September 14th, 2000, 10:59 AM
I am using the phpMyAdmin as a database administrator, however, I need to allow users (not familiar with MySQL or HTML) to be able to manipulate the database in a limited way - no deleting tables or databases and no setting up tables or databases. While I like the phpMyAdmin it is too complicated with these end users and too dangerous. Therefore I have set up my own administrator that works pretty well for adding, editing and deleting records from already created tables.
My problem is quotes, phpMyAdmin handles them perfectly so that there is no extra coding in the output to handle them, however I can't figure it out and I always get slashes in the database that output to html pages. I know I can stripslashes, but phpMyAdmin accounts for it somehow and I don't have to do this for records input using that script. Does anyone know how to handle this totally from the administration side?
September 14th, 2000, 07:03 PM
You have to have the slashes in order to put it into the database, otherwise you'll get errors. Adding the slashes is usually done automatically, if magic_quotes is on. So you basically have to run stripslashes on the text you pull out of the databases. I'm sure PHPMyAdmin does this, too, it's just behind the scenes.
September 14th, 2000, 07:07 PM
I'm not sure how PHPMyAdmin sets up permissions for database users. If you read up on the GRANT command for MySQL, though, you'll learn how to do it yourself.
It is possible to create a database, put a few tables in it, then create users who only have access to that one database. You can decide whether to give them create access, so they can/cannot create other tables. You also decide whether they get select, insert, update, and delete commands for each of the tables. All of this is covered in the MySQL manual. I think you can go all the way down to where they can only manipulate one specific column of a table...
September 15th, 2000, 12:46 AM
In php.ini when magic_quotes_gpc is on, then all data passed TO the database is automatically escaped with the backslash. When magic_quotes_runtime is on, then data OUTPUT from a database to web pages is automatically unescaped (slashes are stripped). PHP generally installs with magic_quotes_gpc on but magic_quotes_runtime off, so if you edit php.ini and turn that on, your problems will most likely go away.
September 15th, 2000, 08:53 AM
Thanks for the reply. I don't know how phpMyAdmin is handling the slash problem, but when I add records using that administration program, I don't have to stripslashes when calling it back out. When I add using my program I do have to stripslashes, so there is something that they are doing that is compensating for that. I have requested a reply from the programmer, but I may never hear from that. I'll just keep on looking and in the meantime stripslashes when I call the info from the database.
As far as turning on or off magic quotes, I don't have control of that, so I will just have to improvise.
September 15th, 2000, 09:31 AM
PHP should be configured to have magic_quotes=on. In the module version of PHP this can also be set on a per-directory base with php3_magic_quotes_gpc on in an .htaccess file or in your Apache's access.conf.
-----------------taken from the INSTALL file from phpmyadmin
September 15th, 2000, 10:20 AM
The information you have given is incorrect. magic_quotes_runtime DOES NOT remove escaping backslashes. From the php manual:
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.
If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.
Furthermore, it is NEVER necessary to remove escaping backslashes from data returned from a database IF the data was PROPERLY escaped when inserted AND IF magic_quotes_runtime is OFF. From the mysql manual:
There are several ways to include quotes within a string:
A `'' inside a string quoted with `'' may be written as `'''.
A `"' inside a string quoted with `"' may be written as `""'.
You can precede the quote character with an escape character (`\').
A `'' inside a string quoted with `"' needs no special treatment and need not be doubled or escaped. In the same way, `"' inside a string quoted with `'' needs no special treatment.
The SELECT statements shown below demonstrate how quoting and escaping work:
mysql> SELECT 'hello', '"hello"', '""hello""', 'hel''lo', '\'hello';
| hello | "hello" | ""hello"" | hel'lo | 'hello |
mysql> SELECT "hello", "'hello'", "''hello''", "hel""lo", "\"hello";
| hello | 'hello' | ''hello'' | hel"lo | "hello |
mysql> SELECT "This\nIs\nFour\nlines";
To answer your question: There may be 2 or 3 things wrong here:
1) The strings are being double escaped. This can be caused by using addslashes() when magic_quotes_gpc is on, or by passing the data twice via GPC when magic_quotes_gpc is ON.
2) magic_quotes_runtime is on.
3) The data is read from the database and then passed to another script via GPC before being accessed and magic_quotes_gpc is on.
Answers to the various scenarios:
1) both unlikely, but if the data is sent using GPC more than once you'll need to use stripslashes() at some point to remove one set of escaping backslashes. If you are using addslashes(), stop, as magic_quotes_gpc is already escaping.
2) Most likely. You can use set_magic_quotes_runtime=0 at the top of each php page where you are selecting from the database. This will stop the magic_quotes_runtime directive from escaping data read from the db.
This directive is useful only in rare cases (transferring data from db to db or text file to db, etc) and should be OFF in most configurations, but, unfortunately, many administrators don't really know what they are doing and turn it on.
3) (Unlikely) You'll have to use stripslashes after passing the data.
September 15th, 2000, 10:25 AM
Ooops! The proper use is:
I failed to mention... you can use get_magic_quotes_gpc() and get_magic_quotes_runtime() to check their on/off status.
Note: there is no set_magic_quotes_gpc() function.
September 15th, 2000, 12:05 PM
Ya got me there :}
Yes, it's the other way around, and yes, magic_quotes_runtime was probably turned on, and since phpMyAdmin specifies addslashes() and stripslashes() for every function, this overrides any magic_quotes settings, so phpMyAdmin did not have that problem.
September 15th, 2000, 12:14 PM
Many, many thanks to all the responses, but I still don't know the solution to my problem. When entering records with phpMyAdmin, I do not have to stripslashes when calling it in a web page. How are they accomplishing this?
September 15th, 2000, 12:42 PM
If you are getting extra backslashes in the fields in the database you are double escaping, which means:
a) You have magic_quotes_gpc on AND are using addslashes. SOLUTION: don't use addslashes()
b) You have magic_quotes_gpc on AND are passing the data via GPC more than once. Solution: don't pass them more than once or use stripslashes() to remove the extra set BEFORE inserting.
If, OTOH, you are not getting extra backslashes in the fields of the db, but see them when the records are selected in PHP, then you have magic_quotes_runtime on and need to turn it off before selecting with set_magic_quotes_runtime(0).
This is exactly what I wrote before... I don't know how to make it any plainer than that.
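The diagnosis in the post above, modelled as an added example that is not part of the original thread or of phpMyAdmin. It assumes addslashes() stands in for the escaping magic_quotes_gpc and magic_quotes_runtime apply, and stripslashes() stands in for MySQL consuming one level of escaping when it parses a quoted string; the function names and the sample string are hypothetical.

```php
<?php
// Assumption: MySQL parsing a quoted string literal consumes exactly one
// level of backslash escaping. stripslashes() models that for quotes and
// backslashes (it does not model sequences such as \n).
function mysql_literal_value(string $escaped): string
{
    return stripslashes($escaped);
}

// Value that lands in the column after $passes rounds of escaping:
// 1 = magic_quotes_gpc alone, 2 = magic_quotes_gpc plus addslashes().
function stored_value(string $raw, int $passes): string
{
    $s = $raw;
    for ($i = 0; $i < $passes; $i++) {
        $s = addslashes($s);
    }
    return mysql_literal_value($s);
}

// Value PHP sees on SELECT; magic_quotes_runtime re-escapes on the way out.
function selected_value(string $in_column, bool $runtime_on): string
{
    return $runtime_on ? addslashes($in_column) : $in_column;
}

// The two-step check from the thread: look in the column first, then
// compare it with what the script receives.
function diagnose(string $raw, string $in_column, string $selected): string
{
    if ($in_column !== $raw) {
        return 'double escaping on insert';
    }
    if ($selected !== $in_column) {
        return 'magic_quotes_runtime is on';
    }
    return 'ok';
}

$raw = 'O\'Reilly said "hi"';   // constructed sample input

foreach ([[1, false], [2, false], [1, true]] as [$passes, $runtime]) {
    $col = stored_value($raw, $passes);
    $out = selected_value($col, $runtime);
    printf("passes=%d runtime=%s column=[%s] selected=[%s] => %s\n",
        $passes, $runtime ? 'on' : 'off', $col, $out,
        diagnose($raw, $col, $out));
}
```

Only the second case leaves backslashes in the column itself; in the third the column is clean and the slashes appear only in what the script reads back.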
September 15th, 2000, 01:48 PM
I really appreciate all the help, I have figured out what I need to do and all is well. I guess I was asking for more than was possible. I will simply strip the slashes when calling it via php. I can make everything else work properly around that.