
Insert javascript code with single and double quotations


son


I run the following query before inserting javascript code into db from form field as:

function escape_data ($data){
    // address magic quotes.
    if (ini_get('magic_quotes_gpc'))
    {
        $data = stripslashes($data);
    }
    // check for mysql_real_escape_string() support
    if (function_exists('mysqli_real_escape_string'))
    {
        global $dbc; // need the connection
        $data = mysqli_real_escape_string ($dbc, trim($data));
    }
    else
    {
        $data = mysqli_escape_string ($dbc, trim($data));
}

The double quotation marks are problematic. The insert statement does not work with them. Why is that? Does mysqli_real_escape_string not escape double quotation marks after all? Son


  • 3 weeks later...

Thanks justsomeguy. Sorry to get back late on this. Wasn't well for some time and just now back on my computer... It confirms my assumption that single and double quotation marks are escaped. This is weird as it simply does not let me enter data in db with double and single quotation marks. Also, I have to correct myself: actually the single quotation marks cause the issue. When I replace all single by double quotation marks the query runs just fine (but obviously is useless as a function). The actual code is (analytics):

<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'GoogleUniqueNumber']);
  _gaq.push(['_setDomainName', 'domainName.co.uk']);
  _gaq.push(['_trackPageview']);
  (function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
</script>

Why else could there be an issue? I simply do not get it as single quotation marks are escaped and hence should be unproblematic |-) Son


Justsomeguy, I did dump the query and the analytics variable. The query is complete and runs fine, only that the value for analytics is empty. Also, when dumping the analytics variable it shows only string(517) "" without the value. The textarea is:

<textarea id="analytics" name="analytics" rows="5" cols="60"></textarea>

but

var_dump($_POST['analytics']);

shows also only string(517) "" without the value. I am not getting this... Son


View the source of your page. I bet you will see the "missing" code there. Also, where is the value of the textarea set? It doesn't look like you included it anywhere in your intended output.

Edited by thescientist

Hi there, I did not put anything in between the <textarea /> tags for this demo, but there was obviously some code before I submit the form which then deletes the code. The relevant textarea field is empty afterwards... Son


If you're printing the value on the page you aren't going to see the <script> tags show up. Either view the source of the page like thescientist suggested or convert HTML characters to entities when you print it. It says it is a string with 517 characters in it, so it's not empty. Don't view debugging output in a browser where it's going to try to render HTML code, view it in the page source or log it to a text file or something.


  • 3 weeks later...

Hi there, First of all my apologies for getting back so late... Due to a health condition I am sometimes not able to do any work and hence the long silence. I hope this is ok. Regarding the issue, I can see the data in the error message. Trying just <"test" 'now'> as an example including single and double quotes I get the following:

[_POST] => Array
    (
        [MAX_FILE_SIZE] => 2097152
        [title] => name
        [desc] =>
        [analytics] => <"test" 'now'>
        [submitted] => TRUE
        [submit] => Change
    )

and

UPDATE tableDB SET webTitle = 'name', desc= '', analytics= '<"test" 'now'>' WHERE pid = 1

So, the single quote before now stops analytics which is not correct and causes the issue. However, I assumed that the escape_data() function that I use on any variable before submitting to the db would take care of this... In var_dump() of analytics I also can see that <"new" 'test'> is as it is without being escaped. Any ideas? Son


The $escape_data function doesn't return any value and doesn't take the parameter by reference, so it's not going to update whatever variable you're passing to it. It's going to escape the value, but when the function ends that value goes away, you're not doing anything with it.


So, thinking about what you are saying does this mean that I would need to manually replace any single quotation marks before assigning it to variable to avoid the issue and then bring them back before displaying content on web page? For example use

htmlentities($analytics, ENT_QUOTES);

before sending data to database and

html_entity_decode ($analytics, ENT_QUOTES);

to display in head of web page? Or is there a different, better method to deal with that sort of thing? Thanks, Son


What you said totally confused me first as I thought to myself "This is what I thought I did. What can he mean?", but then looking at the relevant code again I could not believe that all this time I had not noticed that there is actually a spelling mistake in my variable name (see below):

if (!isset($_POST['analytics']) OR empty($_POST['analytics']))
{
    $analyticsUpd = '';
}
else
{
    $analyticsUpd = $_POST['analytics'];
    $analyticUpd = escape_data($analyticsUpd);

Correcting this solved the issue. I think that I am unwell so often seems to really affect my brains considerably |-) Thanks for your patience :-) Son


Your function doesn't return data. Look at the code for it:

function escape_data ($data){
    // address magic quotes.
    if (ini_get('magic_quotes_gpc'))
    {
        $data = stripslashes($data);
    }
    // check for mysql_real_escape_string() support
    if (function_exists('mysqli_real_escape_string'))
    {
        global $dbc; // need the connection
        $data = mysqli_real_escape_string ($dbc, trim($data));
    }
    else
    {
        $data = mysqli_escape_string ($dbc, trim($data));
}

If we take that line-by-line, first you're checking if magic_quotes_gpc is enabled. If it is, then you strip slashes from the value that was passed to the function. Then, you check to see if mysqli_real_escape_string exists and use that on the data, or else you use mysqli_escape_string on the data. Then.... you don't do anything. You don't send the changed data back to wherever you called the escape_data function from. The function just ends, and the changed data is removed from memory. The original data you started with is unchanged because the function doesn't return anything. You use a return statement in the function to return data back to the code that called the function. It also looks like there is a syntax error, the brackets aren't matched up. The way you wrote that it looks like the last else has an open bracket, but the closing bracket closes the function. You have 4 open brackets and 3 closing ones.


I can see that the function itself does not return any data, but when I use $analyticUpd = escape_data($analyticsUpd); I apply the function to the data gathered from the form and then store this in $analyticUpd. I thought this then means that I "return" the value? Thanks, Son


The function actually needs a return statement. You're not telling the function which value to return, it doesn't automatically assume that you want to return the same variable you passed in. It could return anything, you need to tell it which value you want to return.

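The fix discussed in this thread, as an added example that is not any poster's own code: the same escaping step with and without its return statement, followed by a prepared statement that makes the escaping function unnecessary. It assumes PHP with the pdo_sqlite extension; an in-memory SQLite database stands in for the thread's MySQL connection, and the two function names are hypothetical.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database (PDO)
// stands in for the MySQL connection so the script runs without a server.
// Table and column names follow the UPDATE shown in the thread; "desc" is left
// out because it is a reserved word and would need quoting.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tableDB (pid INTEGER PRIMARY KEY, webTitle TEXT, analytics TEXT)');
$pdo->exec("INSERT INTO tableDB (pid, webTitle, analytics) VALUES (1, 'old', '')");

// Hypothetical name. Mirrors the bug: the escaped value lives only in the local
// $data and is discarded, so the call site receives NULL.
// PDO::quote() is used as the escaping step here; unlike
// mysqli_real_escape_string() it also adds the surrounding quotes.
function escape_without_return(PDO $pdo, $data)
{
    $data = $pdo->quote(trim($data));
}

// Hypothetical name. Same body plus the return statement.
function escape_with_return(PDO $pdo, $data)
{
    return $pdo->quote(trim($data));
}

// Constructed sample: the test value used in the thread.
$input = "<\"test\" 'now'>";

var_dump(escape_without_return($pdo, $input));
var_dump(escape_with_return($pdo, $input));

// Prepared statement: the value is sent apart from the SQL text, so a quote in
// the data cannot end the string literal and no escaping function is involved.
$stmt = $pdo->prepare(
    'UPDATE tableDB SET webTitle = :title, analytics = :analytics WHERE pid = :pid'
);
$stmt->execute([':title' => 'name', ':analytics' => $input, ':pid' => 1]);

$stored = $pdo->query('SELECT analytics FROM tableDB WHERE pid = 1')->fetchColumn();
var_dump($stored === $input);

// When dumping such a value into a browser, encode it so the markup is
// displayed as text rather than interpreted.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

With mysqli the equivalent calls are mysqli_prepare(), mysqli_stmt_bind_param() and mysqli_stmt_execute().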
