#1
  1. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2000
    Location
    Jackson, TN, USA
    Posts
    18
    Rep Power
    0
    I am using phpMyAdmin as a database administrator; however, I need to allow users (not familiar with MySQL or HTML) to be able to manipulate the database in a limited way - no deleting tables or databases and no setting up tables or databases. While I like phpMyAdmin, it is too complicated for these end users and too dangerous. Therefore I have set up my own administrator that works pretty well for adding, editing and deleting records from already created tables.

    My problem is quotes. phpMyAdmin handles them perfectly, so that there is no extra coding in the output to handle them; however, I can't figure it out and I always get slashes in the database that output to HTML pages. I know I can stripslashes, but phpMyAdmin accounts for it somehow and I don't have to do this for records input using that script. Does anyone know how to handle this totally from the administration side?
  2. #2
  3. Banned (not really)
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 1999
    Location
    Brussels, Belgium
    Posts
    14,642
    Rep Power
    4492
    You have to have the slashes in order to put it into the database, otherwise you'll get errors. Adding the slashes is usually done automatically, if magic_quotes is on. So you basically have to run stripslashes on the text you pull out of the databases. I'm sure PHPMyAdmin does this, too, it's just behind the scenes.

    ---John Holmes...
  4. #3
  5. Banned (not really)
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 1999
    Location
    Brussels, Belgium
    Posts
    14,642
    Rep Power
    4492
    I'm not sure how PHPMyAdmin sets up permissions for database users. If you read up on the GRANT command for MySQL, though, you'll learn how to do it yourself.

    It is possible to create a database, put a few tables in it, then create users who only have access to that one database. You can decide whether to give them create access, so they can/cannot create other tables. You also decide whether they get select, insert, update, and delete commands for each of the tables. All of this is covered in the MySQL manual. I think you can go all the way down to where they can only manipulate one specific column of a table...

    ---John Holmes...
  6. #4
  7. No Profile Picture
    Gödelian monster
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Jul 1999
    Location
    Central Florida, USA
    Posts
    2,307
    Rep Power
    62
    In php.ini when magic_quotes_gpc is on, then all data passed TO the database is automatically escaped with the backslash. When magic_quotes_runtime is on, then data OUTPUT from a database to web pages is automatically unescaped (slashes are stripped). PHP generally installs with magic_quotes_gpc on but magic_quotes_runtime off, so if you edit php.ini and turn that on, your problems will most likely go away.
  8. #5
  9. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2000
    Location
    Jackson, TN, USA
    Posts
    18
    Rep Power
    0
    Thanks for the reply. I don't know how phpMyAdmin is handling the slash problem, but when I add records using that administration program, I don't have to stripslashes when calling it back out. When I add using my program I do have to stripslashes, so there is something that they are doing that is compensating for that. I have requested a reply from the programmer, but I may never hear from that. I'll just keep on looking and in the meantime stripslashes when I call the info from the database.

    As far as turning on or off magic quotes, I don't have control of that, so I will just have to improvise.

    Thanks,
    Mike
  10. #6
  11. No Profile Picture
    Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2000
    Location
    thane
    Posts
    50
    Rep Power
    0
    PHP should be configured to have magic_quotes=on. In the module
    version of PHP this can also be set on a per-directory base with php3_magic_quotes_gpc on in an .htaccess file or in your Apache's access.conf.
    -----------------taken from the INSTALL file from phpmyadmin
  12. #7
  13. No Profile Picture
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 1999
    Location
    Niagara Falls (On the wrong side of the gorge)
    Posts
    3,237
    Rep Power
    19
    rycamor,

    The information you have given is incorrect. magic_quotes_runtime DOES NOT remove escaping backslashes. From the php manual:

    magic_quotes_gpc boolean
    Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

    magic_quotes_runtime boolean
    If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

    Furthermore, it is NEVER necessary to remove escaping backslashes from data returned from a database IF the data was PROPERLY escaped when inserted AND IF magic_quotes_runtime is OFF. From the mysql manual:

    There are several ways to include quotes within a string:

    A `'' inside a string quoted with `'' may be written as `'''.
    A `"' inside a string quoted with `"' may be written as `""'.
    You can precede the quote character with an escape character (`\').
    A `'' inside a string quoted with `"' needs no special treatment and need not be doubled or escaped. In the same way, `"' inside a string quoted with `'' needs no special treatment.
    The SELECT statements shown below demonstrate how quoting and escaping work:

    mysql> SELECT 'hello', '"hello"', '""hello""', 'hel''lo', '\'hello';
    +-------+---------+-----------+--------+--------+
    | hello | "hello" | ""hello"" | hel'lo | 'hello |
    +-------+---------+-----------+--------+--------+

    mysql> SELECT "hello", "'hello'", "''hello''", "hel""lo", "\"hello";
    +-------+---------+-----------+--------+--------+
    | hello | 'hello' | ''hello'' | hel"lo | "hello |
    +-------+---------+-----------+--------+--------+

    mysql> SELECT "This\nIs\nFour\nlines";
    +--------------------+
    | This
    Is
    Four
    lines |
    +--------------------+

    Moliver,

    To answer your question: There may be 2 or 3 things wrong here:

    1) The strings are being double escaped. This can be caused by using addslashes() when magic_quotes_gpc is on, or by passing the data twice via GPC when magic_quotes_gpc is ON.

    2) magic_quotes_runtime is on.

    3) The data is read from the database and then passed to another script via GPC before being accessed and magic_quotes_gpc is on.

    Answers to the various scenarios:

    1) both unlikely, but if the data is sent using GPC more than once you'll need to use stripslashes() at some point to remove one set of escaping backslashes. If you are using addslashes(), stop, as magic_quotes_gpc is already escaping.

    2) Most likely. You can use set_magic_quotes_runtime=0 at the top of each php page where you are selecting from the database. This will stop the magic_quotes_runtime directive from escaping data read from the db.

    This directive is useful only in rare cases (transferring data from db to db or text file to db, etc) and should be OFF in most configurations, but, unfortunately, many administrators don't really know what they are doing and turn it on.

    3) (Unlikely) You'll have to use stripslashes after passing the data.

    HTH.

    Rodney Kreisler
  14. #8
  15. No Profile Picture
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 1999
    Location
    Niagara Falls (On the wrong side of the gorge)
    Posts
    3,237
    Rep Power
    19
    Ooops! The proper use is:
    set_magic_quotes_runtime(0);
    not =0

    I failed to mention... you can use get_magic_quotes_gpc() and get_magic_quotes_runtime() to check their on/off status.

    Note: there is no set_magic_quotes_gpc() function.
  16. #9
  17. No Profile Picture
    Gödelian monster
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Jul 1999
    Location
    Central Florida, USA
    Posts
    2,307
    Rep Power
    62
    Ya got me there :}

    Yes, it's the other way around, and yes, magic_quotes_runtime was probably turned on, and since phpMyAdmin specifies addslashes() and stripslashes() for every function, this overrides any magic_quotes settings, so phpMyAdmin did not have that problem.
  18. #10
  19. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2000
    Location
    Jackson, TN, USA
    Posts
    18
    Rep Power
    0
    Many, many thanks to all the responses, but I still don't know the solution to my problem. When entering records with phpMyAdmin, I do not have to stripslashes when calling it in web page. How are they accomplishing this?
  20. #11
  21. No Profile Picture
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 1999
    Location
    Niagara Falls (On the wrong side of the gorge)
    Posts
    3,237
    Rep Power
    19
    If you are getting extra backslashes in the fields in the database you are double escaping, which means:

    a) You have magic_quotes_gpc on AND are using addslashes. SOLUTION: don't use addslashes()

    b) You have magic_quotes_gpc on AND are passing the data via GPC more than once. Solution: don't pass them more than once or use stripslashes() to remove the extra set BEFORE inserting.

    If, OTOH, you are not getting extra backslashes in the fields of the db, but see them when the records are selected in PHP, then you have magic_quotes_runtime on and need to turn it off before selecting with set_magic_quotes_runtime(0)

    This is exactly what I wrote before... I don't know how to make it any plainer than that.
  22. #12
  23. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2000
    Location
    Jackson, TN, USA
    Posts
    18
    Rep Power
    0
    I really appreciate all the help, I have figured out what I need to do and all is well. I guess I was asking for more than was possible. I will simply strip the slashes when calling it via php. I can make everything else work properly around that.

    Thanks again,
    Mike
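
The double-escaping diagnosis from posts #7 and #11, as an added example that is not part of the original thread. Magic quotes were removed in PHP 5.4, so the two directives are modelled with addslashes(); `gpc_in`, `stored_value`, `runtime_out`, `round_trip` and the sample input are hypothetical names constructed for illustration, and `stored_value` is a simplified stand-in for how MySQL unescapes a quoted literal.

```php
<?php
// Added illustration: addslashes() is real PHP; helper names and input are constructed.

// magic_quotes_gpc: every GET/POST/COOKIE value is escaped on the way in.
function gpc_in(string $raw, bool $gpcOn): string {
    return $gpcOn ? addslashes($raw) : $raw;
}

// Simplified model of MySQL parsing the body of a quoted literal:
// exactly one level of backslash escaping is consumed before storage.
function stored_value(string $literalBody): string {
    $special = ['0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t"];
    $out = '';
    for ($i = 0, $n = strlen($literalBody); $i < $n; $i++) {
        $c = $literalBody[$i];
        if ($c === '\\' && $i + 1 < $n) {
            $next = $literalBody[++$i];
            $out .= $special[$next] ?? $next;
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// magic_quotes_runtime: every value read back from the database is escaped.
function runtime_out(string $stored, bool $runtimeOn): string {
    return $runtimeOn ? addslashes($stored) : $stored;
}

// Form field -> script -> database -> page, with each switch independent.
function round_trip(string $raw, bool $gpc, bool $extraAddslashes, bool $runtime): array {
    $value = gpc_in($raw, $gpc);
    if ($extraAddslashes) {
        $value = addslashes($value);   // the script escapes a second time
    }
    $stored = stored_value($value);
    return ['stored' => $stored, 'shown' => runtime_out($stored, $runtime)];
}

$raw = 'O\'Brien said "hi"';           // constructed sample input
$cases = [
    'gpc only'           => [true, false, false],
    'gpc + addslashes()' => [true, true,  false],
    'gpc + runtime on'   => [true, false, true],
];
foreach ($cases as $label => [$gpc, $extra, $runtime]) {
    $r = round_trip($raw, $gpc, $extra, $runtime);
    printf("%-19s stored: %-22s shown: %s\n", $label, $r['stored'], $r['shown']);
}
```

Only the second case leaves backslashes in the stored value, and only the third shows them on output while the stored value is clean, which is how the two causes are told apart.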
