Manny Posted February 18, 2010 Share Posted February 18, 2010 I have a search form on my website but having a big problem with it.The form works fine if the data submitted to it doesn't have ' or " in it. But if it does, even with the use of stripslashes, it is still bringing back a result with a trailing \.The data passed from the variable then makes use of the mysql_real_escape_string function to search the database, which is doubling the trailing \'s.Here is the stripslashes code I am using: $searchRequest = stripslashes($_GET['s']); Using the search term "Joey O'Brien", the result of that would be Joey O\'Brien. Then, using the mysql_real_escape_string function, it displays "Joey O\\'Brien". I tried it without stripslashes and my results were "Joey O\\'Brien" and "Joey O\\\\'Brien".I've used stripslashes plenty of times in the past, but I don't understand why the number of preceeding \'s aren't what I expect and don't know how to get rid of them. Link to comment Share on other sites More sharing options...
justsomeguy Posted February 19, 2010 Share Posted February 19, 2010 It would be better to figure out why the slashes are being doubled and stop it from happening (server settings possibly), but if it's going to double the slashes then you can always use stripslashes twice. Link to comment Share on other sites More sharing options...
Manny Posted February 19, 2010 Author Share Posted February 19, 2010 Had already tried using stripslashes twice, it works but then when it is needed for the mysql_real_escape_string function, where a single slash needs to be, it doesn't work.It's baffled me a little bit. Link to comment Share on other sites More sharing options...
Ingolme Posted February 19, 2010 Share Posted February 19, 2010 Your server might have Magic Quotes activated. This feature automatically escapes quotes from user input. So you have to use stripslashes() on the string right when you receive it from POST or GET Link to comment Share on other sites More sharing options...
Manny Posted February 19, 2010 Author Share Posted February 19, 2010 I'll post some code so maybe someone can see where I'm going wrong.Here is the Magic Quotes section of the PHP.ini file: ; Magic quotes for incoming GET/POST/Cookie data.magic_quotes_gpc = Off; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.magic_quotes_runtime = Off ; Use Sybase-style magic quotes (escape ' with '' instead of \').magic_quotes_sybase = Off magic_quotes_gpc had been "On", but after turned "Off" still gives the same problem.Like I said, the example I used was the term "Joey O'Brien". After using stripslashes, still returns "Joey O\'Brien". I can use stripslashes twice, but then when it comes to mysql_real_escape_string, the slash doesn't go back in meaning the query doesn't execute.Here is the PHP file that gathers the information from the "s" variable at the end of the URL. It stores it in the $searchRequest variable and loads data from the "searchresults.php" file. <?//Create variable for the search term$searchRequest = stripslashes($_GET['s']);//If no search term is present, load the index pageif (!isset($_GET['s'])) { header("Location: " . $siteURL . ""); }else {$pageName = "Search Results: " . $searchRequest . "";require(searchresults.php);}?> searchresults.phpI believe the problems to be in sections 2 and 8 (ie The queries). <? //Pagination//1. Get current page number. Set to 1 if value is not present if (isset($_GET['page'])) { $page = $_GET['page']; } else { $page = 1; }//2. Identify how many rows are selected$query = " SELECT COUNT(*) FROM `news_archive` WHERE `Keywords` LIKE CONVERT( _utf8 '%" . mysql_real_escape_string($searchRequest) . "%' USING latin1 ) COLLATE latin1_swedish_ci";$result = mysql_query($query, $connection) or trigger_error("SQL", E_USER_ERROR);$query_data = mysql_fetch_row($result);$numrows = $query_data[0];//3. Calculate the number of $lastpage//This code uses the values in $rows_per_page and $numrows in order to identify the number of the last page.$rows_per_page = 11;$lastpage = ceil($numrows/$rows_per_page);//4. Ensure that $pageno is within range//This code checks that the value of $pageno is an integer between 1 and $lastpage$page = (int)$page;if ($page > $lastpage) { $page = $lastpage; }if ($page < 1) { $page = 1; }//5. Construct LIMIT clause$limit = 'LIMIT ' .($page - 1) * $rows_per_page .',' .