[nycphp-talk] un-escape db content using php or ADOdb functions

Eugenio Tacchini eugenio.tacchini at gmail.com
Wed May 2 13:08:53 EDT 2012


2012/5/2 Federico Ulfo <rainelemental at gmail.com>:
> The article you mentioned is from April 2004, so I could not rely on that.
>
> Starting from PHP 5.4, magic_quotes_gpc has been removed:
> http://php.net/releases/5_4_0.php
>
> Also, since PHP 5 the best way to go is to use PDO prepared statements,
> which avoid any double escaping and allow you to connect to different
> databases, so you don't really need ADOdb anymore.

Hi Federico, and thanks for your reply.
I know that magic_quotes_gpc has been removed, but I bet that most
PHP installations use PHP < 5.4. As far as PDO is concerned, yes,
I'm using PDO as well.

> If your database has escaped contents, you can either run a REPLACE query
> (to definitively solve the problem in the database) or, as you said, use
> stripslashes or a custom function; it depends on what you escaped!

No, the database does not have any escaped contents. The problem is an
application which, instead of escaping just the content that needed
to be used in a query:
- escaped everything from GPC, using addslashes
- unescaped content coming from GPC when the content itself only needs
to be displayed, using stripslashes
It worked pretty well, but I then switched from addslashes to DB-specific
functions (namely ADOdb qstr and PDO quote). The problem is
that stripslashes of course doesn't work anymore, and I can't find a
general approach for unescaping (I read the comment on
http://php.net/manual/en/function.mysql-real-escape-string.php but it
seems more a hack than a general solution).

Now, I'm wondering if the DB-specific escape functions really give
additional value with respect to addslashes. This is what you can read on
the PHP Web site, but if you read here:

http://dev.mysql.com/doc/refman/5.5/en/mysql-real-escape-string.html
"Characters encoded are “\”, “'”, “"”, NUL (ASCII 0), “\n”, “\r”, and
Control+Z. Strictly speaking, MySQL requires only that backslash and
the quote character used to quote the string in the query be escaped.
mysql_real_escape_string() quotes the other characters to make them
easier to read in log files."

it seems that, if we are talking about query execution, just \ and '
need to be escaped.

What do you think about it?

------------------
Eugenio Tacchini
dadabik.org DaDaBIK database front-end
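The pattern discussed in the post, as an added example that is not part of the original message or of DaDaBIK: the GPC value is kept raw, a PDO prepared statement does the quoting at query time, and escaping happens only for the output context, so nothing ever needs un-escaping. It assumes an in-memory SQLite database as a stand-in (the MySQL escaping rules quoted above differ, but the prepared-statement approach is the same); the table, column and sample input are constructed.

```php
<?php
// Added example (not from the original post). Runs offline with the
// assumed SQLite stand-in; names and sample input are constructed.
declare(strict_types=1);

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample input: a form field containing quotes, a backslash,
// HTML markup and a newline, as it arrives from GPC with no escaping.
$raw = "O'Reilly \\ <b>line1</b>\nline2";

// The old pattern: escape everything at input time, strip it back for display.
// This only works because stripslashes() is the exact inverse of addslashes().
$slashed = addslashes($raw);
check(stripslashes($slashed) === $raw, 'addslashes round trip');

// The replacement: store the raw value and let the driver quote at query time.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$insert->execute([':body' => $raw]);

$select = $pdo->prepare('SELECT body FROM notes WHERE body = :body');
$select->execute([':body' => $raw]);
$stored = $select->fetchColumn();

// The stored value is byte-identical to the input: no slashes added or lost.
check($stored === $raw, 'prepared statement round trip');

// Escape for the HTML context only when displaying; this is independent
// of the database and of whatever the query layer did.
$html = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo $html, PHP_EOL;

// PDO::quote() adds the delimiting quotes as well as escaping, so
// stripslashes() is not its inverse. Quoted output belongs in a query,
// never in stored data or in a display value.
$quoted = $pdo->quote($raw);
check(stripslashes($quoted) !== $raw, 'quote() is not reversed by stripslashes()');
echo 'all checks passed', PHP_EOL;
```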