORM!!! <?php $this->model->update($this->request->resources[0])->set($this->request->getData())->getData('count'); ?>

    PDO vs mysql_* functions: Find a Migration Guide Here

    [ Xeneco - T'interweb Development ] - [ Are you a Help Vampire? ] - [ Read The manual! ] - [ W3 methods - GET, POST, etc ] - [ Web Design Hell ]
  4. #3
  5. Lord of the Dance
    Devshed Expert (3500 - 3999 posts)
    Sounds like it runs the protection twice.
    Maybe magic quotes are on? You can validate that by looking at the return value from get_magic_quotes_gpc() (hopefully it returns 0).
    What version of PHP do you use?

    What does the data look like in the database? Any \ in the text there too?
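    The flow the replies recommend, as an added example that is not the original poster's or any reply's code: it undoes magic quotes if that legacy setting is on (the check suggested above), stores the comment through a PDO prepared statement so nothing is escaped before storage, and escapes only when rendering. The table name, DSN and credentials are assumed placeholders.

```php
<?php
// Added example (not the original poster's code): the flow the thread recommends.
// Assumes a MySQL table `comments` (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)
// and placeholder DSN/credentials; adjust to your environment.

// Undo legacy magic_quotes_gpc if it is on, so $value is the raw text the user
// typed. The function only exists before PHP 8, hence the function_exists guard.
function rawInput(string $name): string
{
    $value = $_POST[$name] ?? '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Insert with a prepared statement: the value travels separately from the SQL
// text, so "It's awesome!!" is stored verbatim, with no backslashes added.
function saveComment(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = ?');
    $stmt->execute([$id]);
    return (string) $stmt->fetchColumn();
}

// Escape for HTML only at output time (ENT_QUOTES covers ' and "), never
// before storage; that keeps the stored text clean and the page safe.
function renderComment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Placeholder DSN and credentials (constructed for this example).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$id = saveComment($pdo, rawInput('comment'));
echo renderComment(loadComment($pdo, $id)); // "It's awesome!!" comes back as typed
```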
  6. #4
  7. Sarcky
    Devshed Supreme Being (6500+ posts)
    We talked about your use of magic_quotes and quote-escaping functions nine months ago. It's time to bite the bullet and excise all magical quoting and escaping functions from your code for good. No magic quotes, no quote_smart, nothing like that. PDO prepared statements and that's all.
  8. #5
  9. Contributing User
    Devshed Newbie (0 - 499 posts)
    I know, long time no see.

    Yeah, I tried to learn prepared statements, but my book doesn't go over that stuff, so I basically gave up on it for now and instead kept using quote_smart when I had to deal with security issues.

    I will look into prepared statements.

    Thank you.
  10. #6
  11. Contributing User
    Devshed Newbie (0 - 499 posts)
    Well, apparently I should just use prepared statements..

    Thanks!
  12. #7
  13. Mad Scientist
    Devshed Expert (3500 - 3999 posts)
    Prepared statements have been around a long time, and available in PHP for many years now. If your book doesn't cover them then ditch your book.

    Reading forums like this one will help you maintain an understanding of what is current and what is good practice. Take the concepts we give you and read up on them (books, web, private tutorials, etc.).