$rows_per_page;//6. Paginationif(($numrows > $rows_per_page) && $searchRequest != '') {echo ' <div class="titlestrip_sub_paging"> ';if (($page != 1) && ($numrows > $rows_per_page)) { $prevpage = $page-1;echo ' <a href="' . $_SERVER["PHP_SELF"] . '?s=', $searchRequest, '&page=1">FIRST</a> <a href="' . $_SERVER["PHP_SELF"] . '?s=', $searchRequest, '&page=', $prevpage, '">PREV</a>';}//Next we inform the user of his current position in the sequence of available pages.if ($numrows > $rows_per_page) { echo ' ( Page ', $page, ' of ', $lastpage, ' )';}//This code will provide the links for any following pages.if (($page != $lastpage) && ($numrows > $rows_per_page)) { $nextpage = $page+1;echo ' <a href="' . $_SERVER["PHP_SELF"] . '?s=', $searchRequest, '&page=', $nextpage, '">NEXT</a> <a href="' . $_SERVER["PHP_SELF"] . '?s=', $searchRequest, '&page=', $lastpage, '">LAST</a>';}echo ' </div>';}//7. If there are no returns from the search, display a message to notify the userif(($numrows == '0') || ($searchRequest == '')) { echo ' <p id="newsbody"> Your search - <b>', $searchRequest, '</b> - did not return any results.<br /> <br /> Suggestions:<br /> • Make sure all words are spelled correctly.<br /> • Try different keywords. </p>';}if($searchRequest != ''){//8. Issue the database query$sqlstatement = "SELECT `ID`, `Title`, `Story` FROM `news_archive` WHERE `Keywords` LIKE CONVERT( _utf8 '%" . mysql_real_escape_string($searchRequest) . "%' USING latin1 ) COLLATE latin1_swedish_ci ORDER BY `ID` DESC $limit";$sql_result = mysql_query($sqlstatement,$connection) or die("<p>Content could not be displayed.</p>");echo $sqlstatement;//Open loop and define variableswhile ($row = mysql_fetch_array($sql_result)){$fulldescription = explode("<br />",$row["Story"]);$length = (strlen($fulldescription[0]));$lengthlimit = "150";$description = substr($fulldescription[0], 0, $lengthlimit);//9. Display the news archiveecho ' <div class="archiveitem"> <a href="', $siteURL, '/news/?id=', $row["ID"], '">', $row["Title"], '</a> <p>', $description, ''; if ($length > $lengthlimit) { echo '... <a href="', $siteURL, '/news/?id=', $row["ID"], '">More >></a>'; } echo '</p> </div>';}}//10. Paginationif(($numrows > $rows_per_page) && $searchRequest != '') {echo ' <div class="titlestrip_sub_paging"> ';if (($page != 1) && ($numrows > $rows_per_page)) { $prevpage = $page-1;echo ' <a href="' . $_SERVER["PHP_SELF"] . '?s=', $searchRequest, '&page=1">FIRST</a> <a href="' . $_SERVER["PHP_SELF"] . '?s=', $searchRequest, '&page=', $prevpage, '">PREV</a>';}//Next we inform the user of his current position in the sequence of available pages.if ($numrows > $rows_per_page) { echo ' ( Page ', $page, ' of ', $lastpage, ' )';}//This code will provide the links for any following pages.if (($page != $lastpage) && ($numrows > $rows_per_page)) { $nextpage = $page+1;echo ' <a href="' . $_SERVER["PHP_SELF"] . '?s=', $searchRequest, '&page=', $nextpage, '">NEXT</a> <a href="' . $_SERVER["PHP_SELF"] . '?s=', $searchRequest, '&page=', $lastpage, '">LAST</a>';}echo ' </div>';} Link to comment Share on other sites More sharing options...
Manny Posted February 19, 2010 Author Share Posted February 19, 2010 I've found the problem, but still not managed to solve it yet.At the start of my scripts I include a SMF.ssi file for integration with my SMF forum. I took this out and the form works as it should have done at the beginning. Problem is, I need the SMF file in my script. I've searched the web and not found an answer so I guess the best bet would be to pay SMF a visit. Link to comment Share on other sites More sharing options...
justsomeguy Posted February 19, 2010 Share Posted February 19, 2010 SMF is just escaping everything itself. So, if you use that file then you'll need to strip it yourself also. Using mysql_real_escape_string should never be a problem, it should always add slashes before any necessary characters, regardless of whether or not they've been escaped or stripped or whatever. Link to comment Share on other sites More sharing options...
Manny Posted February 19, 2010 Author Share Posted February 19, 2010 How do you mean?I've not edited the smf.ssi file in anyway, I call it like this: require("/Path/To/File/SSI.php"); Then, as shown in my first post: $searchRequest = stripslashes($_GET['s']); So we're guessing SMF is causing the \' to still be there even after the stripslashes line. What should I be changing? If possible I want to try and avoid editing the SMF file. Link to comment Share on other sites More sharing options...
justsomeguy Posted February 23, 2010 Share Posted February 23, 2010 If you do not use SMF, then you can call stripslashes once. If you do use SMF, then you should call stripslashes twice. If the SMF file isn't going to bother to check if it needs to add slashes, then you need to remove them. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.