PHP - Escaping Data Going Wrong

Hi,

I have set up a simple function so that when a user enters a title in a php form, php gives the first letter of each word a capital letter. As follows:

function caps($text){
$search_text=$text;
$search_text=ucwords(strtolower($search_text));
$look_for = "(a";
$change_to = "(A";
$changed_text = str_replace($look_for, $change_to, $search_text);
$search_text=$changed_text;
$look_for = "(b";
$change_to = "(B";
$changed_text = str_replace($look_for, $change_to, $search_text);
$search_text=$changed_text;
$look_for = "(c";
$change_to = "(C";

//...etc...etc.. up to

$look_for = "(z";
$change_to = "(Z";
$changed_text = str_replace($look_for, $change_to, $search_text);
$search_text=$changed_text;
return $search_text;

}

The trouble is, if I were to enter the following "The secret of DNA", my function would return "The Secret Of Dna" (removes the caps). Any ideas how to get around this would be most useful. Thanks in advance.

Russ

Do I need to escape variables passed via link? Is it possible that someone does an SQL Injection via unescaped $_GET variable? (Yes I am using it in an SQL query, not inserting it into a DB tho)

Quote from: Mike Solstice on April 14, 2011, 12:24:45 AM

Ok, that works if I run it CLI or though phpMyAdmin, but won't if I try it in php

Code: [Select]
$remcomma = "UPDATE top_train SET deaths = replace( replace(field_name, ',', ''), '"', '' )";
mysql_query($remcomma);

I assume because of the quotes used in the regex. I tried escaping the "

Code: [Select]
$remcomma = "UPDATE top_train SET deaths = replace( replace(field_name, ',', ''), '\"', '' )";
mysql_query($remcomma);

Which broke it altogether. Anyone have any ideas?

Thanks!



Moved here since that thread was marked as solved & it's more of a PHP issue at this point anyway. Any & all help is greatly appreciated!

I have a table with two columns A and B.  I'm submitting a form where the user selects different checkboxes.   Column A contains the values of all the checkboxes.  I want to, after the form is submitted, using the array of values of randomly checked checkboxes, search the table for the corresponding values in column B.  Then display the values of selected checkboxes and their cosesponding values from column B. 
First I did an implode() on the array of submitted checkbox values,
Code: [Select]
$list = "'".implode("','", $_POST['Ref'])."'"; then did a mysql_real_escape_string on that.
Code: [Select]
for($i=0;$i<$count;$i++)
     {
$list = mysql_real_escape_string($list[$i]);
} I got a
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'SYSTEM'@'localhost' (using password: NO)
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established
for each row of $list.
What am I doing wrong? 

Im getting a syntax error caused by the first line. How do I properly escape the code? echo "<tr class="'.$colors[$i++ % 2].'">
<td align=center  nowrap>($phone1) XXX-$phone2</td>
<td align=center  nowrap>$overall</td>
<td align=center  nowrap>$hygiene</td>
<td align=center  nowrap>$attitude</td>
<td align=center  nowrap>$ethnicity</td>
<td align=center  nowrap>$body</td>
<td align=center  nowrap>$city</td>
<td align=center  nowrap>$user</td>
<td align=center  nowrap>$date</td>
<td align=center  nowrap>$comment</td>
</tr>";

Hi Php Freaks

I am trying to escape variable but I am lost. I am sure that it is easy. can anyone help ta

Code: [Select]
$y="\\$GLOBALARRAY = array(   \n";
echo $y;

Hello!

I'm very new to PHP, and I'm sure this is a noob question - still, its got me stuck!

How would I best escape this properly?

$resizeObj = new resize('C:\xampp\htdocs\images_test\$file');

so that $file is parsed?

the whole script is as follows:

Code: [Select]
<?php
// *** Include Nathan's class
include("resize-class.php");

// Define the full path to your folder from root 
$path = 'C:\xampp\htdocs\images_test'; 

// Open the folder 
$dir_handle = @opendir($path) or die("Unable to open $path"); 

    // Loop through the files 
    while ($file = readdir($dir_handle)) { 

    if($file == "." || $file == ".." || $file == "index.php" ) 

        continue; 

// *** 1) Initialise / load image
$resizeObj = new resize('C:\xampp\htdocs\images_test\$file');
// *** 2) Resize image 
$resizeObj -> resizeImage(100, 100, 'auto');
// *** 3) Save image
$resizeObj -> saveImage('C:\xampp\htdocs\images_test\$file', 90);

        echo "<a href=\"$file\">$file</a><br />"; 
echo $path;

    } 
    // Close 
    closedir($dir_handle); 



?>

I've got this code and it works fine.  All I want to do is, when people click on the x to delete something they submitted erroneously, I want a confirmation...really want to delete this?  (sometimes that x is too tempting you know)

But I *think* I'm having trouble escaping the line (near bottom):  onsubmit='".return confirm('Really Delete');."'

I'm not sure if it will work anyhow...but right now it doesn't.

Thanks for any suggestions.

