On 19-Dec-2001 TD - Sales International Holland B.V. wrote:
> On Wednesday 19 December 2001 13:12, you wrote:
>
> "test\"" === 'test"' evals true :-)
> what I don't get however, the second the var is set like
> $string = "escaping \" quotes";
> the backslash disappears in the variable. The backslash is no longer there,
> thus having the statement
>
> mysql_query("insert into table values(\"$string\")");
> would be interpreted:
> mysql_query("insert into table values(\"test"\")");
> in which case the quote shouldn't appear in the database because it will see
> that as the delimiter of the first one, however I think mysql_query fixes
> this by adding a backslash to it which is interpreted by mysql again because it
> doesn't store the backslash. The only problem I still have is HTML. If I
> insert quotes into a field and retrieve them for my form like this:
> <INPUT TYPE=TEXT NAME="name" VALUE="$string">
> the value will stop at the first quote in the string, dropping the rest on the
> floor since it doesn't recognize it (most likely) as a tag. So there's an
> exploit there (only HTML/Javascript though, not PHP) since you could insert a
> field like
> value"><script bla bla bla insert your favorite site mess'm'upper javascript
> here></script><!-- --
>
> so I need to fix that. Otherwise it goes fine. Normally I'd understand this
> perfectly but with all these magic quotes and the mysql functions apparently
> adding the backslashes for escaping and PHP automatically type casting
> variables it has become vague as hell to me :/
>
> thanks for the help so far people, the sky is finally clearing up :-)
>
Where possible, I'll use single quoting to avoid chasing down silly escape
errors:
mysql_query("insert into table values('$string')");
Try it. Makes life easier.
Regards,
--
Don Read [EMAIL PROTECTED]
-- It is necessary for me to learn from others' mistakes. I
will not live long enough to make them all by myself.
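Don's single-quoting tip settles the SQL side, but the HTML side the original poster describes (a stored quote closing the VALUE="..." attribute) is a separate escaping context. The following is an added example, not code from either poster: it binds the value as a query parameter instead of interpolating it into the mysql_query() string, and encodes it for the attribute context before emitting the form field. It assumes PDO with an in-memory SQLite database so it runs offline; the table name `items` and column `name` are placeholders.

```php
<?php
// Added example (not from the thread). Two escaping contexts, handled
// separately: SQL (parameter binding) and HTML attribute (encoding).
// Uses an in-memory SQLite database via PDO; "items"/"name" are
// placeholder names standing in for the poster's "table".

// Constructed inputs: the harmless case from the thread and a value of
// the shape the poster warned about (quote that closes the attribute).
$string  = 'escaping " quotes';
$hostile = 'value"><script>/* constructed */</script><!-- --';

// --- SQL side --------------------------------------------------------
// The value is passed as a bound parameter, so it never becomes part of
// the SQL grammar: quotes and backslashes inside it are plain data, and
// no magic_quotes or hand-added backslashes are involved.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (name TEXT)');

$insert = $pdo->prepare('INSERT INTO items (name) VALUES (:name)');
foreach ([$string, $hostile] as $value) {
    $insert->execute([':name' => $value]);
}

// Read the rows back: what comes out is exactly what went in, with no
// backslashes added and nothing truncated at a quote.
$rows = $pdo->query('SELECT name FROM items')->fetchAll(PDO::FETCH_COLUMN);

// --- HTML side -------------------------------------------------------
// A raw value inside VALUE="..." ends the attribute at the first double
// quote. Encoding for the attribute context turns " into &quot; and
// < > into &lt; &gt;, so the browser keeps the whole value as text.
function inputField(string $fieldName, string $value): string
{
    $safeName  = htmlspecialchars($fieldName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeValue = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $safeName . '" value="' . $safeValue . '">';
}

foreach ($rows as $row) {
    echo inputField('name', $row), PHP_EOL;
}
```

The same value needs encoding again with a different function if it is later placed inside a JavaScript string or a URL; htmlspecialchars() only covers HTML text and attribute positions.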