mysql_real_escape_string() chopping off after quotes

am 10.08.2007 00:57:21 von Paul Furman

mysql_real_escape_string() is apparently chopping off anything that
follows a quote when I grab the data & put it in a form for editing.
Sorry if I'm not explaining this properly, I'm pretty confused about
what's going on but I'm guessing someone recognizes this problem.

I have code like this:

function db_safe($str) {
$str = addslashes($str);
return $str;
}

function html_safe($str) {
$str = stripslashes($str);
return $str;
}

That's on my live server, I'm not sure if magic quotes is on there or I
forgot to update because my test server version looks like:

function db_safe($str) {
// $str = addslashes($str);
$str = mysql_real_escape_string($str);
return $str;
}


Anyways then there's code like this:

if (isset($_REQUEST["submit"])) {
    $latin_name = html_safe($_REQUEST["latin_name"]);
    // ...
}

if ((isset($_REQUEST["option"])) && ($_REQUEST["option"] == "update")) {
    $id = $_REQUEST["id"];
    $latin_name = db_safe($latin_name);
    // ...
}


and this is where it's chopping off text after the quote:


Re: mysql_real_escape_string() chopping off after quotes

am 10.08.2007 01:17:46 von Paul Furman

Paul Furman wrote:
> mysql_real_escape_string() is apparently chopping off anything that
> follows a quote when I grab the data & put it in a form for editing.
> Sorry if I'm not explaining this properly, I'm pretty confused about
> what's going on but I'm guessing someone recognizes this problem.


It's only chopping off for one of the fields with a single quote. Double
quotes are OK. I don't see where I'm doing anything different with the
two fields.



> I have code like this:
>
> function db_safe($str) {
> $str = addslashes($str);
> return $str;
> }
>
> function html_safe($str) {
> $str = stripslashes($str);
> return $str;
> }
>
> That's on my live server, I'm not sure if magic quotes is on there or I
> forgot to update because my test server version look like:
>
> function db_safe($str) {
> // $str = addslashes($str);
> $str = mysql_real_escape_string($str);
>
>
> Anyways then there's code like this:
>
> if (isset($_REQUEST["submit"])) {
> $latin_name = html_safe($_REQUEST["latin_name"]);
>
>
> if ((isset($_REQUEST["option"])) && ($_REQUEST["option"] ==
> "update")) {
> $id = $_REQUEST["id"];
> $latin_name=db_safe($latin_name);
>
>
> and this is where it's chopping off text after the quote:
>
>
> >
>
>
>


--
Paul Furman Photography
http://edgehill.net
Bay Natives Nursery
http://www.baynatives.com

Re: mysql_real_escape_string() chopping off after quotes

am 10.08.2007 01:32:51 von Michael Fesser

.oO(Paul Furman)

>mysql_real_escape_string() is apparently chopping off anything that
>follows a quote when I grab the data & put it in a form for editing.

It doesn't chop off anything, it's a bug in your output code.

>and this is where it's chopping off text after the quote:
>
> >

Two things:

* Don't rely on short open tags, use instead.

* Have a look at the generated HTML source code - it's all there, just
improperly escaped. When printing anything to an HTML page, use
htmlspecialchars() to escape those characters that have a special
meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See
the manual for details.

http://www.php.net/htmlspecialchars

Micha
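Michael's diagnosis, as an added example that is not code from the thread: a small PHP script (PHP 7.1 or later) that renders the `latin_name` field three ways and models what a browser extracts from the `value` attribute. The cultivar name is a constructed sample value; `ENT_COMPAT` stands in for the default flag set of htmlspecialchars() before PHP 8.1.

```php
<?php
// Added example: the "chopped" value is an HTML-escaping bug in the output,
// not something mysql_real_escape_string() did to the stored string.

// Constructed sample value: a cultivar name containing a single quote.
const SAMPLE = "Ceanothus 'Julia Phelps'";

// The bad field: the raw value is dropped into a single-quoted attribute,
// so the browser ends the attribute at the first ' inside the name.
function render_unescaped_single(string $v): string {
    return "<input name=\"latin_name\" value='$v'>";
}

// htmlspecialchars() with ENT_COMPAT (the default before PHP 8.1) escapes
// only double quotes, so a single-quoted attribute is still truncated.
function render_compat_single(string $v): string {
    return "<input name=\"latin_name\" value='"
        . htmlspecialchars($v, ENT_COMPAT, 'UTF-8') . "'>";
}

// Correct: keep the pure string and escape at the output boundary with
// ENT_QUOTES, which neutralises both quote styles as well as &, < and >.
function render_escaped(string $v): string {
    return '<input name="latin_name" value="'
        . htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Rough model of how a browser tokenises the value attribute: a quoted
// value ends at the first matching quote, then entities are decoded.
function value_as_browser_sees_it(string $html): ?string {
    if (!preg_match('/\bvalue=(["\'])(.*?)\1/s', $html, $m)) {
        return null;
    }
    return html_entity_decode($m[2], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach (['render_unescaped_single', 'render_compat_single', 'render_escaped'] as $fn) {
    $html = $fn(SAMPLE);
    printf("%-24s %s\n", $fn . ':', $html);
    // The first two print "Ceanothus " only; the escaped form round-trips.
    printf("%-24s [%s]\n\n", 'browser sees:', var_export(value_as_browser_sees_it($html), true));
}
```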

Re: mysql_real_escape_string() chopping off after quotes

am 10.08.2007 02:14:59 von Paul Furman

Michael Fesser wrote:

> .oO(Paul Furman)
>
>>mysql_real_escape_string() is apparently chopping off anything that
>>follows a quote when I grab the data & put it in a form for editing.
>
> It doesn't chop off anything, it's a bug in your output code.
>
>>and this is where it's chopping off text after the quote:
>>
>> >>


Ah, thank you!!

The bad field was using single quotes:
value=''>

The good field had double quotes:
value="">


> Two things:
>
> * Don't rely on short open tags, use instead.

Yes, thanks, my code is quite a mess, partly due to collaboration. I
wondered why some were done in that fashion, now I know it's not good
practice.

> * Have a look at the generated HTML source code - it's all there, just
> improperly escaped. When printing anything to an HTML page, use
> htmlspecialchars() to escape those characters that have a special
> meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See
> the manual for details.
>
> http://www.php.net/htmlspecialchars

Thanks again, it sounds like I should run that in my html_safe()
function along with stripslashes().



Re: mysql_real_escape_string() chopping off after quotes

am 10.08.2007 03:15:45 von Jerry Stuckle

Paul Furman wrote:
> mysql_real_escape_string() is apparently chopping off anything that
> follows a quote when I grab the data & put it in a form for editing.
> Sorry if I'm not explaining this properly, I'm pretty confused about
> what's going on but I'm guessing someone recognizes this problem.
>
> I have code like this:
>
> function db_safe($str) {
> $str = addslashes($str);
> return $str;
> }
>
> function html_safe($str) {
> $str = stripslashes($str);
> return $str;
> }
>
> That's on my live server, I'm not sure if magic quotes is on there or I
> forgot to update because my test server version look like:
>
> function db_safe($str) {
> // $str = addslashes($str);
> $str = mysql_real_escape_string($str);
>
>
> Anyways then there's code like this:
>
> if (isset($_REQUEST["submit"])) {
> $latin_name = html_safe($_REQUEST["latin_name"]);
>
>
> if ((isset($_REQUEST["option"])) && ($_REQUEST["option"] ==
> "update")) {
> $id = $_REQUEST["id"];
> $latin_name=db_safe($latin_name);
>
>
> and this is where it's chopping off text after the quote:
>
>
> >
>
>
>

Check your page source code - you'll probably find it there.

You shouldn't be calling mysql_real_escape_string() on data which is to
be displayed. It should only be called for data you're passing on a
database call.

And if you're going to display it, you should be calling htmlentities as
you display it.

Don't keep the data in your program in either mysql or html encoded
format. Keep the pure string and just massage it as necessary, i.e.

value="">

Also note that I'm not using short tags. Too many hosts have it disabled.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: mysql_real_escape_string() chopping off after quotes

am 10.08.2007 05:01:33 von Paul Furman

Paul Furman wrote:

> Michael Fesser wrote:
>
>> When printing anything to an HTML page, use
>> htmlspecialchars() to escape those characters that have a special
>> meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See
>> the manual for details.
>>
>> http://www.php.net/htmlspecialchars
>
> Thanks again, it sounds like I should run that in my html_safe()
> function along with stripslashes().

Just a followup on the htmlspecialchars idea, I tried it & had to
disable it... if I used that, I'd need to be more selective than my
html_safe function because it disabled my ability to add content from
the admin interface with links & images. But thanks for mentioning it.


Re: mysql_real_escape_string() chopping off after quotes

am 10.08.2007 05:21:41 von Jerry Stuckle

Paul Furman wrote:
> Paul Furman wrote:
>
>> Michael Fesser wrote:
>>
>>> When printing anything to an HTML page, use
>>> htmlspecialchars() to escape those characters that have a special
>>> meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See
>>> the manual for details.
>>>
>>> http://www.php.net/htmlspecialchars
>>
>> Thanks again, it sounds like I should run that in my html_safe()
>> function along with stripslashes().
>
> Just a followup on the htmlspecialchars idea, I tried it & had to
> disable it... if I used that, I'd need to be more selective than my
> html_safe function because it disabled my ability to add content from
> the admin interface with links & images. But thanks for mentioning it.
>

If it's affecting links and images, you aren't being selective enough!

Like any other function - call it if you need to. But it's not meant to
be called for everything you're displaying.


Re: mysql_real_escape_string() chopping off after quotes

am 11.08.2007 07:03:17 von Paul Furman

Jerry Stuckle wrote:
> Paul Furman wrote:
>> Paul Furman wrote:
>>> Michael Fesser wrote:
>>>
>>>> When printing anything to an HTML page, use
>>>> htmlspecialchars() to escape those characters that have a special
>>>> meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See
>>>> the manual for details.
>>>>
>>>> http://www.php.net/htmlspecialchars
>>>
>>> Thanks again, it sounds like I should run that in my html_safe()
>>> function along with stripslashes().
>>
>> Just a followup on the htmlspecialchars idea, I tried it & had to
>> disable it... if I used that, I'd need to be more selective than my
>> html_safe function because it disabled my ability to add content from
>> the admin interface with links & images. But thanks for mentioning it.
>
> If it's affecting links and images, you aren't being selective enough!
>
> Like any other function - call it if you need to. But it's not meant to
> be called for everything you're displaying.

Yes, agreed. My html_safe() function is being applied to anything that
leaves the MySQL database and anything entering gets the db_safe()
function applied. I don't really know why I'd need it except as a
catch-all at this point but good to know it exists if I encounter these
problems again and another handy way to display html code without being
interpreted by the browser.


Re: mysql_real_escape_string() chopping off after quotes

am 11.08.2007 15:43:52 von Jerry Stuckle

Paul Furman wrote:
> Jerry Stuckle wrote:
>> Paul Furman wrote:
>>> Paul Furman wrote:
>>>> Michael Fesser wrote:
>>>>
>>>>> When printing anything to an HTML page, use
>>>>> htmlspecialchars() to escape those characters that have a special
>>>>> meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag.
>>>>> See
>>>>> the manual for details.
>>>>>
>>>>> http://www.php.net/htmlspecialchars
>>>>
>>>> Thanks again, it sounds like I should run that in my html_safe()
>>>> function along with stripslashes().
>>>
>>> Just a followup on the htmlspecialchars idea, I tried it & had to
>>> disable it... if I used that, I'd need to be more selective than my
>>> html_safe function because it disabled my ability to add content from
>>> the admin interface with links & images. But thanks for mentioning it.
>>
>> If it's affecting links and images, you aren't being selective enough!
>>
>> Like any other function - call it if you need to. But it's not meant
>> to be called for everything you're displaying.
>
> Yes, agreed. My html_safe() function is being applied to anything that
> leaves the MySQL database and anything entering gets the db_safe()
> function applied. I don't really know why I'd need it except as a
> catch-all at this point but good to know it exists if I encounter these
> problems again and another handy way to display html code without being
> interpreted by the browser.
>

Yep, but I just call mysql_real_escape_string() on the data as it is
being inserted into the database, i.e.

// The escaped value must sit inside SQL string quotes; without them the
// escaping does nothing and the statement is not even valid SQL.
$result = mysql_query("INSERT INTO mytable VALUES ('" .
mysql_real_escape_string($val) . "')");

Or if I'm going to display the data:

echo htmlspecialchars($val);

I don't change the variable itself. I might need it in its "pure form"
again.
