output escaping problem
on 13.08.2007 15:12:15 by puginews
Before I save input from a form to a database I use (after input
filtering) mysql_real_escape_string.
This means that blabla 'blabla' ... -> blabla \'blabla\' ...
To display this data from the database in the browser, I use stripslashes and
htmlentities.
So far so good.
But what if the input is for example a location:
D:\data\folder\file.exe. Escaped this becomes D:\\data\\folder\\file.exe
No problem here, but how can I display this in a browser again?
Stripslashes removes \ as well as \\, so I am left with
D:datafolderfile.exe. This is not what I want, I want it to show
D:\data\folder\file.exe.
Pugi!
Re: output escaping problem
on 13.08.2007 15:29:55 by luiheidsgoeroe
On Mon, 13 Aug 2007 15:12:15 +0200, Pugi! wrote:
> Before I save input from a form to a database I use (after input
> filtering) mysql_real_escape_string.
> This means that blabla 'blabla' ... -> blabla \'blabla\' ...
No, it means the characters that need escaping are escaped when inserting
in the database, so the data in the database is _the_same_ as your
original string. Unless something like magic_quotes_gpc() is enabled, in
which case you should use stripslashes() on the string before using
mysql_real_escape_string() on it.
> To display this data from database in browser, I use stripslashes and
> htmlentities.
> So far so good.
Nope, just drop the stripslashes.
--
Rik Wasmus
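The round trip Rik describes, as an added example that is not code from the thread: it takes the OP's path value, undoes magic_quotes_gpc on input if that is on, escapes once for the SQL literal, shows that what MySQL stores is the original string, and HTML-escapes once on output, beside the stripslashes() call that produces the OP's broken "D:datafolderfile.exe". No live MySQL connection is available here, so the helpers mysql_escape() and mysql_unescape() are my stand-ins for mysqli_real_escape_string() and for the server's decoding of the literal; undo_magic_quotes(), render() and the sample strings are constructed for the example.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Pipeline: undo magic_quotes_gpc
// (input only), escape once for the SQL literal, store, HTML-escape once on
// output. Assumptions: no live MySQL connection, so mysql_escape() mimics
// mysql_real_escape_string() and mysql_unescape() mimics how the MySQL
// parser decodes a string literal (which is what the server stores).

// Mimic of mysql_real_escape_string() (UTF-8 / latin1 connection).
function mysql_escape(string $s): string
{
    return strtr($s, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\"',
        "\x1a" => '\Z',
    ]);
}

// Mimic of the server side: decode the escape sequences in a literal.
// This is why the value in the table equals the original string.
function mysql_unescape(string $literal): string
{
    static $map = [
        '0' => "\0", 'n' => "\n", 'r' => "\r", 'b' => "\x08", 't' => "\t",
        'Z' => "\x1a", '\\' => "\\", "'" => "'", '"' => '"',
        '%' => '\%', '_' => '\_',   // MySQL keeps these verbatim (LIKE wildcards)
    ];
    return preg_replace_callback('/\\\\(.)/s',
        fn(array $m): string => $map[$m[1]] ?? $m[1], $literal);
}

// The only legitimate stripslashes(): undoing magic_quotes_gpc on INPUT
// (PHP < 5.4). On those versions pass get_magic_quotes_gpc(); on anything
// newer the feature is gone and the flag is simply false.
function undo_magic_quotes(string $fromRequest, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($fromRequest) : $fromRequest;
}

// Output: HTML-escape once. No stripslashes() here, ever.
function render(string $fromDb): string
{
    return htmlspecialchars($fromDb, ENT_QUOTES, 'UTF-8');
}

// --- walk-through with constructed inputs ---------------------------------
$samples = [
    'D:\data\folder\file.exe',                       // the OP's case
    "blabla 'blabla' and a \"double\" quote",         // quotes
    "tab\there, newline\nhere, back\\slash",          // \\ is one backslash
];

foreach ($samples as $typed) {
    // What PHP hands you with magic_quotes_gpc=On: addslashes() applied.
    $gpc    = addslashes($typed);
    $input  = undo_magic_quotes($gpc, true);            // back to $typed
    $sql    = "INSERT INTO files (path) VALUES ('" . mysql_escape($input) . "')";
    $stored = mysql_unescape(mysql_escape($input));     // what MySQL keeps

    printf("typed : %s\nsql   : %s\nstored: %s\n", $typed, $sql, $stored);
    printf("good  : %s\n", render($stored));
    printf("bad   : %s\n\n", render(stripslashes($stored)));   // the OP's bug
    assert($stored === $typed);   // database content == original input
}
```

For the OP's path the "good" line prints D:\data\folder\file.exe and the "bad" line prints D:datafolderfile.exe, which is exactly the symptom in the question: the backslashes were never in the table twice, stripslashes() on output simply deletes the real ones. With prepared statements (mysqli or PDO) the escape step disappears altogether, since the value never becomes part of the SQL text; the output rule stays the same: HTML-escape once, never stripslashes().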
Re: output escaping problem
on 15.08.2007 02:40:46 by charlespb69
On Aug 13, 6:29 am, Rik wrote:
> On Mon, 13 Aug 2007 15:12:15 +0200, Pugi! wrote:
> > Before I save input from a form to a database I use (after input
> > filtering) mysql_real_escape_string.
> > This means that blabla 'blabla' ... -> blabla \'blabla\' ...
>
> No, it means the characters that need escaping are escaped when inserting
> in the database, so the data in the database is _the_same_ as your
> original string. Unless something like magic_quotes_gpc() is enabled, in
> which case you should use stripslashes() on the string before using
> mysql_real_escape_string() on it.
>
> > To display this data from database in browser, I use stripslashes and
> > htmlentities.
> > So far so good.
>
> Nope, just drop the stripslashes.
> --
> Rik Wasmus
When using mysql_real_escape_string you don't need to use stripslashes
Re: output escaping problem
on 15.08.2007 02:45:27 by Michael Fesser
.oO(charlespb69)
>When using mysql_real_escape_string you don't need to use stripslashes
Depends on the setting of magic quotes. If they are enabled, you should
use stripslashes() before doing anything else.
Micha
Re: output escaping problem
on 15.08.2007 10:51:48 by luiheidsgoeroe
On Wed, 15 Aug 2007 02:45:27 +0200, Michael Fesser wrote:
> .oO(charlespb69)
>
>> When using mysql_real_escape_string you don't need to use stripslashes
>
> Depends on the setting of magic quotes. If they are enabled, you should
> use stripslashes() before doing anything else.
Yup, and they're a big pain, so if you get the chance, disable those magic
bastards. Getting the real data provided is in the end so much easier.
--
Rik Wasmus
Re: output escaping problem
on 16.08.2007 06:27:30 by charlespb69
On Aug 15, 1:51 am, Rik wrote:
> On Wed, 15 Aug 2007 02:45:27 +0200, Michael Fesser wrote:
> > .oO(charlespb69)
>
> >> When using mysql_real_escape_string you don't need to use stripslashes
>
> > Depends on the setting of magic quotes. If they are enabled, you should
> > use stripslashes() before doing anything else.
>
> Yup, and they're a big pain, so if you get the chance, disable those magic
> bastards. Getting the real data provided is in the end so much easier.
> --
> Rik Wasmus
With my hosting provider I have access to the php.ini file so I can
turn off magic-quotes.