apostrophes everywhere

on 18.02.2006 23:36:28 by Andrew Darrow

Having a weird problem.

Here's the call:

DBAddBlog($blog, $today);


And here's the function
/***********************************************************
* FUNCTION: DBAddBlog($blog, $today)
*
* DESCRIPTION: adds the blog
*
* RETURNED: nothing
**********************************************************/
function DBAddBlog($blog, $today)
{
mysql_query("UPDATE `table` SET `id` = '3' WHERE `id` =2");
mysql_query("UPDATE `table` SET `id` = '2' WHERE `id` =1");
mysql_query("INSERT INTO `table` ( `id` , `date` , `blog` ) VALUES ('1', '$today', '$blog')");
mysql_query("DELETE FROM `table` WHERE `id` ='3' ");
}



Everything gets run except for the INSERT INTO if there is an apostrophe in
the value $blog. If I replace the apostrophe with ' it works fine.

On my server I'm running PHP 4.4 and MySQL 4.1.16. I design there and
publish elsewhere. On my server everything works fine all the time, but on
the production server I'm running PHP 4.3.11 and MySQL 4.1.12, and that's where
I'm having problems with the apostrophe.

~Drew
www.drewpydraws.com

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: apostrophes everywhere

on 19.02.2006 00:27:10 by Stut

Andrew Darrow wrote:
> Everything gets run except for the INSERT INTO if there is an apostrophe in
> the value $blog. If I replace the apostrophe with ' it works fine.
>
> On my server I'm running PHP 4.4 and MySQL 4.1.16. I design there and
> publish elsewhere. On my server everything works fine all the time, but on
> the production server I'm running PHP 4.3.11 and MySQL 4.1.12, and that's where
> I'm having problems with the apostrophe.

RTFM: http://php.net/mysql_real_escape_string and
http://php.net/magic_quotes

-Stut


Re: apostrophes everywhere

on 20.02.2006 07:16:03 by Julien Bonastre

Firstly, I believe I speak on behalf of the other users on this list
when I tell you that I do NOT need a secondary copy of your email posted
on this mailing list with a different subject, I am quite capable of
reading the first one.


Finally, I would suggest looking into the htmlspecialchars($str)
function or as the previous poster pointed out, check out the manuals in
relation to string/HTML escaping routines.


Next, just as I look over that snippet I spot a little anomaly, or is it
just me?

mysql_query("DELETE FROM `table` WHERE `id` ='3' ");

is placed AFTER you have set the previous record that used to hold 2 in
its 'id' field to 3.

Therefore are you not deleting two records here? I would assume so.. You
are deleting the oldest one, and also the second oldest.

I would recommend placing the deletion statement BEFORE you change the
2nd oldest record to the 3rd. :-)

Order of operations is critical here.


tata!


---oOo--- Allowing users to execute CGI scripts in any directory should
only be considered if: ... a. You have no users, and nobody ever visits
your server. ... Extracted Quote: Security Tips - Apache HTTP Server ---oOo---
------oOo---------------oOo------
Julien Bonastre [The_RadiX]
The-Spectrum Network CEO
ABN: 64 235 749 494
julien@the-spectrum.org
www.the-spectrum.org
------oOo---------------oOo------
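The following is an added example, not code from the thread or from Drew's site. It shows the three points raised so far in one runnable script: why an apostrophe in $blog breaks the interpolated INSERT (and why that same hole is an SQL injection), why htmlspecialchars() is the wrong tool because it escapes for HTML rather than for SQL, and the rotation from DBAddBlog() rewritten so the value is bound as a parameter and the oldest row is deleted before the others are shifted. It uses PDO against an in-memory SQLite database so it runs offline; the table name `blog`, the seed rows and the column layout are assumptions made for the demo, not the original schema.

```php
<?php
// Added example (not from the thread): the apostrophe failure, why an HTML
// escape does not fix it, and DBAddBlog()'s rotation rewritten with prepared
// statements. Runs offline against an in-memory SQLite database via PDO; the
// table name `blog` and the seed rows are assumptions made for this demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY, date TEXT, blog TEXT)');
$pdo->exec("INSERT INTO blog (id, date, blog) VALUES (1, '2006-02-17', 'older'), (2, '2006-02-16', 'oldest')");

$today = '2006-02-18';
$blog  = "Drew's first post";   // the kind of value that broke the original INSERT

// 1. Interpolating the value into the SQL text, as the original does: the
//    apostrophe closes the string literal early, the statement is a syntax
//    error and the post is silently lost (mysql_query() just returned false).
try {
    $pdo->exec("INSERT INTO blog (id, date, blog) VALUES (3, '$today', '$blog')");
    echo "unexpected: interpolated INSERT succeeded\n";
} catch (PDOException $e) {
    echo "interpolated INSERT failed: ", $e->getMessage(), "\n";
}

// 2. htmlspecialchars() is an HTML escape, not an SQL escape. With its default
//    flags it leaves the single quote alone, so the query breaks exactly as
//    above; with ENT_QUOTES it stores &#039; in the database, mangling the
//    data for every consumer that is not an HTML page.
$asHtml = htmlspecialchars($blog);
assert(strpos($asHtml, "'") !== false);   // the bare quote is still there

// 3. The rotation, with the value bound as a parameter instead of pasted into
//    the query. Deleting the oldest row first and then shifting uses three
//    statements instead of four, and the transaction guarantees the two-row
//    window is never left half-shifted if a statement fails.
function addBlog(PDO $pdo, string $today, string $blog): void
{
    $pdo->beginTransaction();
    try {
        $pdo->exec('DELETE FROM blog WHERE id = 2');
        $pdo->exec('UPDATE blog SET id = 2 WHERE id = 1');
        $stmt = $pdo->prepare(
            'INSERT INTO blog (id, date, blog) VALUES (1, :date, :blog)'
        );
        $stmt->execute([':date' => $today, ':blog' => $blog]);
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack();
        throw $e;
    }
}

addBlog($pdo, $today, $blog);
// A classic injection payload is stored as text, never run as SQL.
addBlog($pdo, $today, "x'); DELETE FROM blog; --");

foreach ($pdo->query('SELECT id, date, blog FROM blog ORDER BY id') as $row) {
    printf("%d  %s  %s\n", $row['id'], $row['date'], $row['blog']);
}
```

On the PHP 4 / mysql_* stack the thread is about, where prepared statements are not available, the equivalent of step 3 is to pass every interpolated value through mysql_real_escape_string() with the open connection as its second argument (it escapes according to the connection's character set). One caveat worth checking when the same script behaves differently on two servers: if magic_quotes_gpc is on in one php.ini and off in the other, request data arrives already backslash-escaped on one box and raw on the other, so code that relies on that setting works on one and breaks on the other. The robust pattern is to undo it (stripslashes() when get_magic_quotes_gpc() is true) and then escape explicitly yourself.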




Re: apostrophes everywhere

on 20.02.2006 08:21:40 by sub

My apologies for the duplicate post. In an effort to keep everything I
subscribe to from cluttering my inbox I set up a secondary address for my
subscriptions. Normally when I accidentally post to a list from my primary
address it simply bounces back and tells me to subscribe. I'm not sure why
it didn't this time (shrug), and hadn't noticed that it was sent out before
I sent out the second one.

I do see what you mean by the order of operations. This could be written in
3 sql_queries instead of 4. While this particular project isn't that taxing
on my server, my next project is similar, but on a much larger scale. Thanks
for the tip.

I looked at several of the function suggestions and indeed stumbled across
htmlspecialchars when doing research on another suggestion:
mysqli_real_escape_string, which I couldn't use since I'm not on PHP5. While
htmlspecialchars may not offer as much security as the latter, it should work
for my purposes.

Thanks for your help, and again sorry for the duplicate post. I'm really not
an idiot, I just have too many e-mail addresses.


~Drew
www.drewpydraws.com


Re: apostrophes everywhere

on 20.02.2006 09:14:23 by Stut

sub@drewpydraws.com wrote:

>I looked at several of the function suggestions and indeed stumbled across
>htmlspecialchars when doing research on another suggestion:
>mysqli_real_escape_string, which I couldn't use since I'm not on PHP5. While
>htmlspecialchars may not offer as much security as the latter, it should work
>for my purposes.
>
>
Just to clarify, my suggestion was mysql_real_escape_string, not
mysqli_real_escape_string. The former is available on PHP4 >= 4.3.0 and
PHP5. That's the function the link I posted goes to
(http://php.net/mysql_real_escape_string).

-Stut