<code>
<?php

include '../php/config_conn.php';

$querysum = "SELECT SUM(total_time) FROM `coop_hours` where user = '".$_SESSION['user_name']."'";
$resultsum = mysql_query($querysum);
$arr = mysql_fetch_row($resultsum);
$resulthours = $arr[0];

$querytime = "SELECT * FROM `coop_hours` WHERE user = '".$_SESSION['user_name']."' ORDER BY `date_completed`";
$result = mysql_query($querytime);

$num = mysql_num_rows($result);

mysql_close();


echo "<table width='1000' cellpadding='0' cellspacing='0' border='0'><tr>
      <td width='200'><strong>Coop Job</strong></td>
      <td align=center width='200'><strong>Date Completed</strong></td>
      <td align=center width='120'><strong>Total Time</strong></td>
      <td width='380'><strong>Comments</strong></td>
      <td width='100'>Delete Entry</td></tr>";

$i=0;
while ($i < $num) {
   
$hours_id = mysql_result($result, $i, "hours_id");
$user = mysql_result($result, $i, "user");
$coop_job = mysql_result($result, $i, "coop_job");
$date_completed = mysql_result($result, $i, "date_completed");
$start_time = mysql_result($result, $i, "start_time");
$end_time = mysql_result($result, $i, "end_time");
$total_time = mysql_result($result, $i, "total_time");
$comments = mysql_result($result, $i, "comments");


echo "<tr><td>$coop_job</td>
   <td align=center>$date_completed</td>
   <td align=center>$total_time</td>
   <td>$comments</td>
   <td align=center valign='middle'>
   <form action='".php/del.php."' method='".post."' onsubmit='".return confirm('Really Delete');."'>
   <input type='".hidden."' name='".hours_id."' value='".$hours_id."'>
   <input TYPE='image' SRC='images/del.png' width='11' height='11' border='0' alt='Delete'>
   </form>
   </td>
   </tr>";

$i++;
}
echo "<tr><td colspan=5><hr></td></tr>";
echo "<tr><td></td><td align=right>Total hours:</td><td align=center>$resulthours</td><td></td></tr>";
echo "<table>";

?>
</code>

I've got a file with some strings that have both types of quotes in them.  And I seem to have managed to get the data, display it in my html, store it in a js array (using a json_encode in php and then simply inserting it into my js) but I cannot seem to pass the string as a parameter form an onclick function call to js.    For most strings the addslashes makes it work in the function call.  But for those with both sets of quotes it won't work.  My console tells me there are "unterminated string constants..".  I've experimented with many silly changes but none make it work.   Ex. of the strings:   What do you mean "It's crooked"?   Of course I could remove the contraction and that would probably work, but that would be a hack, would not it?

I am passing this value:

Quote

\\"''"""\""\\\\""""''''\"""\\\""''""""'/'/'/\"'\'\\'\\''\\'''''


the the following code is not handling it correctly:


$data = mysql_real_escape_string(strip_tags(htmlspecialchars($data)));


here is what it looks like when the server gets it:

Quote

\\"''"""\""\\\\""""''''\"""\\\""''""""'/'/'/\"'\'\\'\\''\\'''''



and here is after the code executes:

Quote

\\\\&quot;\'\'&quot;&quot;&quot;\\&quot;&quot;\\\\\\\\&quot;&quot;&quot;&quot;\'\'\'\'\\&quot;&quot;&quot;\\\\\\&quot;&quot;\'\'&quot;&quot;&quot;&quot;\'/\'/\'/\\&quot;\'\\\'\\\\\'\\\\\'\'\\\\\'\'\'\'\


Notice if I have

Quote

\'


it bugs out.

This should be really simple but I can't get my head round it.

Please see the PHP/HTML below.


<?php
$a = array(

'test' =>

"'data'"
);
$json = json_encode($a);
?>

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Unknown Page</title>
<script type="text/javascript" src="http://ajax.microsoft.com/ajax/jquery/jquery-1.5.min.js"></script>
<script type="text/javascript">
var j = jQuery.parseJSON('<?php echo $json; ?>');
</script>
</head>
<body>
</body>
</html>


You will notice that data is stored by " then '
I have tried how it is and also with add slashes


$a = array(

'test' =>

addslashes("'data'")
);

It either outputs without slashes (which is clearly wrong)
Code: [Select]
var j = jQuery.parseJSON('{"test":"'data'"}');Or which I cant work out why dosent work
Code: [Select]
var j = jQuery.parseJSON('{"test":"\\'data\\'"}');
Now firebog throws the following error
Code: [Select]
missing ) after argument list
How should I be escaping this variable?

I am using PHP with ODBC to connect to an existing MSSQL database to query for some names.  When I query a name that has an apostrophe in it, I get an error.

Example typing O'Malley as the name:

Quote

Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'malley'., SQL state 37000 in SQLExecDirect



I have used addslashes to the string but get the same result:

Code: [Select]
$string = addslashes($_POST['string']);

$connect = odbc_connect("$mssql_name", "$mssql_user", "$mssql_pass");

$query_mssql = "SELECT pr.NameFirst, pr.NameLast, pr.NameMiddle, pr.Birthdate, p.Barcode, p.OrganizationID
FROM PatronRegistration pr
JOIN Patrons p ON (pr.PatronID = p.PatronID)
WHERE pr.NameLast = '$string'";

$result = odbc_exec($connect, $query_mssql);

Any ideas?

What is the correct way to echo this line???
Quote

<php?
echo "proceed to <a href= <?php echo urldecode($_GET['url']); ?>> <?php echo urldecode($_GET['title']); ?>   </a>";
?>


My Parse error says:
Quote

Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in C:\Program Files\EasyPHP5.3.0\www\URL_tester\page2.php on line 16

I have a paragraph in a text in my data table column with apostrophes and heights, like, "He'll likely grow beyond 6'6"."

 

I've tried addslashes($update), but it's not working.  (At another time I thought I had something like that.)

Is there something that will take care of it short of typing \ before every instance I use quotes, the using stripslash?

This topic has been moved to PHP Regex.

http://www.phpfreaks.com/forums/index.php?topic=353729.0