Thread: MySQL strings suddenly being stored with escape slashes

  1. #1
    SitePoint Addict
    Join Date
    Jan 2008
    Location
    Palm Harbor, FL
    Posts
    339

    MySQL strings suddenly being stored with escape slashes

    I can't seem to figure out why, but suddenly MySQL strings are being stored with their 'escape' backslashes. My scripting language is PHP, and yes, magic_quotes are turned off.

    My scripts, which use the 'mysql_real_escape_string' function, are not working as they should.
    'mysql_real_escape_string("can't")' is now suddenly stored in the database as "can\'t".

    Does anyone know why this might have suddenly started happening... or, more importantly... does anyone have any ideas on how to fix it?
    Alternative networking ~
    Free artwork, games, music, literature, videos, and advertising.

  2. #2
    Dan Grossman (Twitter: @djg)
    Join Date
    Aug 2000
    Location
    Philadelphia, PA
    Posts
    20,580
    You're double escaping the strings at some point, that's the only way it would happen. You need to look through your code -- everything that happens to the user input between the start of execution and executing the query.
    17-29% of paid ad clicks are fraudulent. Get protected with Improvely, your online marketing dashboard.
    Conversion tracking, click fraud detection, A/B testing and more.

  3. #3
    SitePoint Addict
    Quote, originally posted by Dan Grossman:
    You're double escaping the strings at some point, that's the only way it would happen. You need to look through your code -- everything that happens to the user input between the start of execution and executing the query.
    This just suddenly started happening out of the blue.

    Inserting something as simple as:
    PHP Code:
    mysql_real_escape_string("abc'd"); 
    ...will result in a backslash before the quote.

    Are there any MySQL settings I should check?

  4. #4
    Dan Grossman
    Did you actually insert that example into the database, or just look at it in PHP? It should have the backslash in PHP, but not in the database.

  5. #5
    SitePoint Addict
    Quote, originally posted by Dan Grossman:
    Did you actually insert that example into the database, or just look at it in PHP? It should have the backslash in PHP, but not in the database.
    There are backslashes in the actual database. =/

  6. #6
    Dan Grossman
    You deflected: Did you insert that example into the database and look? I know there are backslashes from your real code already.

  7. #7
    SitePoint Addict
    I think the problem only happens when scripts specifically in my main script folder send POST data to the database. Scripts from the root folder don't seem to have the problem. There is no INI file in the scripts folder.

  8. #8
    SitePoint Addict
    Well apparently copying the php.ini file from the root folder to the scripts folder seemed to do the trick. I thought a php.ini file applies to all subdirectories with no ini files of their own; ...guess I was wrong.

  9. #9
    PHPycho (SitePoint Wizard)
    Join Date
    Dec 2005
    Posts
    1,200
    I would prefer passing the values to be inserted, updated and selected in the WHERE condition to wrapper functions and using auto escaping there.
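
Added example, not code from any poster in this thread: it reproduces the symptom described above on the assumption that the scripts folder ran with magic quotes enabled once the root php.ini stopped applying there, and sketches the wrapper approach from post #9 using PDO bound parameters in place of mysql_real_escape_string. The function names, the comments table and the in-memory SQLite database are assumptions made so the script runs offline.

```php
<?php
// Added illustration; every function and table name here is hypothetical.

// Stand-in for magic_quotes_gpc (removed in PHP 5.4): it ran addslashes()
// over request values before the script ever saw them.
function simulate_magic_quotes(array $input): array
{
    return array_map('addslashes', $input);
}

// Undo that implicit escaping once, at the input boundary, and nowhere else.
function normalize_input(array $input, bool $magicQuotesActive): array
{
    return $magicQuotesActive ? array_map('stripslashes', $input) : $input;
}

// Wrapper in the spirit of post #9: callers pass raw values and the
// statement carries them as bound parameters, never as SQL text.
function insert_comment(PDO $db, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

function stored_bodies(PDO $db): array
{
    return $db->query('SELECT body FROM comments ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// In-memory SQLite keeps the example offline (assumption; the thread uses MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed request value, as a directory with magic quotes on would deliver it.
$post = simulate_magic_quotes(['body' => "can't"]);

// Binding protects the query but cannot know the backslash is an artifact,
// so the first row keeps it.
insert_comment($db, $post['body']);

// Normalizing first stores the text the user actually typed.
insert_comment($db, normalize_input($post, true)['body']);

var_dump(stored_bodies($db));
```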
