son Posted September 25, 2012
I run the following query before inserting javascript code into the db from a form field:

function escape_data ($data){// address magic quotes.
if (ini_get('magic_quotes_gpc')) {
$data = stripslashes($data);
}
// check for mysql_real_escape_string() support
if (function_exists('mysqli_real_escape_string')) {
global $dbc; // need the connection
$data = mysqli_real_escape_string ($dbc, trim($data));
} else {
$data = mysqli_escape_string ($dbc, trim($data));}

The double quotation marks are problematic. The insert statement does not work with them. Why is that? Does mysqli_real_escape_string not escape double quotation marks after all?
Son
justsomeguy Posted September 25, 2012
The manual lists which characters it affects: http://php.net/manual/en/mysqli.real-escape-string.php
son Posted October 16, 2012 (Author)
Thanks justsomeguy. Sorry to get back late on this. Wasn't well for some time and am just now back on my computer... It confirms my assumption that single and double quotation marks are escaped. This is weird, as it simply does not let me enter data in the db with double and single quotation marks. Also, I have to correct myself: actually the single quotation marks cause the issue. When I replace all single by double quotation marks the query runs just fine (but obviously is useless as a function). The actual code is (analytics):

<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'GoogleUniqueNumber']);
_gaq.push(['_setDomainName', 'domainName.co.uk']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>

Why else could there be an issue? I simply do not get it, as single quotation marks are escaped and hence should be unproblematic |-)
Son
justsomeguy Posted October 16, 2012
I don't see any issues. If there's an error when you insert, then check for the error message from MySQL to see what it thinks the problem is. Also print out the query you're sending to it.
son Posted October 22, 2012 (Author)
Justsomeguy, I did dump the query and the analytics variable. The query is complete and runs fine, only that the value for analytics is empty. Also, when dumping the analytics variable it shows only string(517) "" without the value. The textarea is:

<textarea id="analytics" name="analytics" rows="5" cols="60"></textarea>

but var_dump($_POST['analytics']); also shows only string(517) "" without the value. I am not getting this...
Son
thescientist Posted October 22, 2012 (edited)
View the source of your page. I bet you will see the "missing" code there. Also, where is the value of the textarea set? It doesn't look like you included it anywhere in your intended output.
Edited October 22, 2012 by thescientist
son Posted October 24, 2012 (Author)
Hi there, I did not put anything in between the <textarea /> tags for this demo, but there was obviously some code before I submitted the form, which then deletes the code. The relevant textarea field is empty afterwards...
Son
JamesB Posted October 24, 2012
escape_data() isn't taking $data by reference.
justsomeguy Posted October 29, 2012
If you're printing the value on the page you aren't going to see the <script> tags show up. Either view the source of the page like thescientist suggested or convert HTML characters to entities when you print it. It says it is a string with 517 characters in it, so it's not empty. Don't view debugging output in a browser where it's going to try to render HTML code; view it in the page source or log it to a text file or something.
son Posted November 15, 2012 (Author)
Hi there, first of all my apologies for getting back so late... Due to a health condition I am sometimes not able to do any work and hence the long silence. I hope this is ok. Regarding the issue, I can see the data in the error message. Trying just <"test" 'now'> as an example including single and double quotes I get the following:

[_POST] => Array ([MAX_FILE_SIZE] => 2097152 [title] => name [desc] => [analytics] => <"test" 'now'> [submitted] => TRUE [submit] => Change )

and

UPDATE tableDB SET webTitle = 'name', desc= '', analytics= '<"test" 'now'>' WHERE pid = 1

So, the single quote before now stops analytics, which is not correct and causes the issue. However, I assumed that the escape_data() function that I use on any variable before submitting to the db would take care of this... In var_dump() of analytics I also can see that <"new" 'test'> is as it is without being escaped. Any ideas?
Son
justsomeguy Posted November 15, 2012
The $escape_data function doesn't return any value and doesn't take the parameter by reference, so it's not going to update whatever variable you're passing to it. It's going to escape the value, but when the function ends that value goes away; you're not doing anything with it.
son Posted November 19, 2012 (Author)
So, thinking about what you are saying, does this mean that I would need to manually replace any single quotation marks before assigning it to a variable to avoid the issue and then bring them back before displaying content on the web page? For example use htmlentities($analytics, ENT_QUOTES); before sending data to the database and html_entity_decode ($analytics, ENT_QUOTES); to display in the head of the web page? Or is there a different, better method to deal with that sort of thing?
Thanks, Son
justsomeguy Posted November 19, 2012
How about just having escape_data return the value so that you can use it in a query? A function that takes input but doesn't give any output isn't very useful.
son Posted November 23, 2012 (Author)
What you said totally confused me at first, as I thought to myself "This is what I thought I did. What can he mean?", but then looking at the relevant code again I could not believe that all this time I had not noticed that there is actually a spelling mistake in my variable name (see below):

if (!isset($_POST['analytics']) OR empty($_POST['analytics'])) {
$analyticsUpd = '';
} else {
$analyticsUpd = $_POST['analytics'];
$analyticUpd = escape_data($analyticsUpd);

Correcting this solved the issue. I think that being unwell so often seems to really affect my brain considerably |-) Thanks for your patience :-)
Son
justsomeguy Posted November 26, 2012
Your function doesn't return data. Look at the code for it:

function escape_data ($data){// address magic quotes.
if (ini_get('magic_quotes_gpc')) {
$data = stripslashes($data);
}
// check for mysql_real_escape_string() support
if (function_exists('mysqli_real_escape_string')) {
global $dbc; // need the connection
$data = mysqli_real_escape_string ($dbc, trim($data));
} else {
$data = mysqli_escape_string ($dbc, trim($data));}

If we take that line-by-line, first you're checking if magic_quotes_gpc is enabled. If it is, then you strip slashes from the value that was passed to the function. Then, you check to see if mysqli_real_escape_string exists and use that on the data, or else you use mysqli_escape_string on the data. Then.... you don't do anything. You don't send the changed data back to wherever you called the escape_data function from. The function just ends, and the changed data is removed from memory. The original data you started with is unchanged because the function doesn't return anything. You use a return statement in the function to return data back to the code that called the function. It also looks like there is a syntax error: the brackets aren't matched up. The way you wrote that it looks like the last else has an open bracket, but the closing bracket closes the function. You have 4 open brackets and 3 closing ones.
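As an added example (not code from any poster in this thread), the following puts the two fixes described above into practice: escape_data() with balanced braces and a return statement, the thread's UPDATE built from the returned value, and, beside it, the prepared-statement form in which the values never enter the SQL text at all, so a forgotten return cannot silently leave a quote unescaped. It assumes a mysqli connection in $dbc and the table and column names that appear in the thread (tableDB with webTitle, desc, analytics, pid); the connection credentials are placeholders.

```php
<?php
// Added example for this thread, not the poster's code. Assumes a mysqli
// connection in $dbc and the thread's table tableDB (webTitle, desc, analytics,
// pid). Host, user, password and database name below are placeholders.

// escape_data() as posted, with the two defects the replies point out fixed:
// braces balanced and the escaped string returned to the caller.
// ini_get('magic_quotes_gpc') is kept for the old PHP the thread targets; on
// PHP 5.4 and later the setting no longer exists and the branch is skipped.
function escape_data($data)
{
    global $dbc; // the connection, as in the original

    if (ini_get('magic_quotes_gpc')) {
        $data = stripslashes($data);
    }
    return mysqli_real_escape_string($dbc, trim($data));
}

// Builds the thread's UPDATE from escaped values. Without the return above
// the escaped variable would be NULL and a raw quote in the input would close
// the string literal early, exactly as the dumped query in the thread shows.
function build_update_sql($pid, $title, $desc, $analytics)
{
    $pid       = (int) $pid;
    $title     = escape_data($title);
    $desc      = escape_data($desc);
    $analytics = escape_data($analytics);
    // `desc` is a reserved word in MySQL and must be backtick-quoted.
    return "UPDATE tableDB SET webTitle = '$title', `desc` = '$desc', "
         . "analytics = '$analytics' WHERE pid = $pid";
}

// Preferred form: a prepared statement. Values are bound, not spliced into the
// SQL, so quoting in the analytics snippet cannot change the query structure.
function update_site_settings(mysqli $dbc, $pid, $title, $desc, $analytics)
{
    $stmt = $dbc->prepare(
        'UPDATE tableDB SET webTitle = ?, `desc` = ?, analytics = ? WHERE pid = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbc->error);
    }
    $stmt->bind_param('sssi', $title, $desc, $analytics, $pid);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Debug output as justsomeguy describes: entity-encode before printing so a
// stored <script> block is shown literally instead of being run by the browser.
function debug_html($value)
{
    return '<pre>' . htmlspecialchars(var_export($value, true), ENT_QUOTES, 'UTF-8') . '</pre>';
}

$dbc = new mysqli('db-host-placeholder', 'user-placeholder', 'password-placeholder', 'database-placeholder');
if ($dbc->connect_error) {
    die('connect failed: ' . $dbc->connect_error);
}

// Constructed sample input, the same test string used in the thread.
$analytics = isset($_POST['analytics']) ? $_POST['analytics'] : '<"test" \'now\'>';
echo debug_html($analytics);                                // quotes and tags visible as text
echo debug_html(build_update_sql(1, 'name', '', $analytics)); // the escaped UPDATE, for inspection
update_site_settings($dbc, 1, 'name', '', $analytics);        // what actually runs
```

Calling escape_data() on a value and discarding the result, or assigning the result to a misspelled variable as happened in the thread, leaves the query with unescaped input; the prepared statement removes that failure mode because there is no escaping step to forget.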
son Posted December 4, 2012 (Author)
I can see that the function itself does not return any data, but when I use

$analyticUpd = escape_data($analyticsUpd);

I apply the function to the data gathered from the form and then store this in $analyticUpd. I thought this then means that I "return" the value?
Thanks, Son
justsomeguy Posted December 4, 2012
The function actually needs a return statement. You're not telling the function which value to return; it doesn't automatically assume that you want to return the same variable you passed in. It could return anything, so you need to tell it which value you want to return.
thescientist Posted December 4, 2012
http://www.w3schools.com/php/php_functions.asp (specifically example 3)
http://php.net/manual/en/function.return.php