PHP - Don't Display Escape Characters
I've got a basic text input area within a form for users to add a brief bio about themselves. I made sure to use mysql_real_escape_string to avoid problems with special characters. However, when I want to display the content within the text area when a user chooses to update or change their bio, the text displays the escape characters.
How do I display data from my db without the user having to deal with the escape characters?

Similar Tutorials

Hello. My client and I are trying to figure out a strange issue with exporting blobs. We are trying to sync a WAMP based database and local MySQL database. The problem is with blob columns.
The issue: When exporting a blob, the local MySQL dump command inserts an escape character "\" before characters such as NUL, TAB and LF, and I am assuming a lot more. My PHP export function (opens a file, SELECT * FROM tbl, writes to the file) does not do this. The main issue is that my client cannot import my PHP dump files when there are blobs, which I suppose is because they are missing these escape characters. He can however re-import his own MySQL dumps. I know I could remedy this by using PHP string replace functions to find each character and insert a '\' before it, but I don't know which characters will need to be escaped. I also feel like there is a more simple solution. For example this is what I have, and it worked for a tiny 1 pixel image, but not for something complex:

    $val = str_replace(chr(0), '\0', $val);                 // NUL -> \0
    $val = str_replace(chr(0x9), chr(0x5c).chr(0x9), $val); // TAB -> \<TAB>
    $val = str_replace(chr(0xa), chr(0x5c).chr(0xa), $val); // LF  -> \<LF>

Thanks

---

I am having problems understanding how to sanitize my form data so it is safe to INSERT. If I use this code...

    $trimmed = array_map('trim', $_POST);
    $body = mysqli_real_escape_string($dbc, $trimmed['body']);

And I enter into my form...

    O'Reilly's book

Then I see this in phpMyAdmin...

    O\'Reilly\'s book

If I use this code...

    $trimmed = array_map('trim', $_POST);
    $body = $trimmed['body'];

And I enter into my form...

    O'Reilly's book

Then I see this in phpMyAdmin...

    O'Reilly's book

Why the strange behavior??

Debbie

---

Hello

I am still fairly new to the PDO / mysqli thing and I would really appreciate some help with escaping special characters from the below code.

    $sth = ("SELECT * from table WHERE field1 = '$bob' and field2 != ''");
    foreach ($dbh->query($sth) as $row) {
        $who = $row['field2'];
        $why = $row['field1'];
        $dbh1->query("UPDATE table SET who = '$who', date = '$row[DATE]', time = '$row[TIME]' WHERE field1 = '$why'") or die(mysqli_error($db));
    }

I have tried using the prepared statement as well as the mysqli_real_escape_string but it sees the code results as an object. Any help or comments would be greatly appreciated.

---

Hey, I wasn't able to add/edit some text in the mysql database because of some character. How can I bypass them? Should I use mysql_real_escape_string()? If yes, how do I make it work with the code I've got? Thanks

    <?php
    include "../configdb.php";
    $id = $_GET['id'];
    if(isset($_POST['submit'])) {
        //global variables
        $name = $_POST['name'];
        $footer = $_POST['footer'];
        //run the query which adds the data gathered from the form into the database
        $result = mysql_query("UPDATE pages SET name='$name', footer='$footer' WHERE id='$id' ",$connect);
        echo "<b>Your Page have been edited successfully</b>";
        // echo "<meta http-equiv=Refresh content=2;url=index.php>";
    } elseif($id) {
        $result = mysql_query("SELECT * FROM pages WHERE id='$id' ",$connect);
        while($row = mysql_fetch_assoc($result)) {
    ?>
    <h3>::Edit Page</h3>
    <form method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>?id=<?php echo $row['id']?>">
    <input type="hidden" name="id" value="<?php echo $row['id']?>">
    <textarea name="name"><?php echo $row['name']?></textarea>
    <input name="footer" size="40" maxlength="255" value="<?php echo $row['footer']?>">
    <input type="submit" name="submit" value="Submit">
    </form>
    <?php
        }
    }
    ?>

---

I have a MySQL DB table and DB column with utf8_unicode_ci collation. I'm getting two columns out of the DB, one with the name of a language in English, the other the name of the language in the native tongue. The values in the database store/display properly from phpMyAdmin. However, the "native-tongue" text does not display properly on the site. (See attached image.) I tried htmlentities( $str, ENT_COMPAT, 'UTF-8' ) for displaying, but that seems to make things worse (French, Portuguese, Spanish, and Turkish all display as empty; something I have not seen before). I thought that the htmlentities function should cure this, but since it does not, I am stumped. Any help is appreciated.

---

Hi guys, I am still working on the same code, but encountered another problem. I have a form that takes input into a MySQL database. It is 5 fields (id, title, category, content, tags). Then I have a form on a new page that searches with FullText on the (title and tags) fields and echoes a link with the content of the result like this:

    $link = "<h2><a class='example7' href='tutorial.php?id=" . $rowS['id']
        . "&title=" . htmlentities($rowS['title'], ENT_QUOTES)
        . "&category=" . htmlentities($rowS['category'], ENT_QUOTES)
        . "&content=" . htmlentities($rowS['content'], ENT_QUOTES)
        . "&tags=" . htmlentities($rowS['tags'], ENT_QUOTES)
        . "'>" . htmlentities($rowS['title'], ENT_QUOTES) . "</a></h2><br><br>";

Then when the user clicks this link, it takes them to the tutorial.php page; all it does is echo the content passed by this link and make it look nice. The problem is that when the data of the content field is greater than 3972 characters in length it doesn't generate the code in the tutorial.php page. It's like the url is too long to be passed or something... Is that my problem, that I'm passing the content in a url? If that is the problem then how can I correct it? How else can I pass the result from the link to the tutorial.php page?

---

I have a problem with the three special characters in the Danish language: æ, ø and å. I have created a database with a simple table manually within phpMyAdmin, and I have added contents, which is text with the letters mentioned. Everything looks correct in here. But when I get the content of the database written out via a php document, these three letters are replaced with a box sign.

In phpMyAdmin I chose "utf8_danish_ci" as collation. And here is the code of the php document writing out the content of the database table, named "lille_tabel", with the password written with stars.

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    </head>
    <body>
    <?php
    $server = "localhost";
    $brugernavn = "root";
    $kodeord = "************";
    $db = "lille";
    mysql_connect($server,$brugernavn,$kodeord) or die(mysql_error());
    echo "Forbundet til MySQL server<br/>";
    mysql_select_db($db) or die(mysql_error());
    echo "Forbundet til Databasen<br/>";
    $data = mysql_query("SELECT * FROM lilletabel") or die(mysql_error());
    while ($info = mysql_fetch_array($data)) {
        echo "ID: ".$info['id']."<br/>";
        echo "Navn: ".$info['navn']."<br/>";
        echo "Tekst: ".$info['tekst']."<br/>"."<br/>";
    }
    ?>
    </body>
    </html>

By the way: I use Dreamweaver. I hope someone has suggestions to pinpoint the problem ... Regards, Erik

---

Hi guys, I think escaping is the correct term, apologies if it's not. Could anyone show me how I can escape this so it works? Thanks

    echo "[ - <a href="/$dir/game_play.php">Play</a> - ]";

---

Hey!

    echo "<ol type=\"a"\>";

This gives an error, how am I supposed to escape the " " correctly?

---

I have a front page and a page for news, and I want to set it up so the front page shows news but only 100 characters, and the news page shows all the text. I did that with substr($news, 0, 100); but I have a problem when I have in $news text like this:

    Hi everyone. <b>Bold</b>

Now substr counts <b> and </b> as characters; how can I escape that <b> </b>, <u> </u> and others?

---

Hello, I was wondering if I need to escape all GET values. I often use a $_GET variable as in mypage.php?id=variable for selecting records to view etc. I usually convert this to a variable to be used in a WHERE statement.

    IF ($_GET['id']){
        $id=$_GET['id'];
    }

But what if someone tried to view all records:

    http://www.mypage.com/page.php?id=0';SELECT%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0

resulting in all content page data being displayed somehow. Or better yet, if visiting

    http://www.mypage.com/page.php?id=0';DELETE%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0

resulted in all content being deleted. Is that even possible in the context of a MySQL WHERE statement? Seems like the MySQL statement wouldn't be structured correctly and wouldn't work. I use mysqli_real_escape_string on posted content but should I also escape all GET input?

---

Hi Chaps, this is really getting my back up as it's never happened before... I'm doing a site on a server I'm not familiar with and it's causing me problems

    <?
    if(isset($_POST['upload'])) {
        include 'dbconnection.php';
        $ttitle = mysql_real_escape_string($_POST['ttitle']);
        $ttitle2 = mysql_real_escape_string($_POST['ttitle2']);
        $query = "INSERT INTO test ( ttitle, ttitle2) ". "VALUES ('$ttitle', '$ttitle2' )";
        mysql_query($query) or die('Error, query failed : ' . mysql_error());
        echo "<br>File uploaded<br>";
    }
    ?>

The database table is showing that it includes the backslash in the record, whereas I understood mysql_real_escape_string was only used to carry the data, and the backslash wouldn't be included. From the server's php.ini file (ver 5.2.17):

    magic_quotes_gpc     Off  Off
    magic_quotes_runtime Off  Off
    magic_quotes_sybase  Off  Off

Is there something I can do to get this sorted, as I don't want to add stripslashes() throughout the site. As with the above, I have some forms with loads of fields, so if there is some way of adding a function that would be great.... thanks in advance

---

I haven't coded HTML or PHP in several years and am trying to get back into it. Seems to me that there were some nifty tricks so that when you were concatenating HTML and PHP you didn't get a bird's nest. Maybe it was using something like { } but I don't recall. I also seem to recall that wisely choosing where to use single (') and double (") quotes was key! For example, how could this code be cleaner?

    echo '<table id="membershipPlans">
    <!-- Column Groups -->
    <colgroup>
    <col id="feature">'."\r";
    foreach ($plan_names as $p_id => $p_name):
        echo '<col id="option0'.$p_id.'">'."\r";
    endforeach;
    echo '</colgroup>';

---

Hi, when I submit the form using the following text...

    -1 OR 1=1) AND 1=(SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@VERSION),1,1)),0)>25),1,2))

that was sent by the hacker on my website, I am trying to escape the above and filter it... I am using the mysql_real_escape_string and trim functions.. but nothing is escaped... can you give me a suggestion, please help me

---

Hello, I am having a problem trying to write to a database using mysql real escape so there won't be any injection attacks. I tried using myrealescape and it returns errors:

    Notice: Use of undefined constant messageTo - assumed 'messageTo' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17
    Notice: Use of undefined constant messageSubject - assumed 'messageSubject' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17
    Notice: Use of undefined constant messageBody - assumed 'messageBody' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17

I add in the single quotes and it doesn't write either. Dreamweaver says that with single quotes or not there are no syntax errors. What's going on? I have used it like this before

    ('$ID','" . mysql_real_escape_string($_POST[post_content]) . "')

and had no problems.. ~AJ

    <?php
    require_once('connect.php');
    if(isset($_COOKIE['user'])){}else{
        header( 'Location: members.php');
    }
    if (isset($_POST['sendBtn'])){
        $messageFrom = $_COOKIE['user'];
        $messageTo = $_POST['messageTo'];
        $hash = $messageTo.$messageFrom.time();
        $hash = md5($hash);
        mysql_select_db("majik");
        $sql="INSERT INTO messagesystem(ID, hash, messageTo, messageFrom, messageSubject, messageBody, messageDate, messageRead, messageDelete) VALUES ('','$hash','" . mysql_real_escape_string($_POST['messageTo']) . "','$messageFrom','" . mysql_real_escape_string($_POST['messageSubject']) . "','" . mysql_real_escape_string($_POST['messageBody']) . "','0','0')";
        echo '<center>Your message was sent to: '.$messageTo.'</center>';
    }
    ?>

---

I'm using a PHP foreach loop to set Javascript array values from PHP array values. The problem is that some of the array values contain double quotes (") so it compromises the JS script. Is there a PHP function that automatically escapes each double quote in a given string?

---

My host's version of php just seems to automatically add the backslashes. Adding the escape string just seems to add like 3 of them rather than 1. Is this command out-of-date?

---

Hi, I have a site where users can register etc. I was wondering, should I use mysql_real_escape_string() for the elements on my registration form, for example email, name and so on, or is it not necessary? One more question: could someone tell me if this is the proper way to use it before inserting into the database?

    $name=$_POST['name'];
    mysql_real_escape_string($name)

---

Hi,

I'm currently passing an array of values to be updated in my database, but am struggling on the best way to escape the quotation marks around the NOW statement below, as I understand this will only work without them. This is what is being passed to the DB, which does not currently work. I'm seeking some help to find the best way to remove the "" from around the NOW statement, but retain it in the array structure, which I believe needs the '' to understand it's a value.

    UPDATE staff SET staff_last_login="NOW()" WHERE staff_id="1"

    array('staff_last_login'=>'NOW()')

My question is: what's the best way to escape this? I understand forward slashes can sometimes be used, and double quotes, but I feel like I have exhausted all my known options. Any help much appreciated. MoFish
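The opening question (escape characters showing up when the bio is put back into the textarea) and the later posts about backslashes ending up in the table ("Hi Chaps" and "My host's version of php") are the same problem seen from two sides: the value is escaped more than once on the way in, or escaped for the wrong layer on the way out. Here is an added example, not from any post on this page, of the round-trip that never produces the symptom: the value reaches SQL as a bound parameter (so nothing is added to the stored text) and is escaped for HTML, never run through stripslashes, when it is displayed. It uses PDO with an in-memory SQLite database so it runs offline; with a MySQL DSN the prepare/execute code is identical. The helper names, the `users` table and the sample input are all assumptions.

```php
<?php
// Added example (not from any post on this page): store exactly what the user
// typed and show it again without backslashes. Assumptions: PHP 7.1+ with
// pdo_sqlite; the in-memory SQLite database stands in for MySQL so this runs
// offline, and the prepare/execute calls are the same for a 'mysql:' DSN.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, bio TEXT NOT NULL)');
    return $db;
}

// On a PHP 5 host with magic_quotes_gpc on, $_POST already carries backslashes;
// strip them once here so the value is never escaped twice (double escaping is
// what leaves O\'Reilly in the table). On PHP 7.4+ this is a no-op.
function raw_input(string $value): string {
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

function save_bio(PDO $db, int $id, string $bio): void {
    // A bound parameter carries quotes, backslashes and newlines intact;
    // the driver quotes it for the statement, nothing is added to the data.
    $st = $db->prepare('INSERT INTO users (id, bio) VALUES (:id, :bio)');
    $st->execute([':id' => $id, ':bio' => $bio]);
}

function load_bio(PDO $db, int $id): ?string {
    $st = $db->prepare('SELECT bio FROM users WHERE id = :id');
    $st->execute([':id' => $id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['bio'];
}

// For the edit form the value needs HTML escaping, not SQL escaping: quotes,
// '&' and '</textarea>' become entities so the bio cannot close the textarea,
// and the browser renders the original characters with no backslashes.
function textarea_html(string $bio): string {
    return '<textarea name="bio">'
        . htmlspecialchars($bio, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

$db = open_db();
$typed = "O'Reilly's \"book\" & </textarea> fan";   // constructed sample input
save_bio($db, 1, raw_input($typed));
$stored = load_bio($db, 1);
var_dump($stored === $typed);     // bool(true): the database holds the raw text
echo textarea_html($stored), "\n";
```

Rows that already contain O\'Reilly were written with an extra escaping pass; fix the input side as above and clean those rows once, rather than stripping slashes on every display.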