addslashes, mysql_real_escape_string or magic_quotes_gpc?

on 16.10.2007 18:32:12 by redog6

Hi
I have a webform with many free text fields and have a problem with
apostrophes and single quotes as this breaks the mysql query string.

I obviously need to escape these characters - magic_quotes_gpc sounds
ideal but is not an option as I don't have access to the php.ini file
and it is currently set to 0.

I could use either addslashes or mysql_real_escape_string but do I
have to apply this to every field individually or is there a way to do
it to all in one go?
Any advice on the most suitable method and how to do it in one go
would be greatly appreciated.

Many thanks
Redge
P.S. please reply to this group rather than by email - thanks

Re: addslashes, mysql_real_escape_string or magic_quotes_gpc?

on 16.10.2007 18:59:45 by luiheidsgoeroe

On Tue, 16 Oct 2007 18:32:12 +0200, wrote:

> Hi
> I have a webform with many free text fields and have a problem with
> apostrophes and single quotes as this breaks the mysql query string.
>
> I obviously need to escape these characters - magic_quotes_gpc sounds
> ideal but is not an option as I don't have access to the php.ini file
> and it is currently set to 0.
>
> I could use either addslashes or mysql_real_escape_string but do I
> have to apply this to every field individually or is there a way to do
> it to all in one go?
> Any advice on the most suitable method and how to do it in one go
> would be greatly appreciated.


http://www.php.net/array_map is your friend.


--
Rik Wasmus

Re: addslashes, mysql_real_escape_string or magic_quotes_gpc?

on 16.10.2007 19:01:47 by Good Man

"Rik Wasmus" wrote in
news:op.t0autvy75bnjuv@metallium.lan:

> On Tue, 16 Oct 2007 18:32:12 +0200, wrote:
>
>> Hi
>> I have a webform with many free text fields and have a problem with
>> apostrophes and single quotes as this breaks the mysql query string.
>>
>> I obviously need to escape these characters - magic_quotes_gpc sounds
>> ideal but is not an option as I don't have access to the php.ini file
>> and it is currently set to 0.
>>
>> I could use either addslashes or mysql_real_escape_string but do I
>> have to apply this to every field individually or is there a way to do
>> it to all in one go?
>> Any advice on the most suitable method and how to do it in one go
>> would be greatly appreciated.
>
>
> http://www.php.net/array_map is your friend.

just make sure not to apply it to form variables which are arrays!

Re: addslashes, mysql_real_escape_string or magic_quotes_gpc?

on 16.10.2007 19:05:30 by zeldorblat

On Oct 16, 12:32 pm, red...@hotmail.com wrote:
> Hi
> I have a webform with many free text fields and have a problem with
> apostrophes and single quotes as this breaks the mysql query string.
>
> I obviously need to escape these characters - magic_quotes_gpc sounds
> ideal but is not an option as I don't have access to the php.ini file
> and it is currently set to 0.

Don't use magic quotes. Not only is it going away but it will just
make things more difficult in the long run.

>
> I could use either addslashes or mysql_real_escape_string but do I
> have to apply this to every field individually or is there a way to do
> it to all in one go?
> Any advice on the most suitable method and how to do it in one go
> would be greatly appreciated.
>

People often just escape everything in the $_GET and $_POST arrays
before doing anything with their values. While that might "work," I
really don't recommend it. It's lazy and confines you in several
ways. What if you need to use that data somewhere besides a query?
What if using it elsewhere requires a different kind of escaping (like
htmlentities)?

Escaping should be done as close as possible to the point where it
needs to be escaped -- in the case of SQL queries, escape the data
when you use it in the query:

$query = 'update foo set bar = "' .
mysql_real_escape_string($_GET['baz']) . '" where xyzzy = 42';
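
As an added illustration of the point above (example code written for this page, not posted by anyone in the thread): the same raw value is escaped twice, with a different function for each destination, and only at the moment it is placed into that destination. The table name `comments`, the column names and the `$link` variable are assumed. mysql_real_escape_string is used for the SQL side rather than addslashes because it escapes according to the character set of the connection in `$link`, which addslashes knows nothing about. The mysql_* functions were removed in PHP 7; the mysqli equivalent is mysqli_real_escape_string($link, $s), with the link as the first argument.

```php
<?php
// Added example for this page, not code from the thread.
// Assumes: an open connection in $link, and a table `comments`
// with columns `author` and `body` (all assumed names).

// Constructed form input: apostrophe, double quotes, a backslash and an
// HTML tag, exactly the kind of value that breaks a naively built query.
$raw = array(
    'author' => "O'Brien",
    'body'   => 'She said "hi" <b>there</b> \\ done',
);

// SQL context: escape each value right where it is spliced into the query.
// $columns is a fixed list owned by this code, never taken from the request,
// since mysql_real_escape_string does nothing for identifiers.
function build_insert($link, array $values, array $columns) {
    $names = array();
    $vals  = array();
    foreach ($columns as $col) {
        $names[] = '`' . $col . '`';
        $vals[]  = "'" . mysql_real_escape_string($values[$col], $link) . "'";
    }
    return 'INSERT INTO `comments` (' . implode(', ', $names) . ')'
         . ' VALUES (' . implode(', ', $vals) . ')';
}

// HTML context: a different escaping function for a different destination.
function render_comment(array $values) {
    return '<p><b>' . htmlspecialchars($values['author'], ENT_QUOTES, 'UTF-8')
         . '</b>: ' . htmlspecialchars($values['body'], ENT_QUOTES, 'UTF-8') . '</p>';
}

$sql = build_insert($link, $raw, array('author', 'body'));
if (!mysql_query($sql, $link)) {
    die('insert failed: ' . mysql_error($link));
}

// $raw was never modified, so it can still be escaped correctly for HTML.
echo render_comment($raw);
```

Because the escaping happens inside build_insert and render_comment, $raw stays unescaped and can be reused for a third destination (an e-mail, a log line) with whatever escaping that destination needs; a blanket addslashes over $_POST would already have committed the value to SQL syntax before anyone knew where it was going.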

Re: addslashes, mysql_real_escape_string or magic_quotes_gpc?

on 16.10.2007 19:16:44 by Jerry Stuckle

redog6@hotmail.com wrote:
> Hi
> I have a webform with many free text fields and have a problem with
> apostrophes and single quotes as this breaks the mysql query string.
>
> I obviously need to escape these characters - magic_quotes_gpc sounds
> ideal but is not an option as I don't have access to the php.ini file
> and it is currently set to 0.
>
> I could use either addslashes or mysql_real_escape_string but do I
> have to apply this to every field individually or is there a way to do
> it to all in one go?
> Any advice on the most suitable method and how to do it in one go
> would be greatly appreciated.
>
> Many thanks
> Redge
> P.S please reply to this group rather than by email - thanks
>
>

mysql_real_escape_string() - that's what it's made for.

And yes, you need to apply it to each field separately.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: addslashes, mysql_real_escape_string or magic_quotes_gpc?

on 16.10.2007 19:36:37 by Lars Eighner

In our last episode,
<1192552332.205530.150500@v29g2000prd.googlegroups.com>, the lovely and
talented redog6@hotmail.com broadcast on comp.lang.php:

> I could use either addslashes or mysql_real_escape_string but do I have
> to apply this to every field individually or is there a way to do it to
> all in one go? Any advice on the most suitable method and how to do it in
> one go would be greatly appreciated.


See the "best practice" example in the mysql_real_escape_string page of the
manual. Basically, you want to turn off magic quotes if you can, or test
for magic quotes and undo them if they are on in case you cannot turn them
off. You want to use mysql_real_escape_string, but only on stuff that is
going into a query and you want to use it as close to where you put the
query together as you can (mysql_real_escape_string will not work, or will
not work right unless you have established the db connection that you want
to use -- and if the link you want to use is not the one you most recently
established, you must specify the one you want to use).

--
Lars Eighner
Countdown: 461 days to go.
What do you do when you're debranded?

Re: addslashes, mysql_real_escape_string or magic_quotes_gpc?

on 16.10.2007 19:57:49 by redog6

Many thanks to you all for a useful and speedy response! Best Redge

Re: addslashes, mysql_real_escape_string or magic_quotes_gpc?

on 17.10.2007 13:44:50 by luiheidsgoeroe

On Tue, 16 Oct 2007 19:01:47 +0200, Good Man wrote:

> "Rik Wasmus" wrote in
> news:op.t0autvy75bnjuv@metallium.lan:
>
>> On Tue, 16 Oct 2007 18:32:12 +0200, wrote:
>>
>>> Hi
>>> I have a webform with many free text fields and have a problem with
>>> apostrophes and single quotes as this breaks the mysql query string.
>>>
>>> I obviously need to escape these characters - magic_quotes_gpc sounds
>>> ideal but is not an option as I don't have access to the php.ini file
>>> and it is currently set to 0.
>>>
>>> I could use either addslashes or mysql_real_escape_string but do I
>>> have to apply this to every field individually or is there a way to do
>>> it to all in one go?
>>> Any advice on the most suitable method and how to do it in one go
>>> would be greatly appreciated.
>>
>>
>> http://www.php.net/array_map is your friend.
>
> just make sure not to apply it to form variables which are arrays!

Indeed, good practice would be to leave those arrays always 'as is' and
intact (hence magic_quotes are evil), and just copy the data you need from
them.
--
Rik Wasmus
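
An added example that pulls the thread's advice together (written for this page, not posted by anyone here): Rik's array_map hint, Good Man's warning about array-valued form fields, Lars's points that magic quotes must be undone if the host has them on and that escaping must be tied to a specific connection, and Rik's closing remark that $_POST itself should be left intact. The field names, the table `entries` and the `$link` variable are assumed; the closure needs PHP 5.3 or later, and on PHP 7 and up mysql_real_escape_string($s, $link) would become mysqli_real_escape_string($link, $s).

```php
<?php
// Added example for this page, not code from the thread.
// Assumes: an open connection in $link and a table `entries` with
// columns `name`, `comment` and `tags` (all assumed names).

// Constructed request body, shaped the way PHP fills $_POST for a form
// with two text inputs and a multi-select named tags[].
$post = array(
    'name'    => "D'Arcy",
    'comment' => 'Said "no" and left a backslash \\',
    'tags'    => array("rock'n'roll", 'blues'),
    'extra'   => 'not wanted by this form handler',
);

// Step 1: if the host has magic_quotes_gpc on, strip the slashes it added,
// so each value is escaped exactly once, below. get_magic_quotes_gpc() was
// removed in PHP 8, hence the function_exists() guard.
function unquote_value($v) {
    return is_array($v) ? array_map('unquote_value', $v) : stripslashes($v);
}
function undo_magic_quotes(array $data) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return array_map('unquote_value', $data);
    }
    return $data;
}

// Step 2: copy only the fields this handler needs into a new array,
// escaping strings with the supplied escaper and recursing into array
// fields (tags[]) instead of handing an array to the escaper, which
// would not work. The input array is never modified.
function escape_value($v, $escape) {
    if (is_array($v)) {
        $out = array();
        foreach ($v as $k => $item) {
            $out[$k] = escape_value($item, $escape);
        }
        return $out;
    }
    return call_user_func($escape, (string) $v);
}
function escaped_copy(array $data, array $fields, $escape) {
    $out = array();
    foreach ($fields as $name) {
        $out[$name] = isset($data[$name]) ? escape_value($data[$name], $escape) : '';
    }
    return $out;
}

// Step 3: an escaper bound to one specific connection, passed explicitly
// so it cannot silently pick the most recently opened link.
$escape = function ($s) use ($link) {
    return mysql_real_escape_string($s, $link);
};

$safe = escaped_copy(undo_magic_quotes($post), array('name', 'comment', 'tags'), $escape);

// Every value in $safe is already escaped for this connection, so it can
// be quoted straight into the query; 'extra' was never copied.
$sql = "INSERT INTO `entries` (`name`, `comment`, `tags`) VALUES ('"
     . $safe['name'] . "', '" . $safe['comment'] . "', '"
     . implode(',', $safe['tags']) . "')";
if (!mysql_query($sql, $link)) {
    die('insert failed: ' . mysql_error($link));
}
```

Passing the escaper in as a callable keeps the copying and recursion logic free of any database call, so the same code can be exercised with a stand-in escaper in a test, and it makes explicit which connection a value has been escaped for instead of leaving that to whichever link was opened last.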