Editing a string to add a \ before a '

  • monomaniac21

    Editing a string to add a \ before a '

    Is there a function that allows you to add a \ before a ' in a string.
    This is needed to store text in a mysql db and I was wondering if there
    is a function which can do this to any ' which DO NOT already have one
    before them, this is so I can keep editing my text without all these \
    building up.

    Kind regards

    Marc

  • David Haynes

    #2
    Re: Editing a string to add a \ before a '

    monomaniac21 wrote:
    > Is there a function that allows you to add a \ before a ' in a string.
    > This is needed to store text in a mysql db and I was wondering if there
    > is a function which can do this to any ' which DO NOT already have one
    > before them, this is so I can keep editing my text without all these \
    > building up.
    >
    > Kind regards
    >
    > Marc
    >
    see addslashes()

    -david-

  • mjs7231

    #3
    Re: Editing a string to add a \ before a '

    you also might want to try str_replace("'", "\\'", $string);

  • Iván Sánchez Ortega

    #4
    Re: Editing a string to add a \ before a '

    monomaniac21 wrote:
    > Is there a function that allows you to add a \ before a ' in a string.
    > This is needed to store text in a mysql db

    Use mysql_escape_string().

    --
    ----------------------------------
    Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

    A computer is not a television set or a microwave oven; it is a complex
    tool.

  • noone

    #5
    Re: Editing a string to add a \ before a '

    monomaniac21 wrote:
    > Is there a function that allows you to add a \ before a ' in a string.
    > This is needed to store text in a mysql db and I was wondering if there
    > is a function which can do this to any ' which DO NOT already have one
    > before them, this is so I can keep editing my text without all these \
    > building up.
    >
    > Kind regards
    >
    > Marc
    >

    I just include it in the insert statement since you must know the
    datatype at insert time

    $sqli = "insert into tableA values ";
    $sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";

    Michael Austin
    DBA.

  • Iván Sánchez Ortega

    #6
    Re: Editing a string to add a \ before a '

    noone wrote:
    > $sqli = "insert into tableA values ";
    > $sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";

    PHP security 101: never ever put values posted by a user directly into a DB
    query, without checking them, escaping them, and treating them as nuclear
    waste.

    The above is a very clear example of a SQL injection vulnerability.

    --
    ----------------------------------
    Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

    Proudly running Debian Linux with 2.6.12-1-686 kernel, KDE3.5.0, and PHP
    5.1.2-1 generating this signature.
    Uptime: 20:16:47 up 23:45, 2 users, load average: 0.21, 0.37, 0.26

  • noone

    #7
    Re: Editing a string to add a \ before a '

    Iván Sánchez Ortega wrote:
    > noone wrote:
    >
    >> $sqli = "insert into tableA values ";
    >> $sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";
    >
    > PHP security 101: never ever put values posted by a user directly into a DB
    > query, without checking them, escaping them, and treating them as nuclear
    > waste.
    >
    > The above is a very clear example of a SQL injection vulnerability.
    >
    > --

    Goes without saying... merely a test example of how to enclose the
    varchar data with single-quote "'".

    You also want to use a platform that is nearly impossible to crack. My
    choice is OpenVMS from HP - formerly Compaq - formerly Digital Equipment
    Corp (aka DEC).

    More scalable and has REAL clusters - not these pretend clusters like
    Veritas and Microsoft (bbbbarrfff).

    I also prefer Apache/Oracle Rdb - formerly DEC/Rdb and not to be
    confused with Oracle RDBMS (8/9/10g) and PHP.

    M.

  • Iván Sánchez Ortega

    #8
    Re: Editing a string to add a \ before a '

    noone wrote:
    >>> $sqli = "insert into tableA values ";
    >>> $sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";
    >
    > Goes without saying... merely a test example of how to enclose the
    > varchar data with single-quote "'".

    That's an example of a SQL injection, you should know that, and you should
    teach newbies to use RDBMS-specific techniques of escaping alphanumeric
    data prior to its usage in any SQL statement instead of posting such an
    example.

    This is how it should be done:

    <?php
    $varchar = mysql_real_escape_string($_POST['varchar']);
    $integer = (int) $_POST['integer'];
    $sqli = "insert into tableA values ('$varchar',$integer)";
    ?>

    I will reiterate myself. Never ever trust *any* data entered by *any* user.

    > You also want to use a platform that is nearly impossible to crack.

    Why should I care about the platform, if anybody can inject SQL??

    --
    ----------------------------------
    Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

    Reality meter: [\.......] Hmmm! It must not be working.

  • Jasen Betts

    #9
    Re: Editing a string to add a \ before a '

    On 2006-02-04, mjs7231 <mjs7231@gmail.com> wrote:
    > you also might want to try str_replace("'", "\\'", $string);

    $string="don\\'t do that.";

    Bye.
    Jasen

  • Jasen Betts

    #10
    Re: Editing a string to add a \ before a '

    On 2006-02-04, David Haynes <david.haynes2@sympatico.ca> wrote:
    > monomaniac21 wrote:
    >> Is there a function that allows you to add a \ before a ' in a string.
    >> This is needed to store text in a mysql db and I was wondering if there
    >> is a function which can do this to any ' which DO NOT already have one
    >> before them, this is so I can keep editing my text without all these \
    >> building up.
    >>
    >> Kind regards
    >>
    >> Marc
    >>
    > see addslashes()
    >
    and stripslashes()

    Bye.
    Jasen
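The backslash build-up Marc describes, the addslashes()/stripslashes() pairing, and the "escape only quotes that are not already escaped" rule he asked for, as an added example that is not from the thread. escape_quotes_once() and check() are names chosen here, and the sample text is constructed.

```php
<?php
// Added example (not code from the thread): why escapes build up when escaped
// text is saved and escaped again, and the pitfalls of "escape only once".

/** Prefix a backslash to every ' that does not already have one before it. */
function escape_quotes_once(string $text): string
{
    // Pattern (?<!\\)' matches a ' with no \ immediately before it.
    // The PHP literal "\\\\'" is the string \\' which preg_replace emits as \'
    // (a backslash in a replacement string must itself be doubled).
    return preg_replace("/(?<!\\\\)'/", "\\\\'", $text);
}

/** Print one labelled comparison so the script is self-checking. */
function check(string $label, string $actual, string $expected): void
{
    printf("%-24s %-20s %s\n", $label, $actual, $actual === $expected ? 'ok' : 'MISMATCH');
}

$original = "don't do that";                       // constructed sample text

// Escaping once at the query boundary is what addslashes() is for.
$once = addslashes($original);
check('addslashes once', $once, "don\\'t do that");

// Saving the escaped text and escaping it again on the next edit also escapes
// the earlier backslash: this is the build-up Marc sees.
$twice = addslashes($once);
check('addslashes twice', $twice, "don\\\\\\'t do that");

// stripslashes() undoes exactly one layer, so it must be paired with addslashes().
check('stripslashes', stripslashes($once), $original);

// The lookbehind version is idempotent: a second pass changes nothing.
$a = escape_quotes_once($original);
$b = escape_quotes_once($a);
check('escape_quotes_once', $a, "don\\'t do that");
check('second pass unchanged', $b, $a);

// Caveat: text containing an escaped backslash followed by a bare quote (\\')
// is misread as an already-escaped quote and left as it is, so the quote
// reaches the query unescaped. Escaped text cannot be re-escaped safely,
// which is why the raw text should be stored and escaped, or better bound as
// a parameter, only at query time.
check('ambiguous input kept', escape_quotes_once("a\\\\'b"), "a\\\\'b");
```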


  • Jim Michaels

    #11
    Re: Editing a string to add a \ before a '

    "Iván Sánchez Ortega" <i.punto.sanchez--@rroba--mirame.punto.net> wrote in
    message news:hn3gb3-npg.ln1@blackspark.escomposlinux.org...
    > noone wrote:
    >>>> $sqli = "insert into tableA values ";
    >>>> $sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";
    >>
    >> Goes without saying... merely a test example of how to enclose the
    >> varchar data with single-quote "'".
    >
    > That's an example of a SQL injection, you should know that, and you should
    > teach newbies to use RDBMS-specific techniques of escaping alphanumeric
    > data prior to its usage in any SQL statement instead of posting such an
    > example.
    >
    > This is how it should be done:
    >

    how about one line with a little more security:

    <?php
    $sqli = "INSERT INTO tableA VALUES ('" .
    str_replace(";","",mysql_real_escape_string($_POST['varchar'])) . "'," .
    intval($_POST['integer']) . ")";
    ?>

    >
    > I will reiterate myself. Never ever trust *any* data entered by *any*
    > user.
    >
    >> You also want to use a platform that is nearly impossible to crack.
    >
    > Why should I care about the platform, if anybody can inject SQL??
    >
    > --

  • Jim Michaels

    #12
    Re: Editing a string to add a \ before a '

    "Jim Michaels" <jmichae3@nospam.yahoo.com> wrote in message
    news:I66dnW_XP7dWPHTenZ2dnUVZ_t-dnZ2d@comcast.com...
    >
    > "Iván Sánchez Ortega" <i.punto.sanchez--@rroba--mirame.punto.net> wrote in
    > message news:hn3gb3-npg.ln1@blackspark.escomposlinux.org...
    >> noone wrote:
    >>>>> $sqli = "insert into tableA values ";
    >>>>> $sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";
    >>>
    >>> Goes without saying... merely a test example of how to enclose the
    >>> varchar data with single-quote "'".
    >>
    >> That's an example of a SQL injection, you should know that, and you
    >> should
    >> teach newbies to use RDBMS-specific techniques of escaping alphanumeric
    >> data prior to its usage in any SQL statement instead of posting such an
    >> example.
    >>
    >> This is how it should be done:
    >>
    >
    > how about one line with a little more security:
    >
    <?php
    $sqli = "INSERT INTO tableA VALUES ('" .
    str_replace(";","",mysql_real_escape_string($_POST['varchar'])) . "'," .
    intval($_POST['integer']) . ")";
    ?>

    OOPS! got the functions order-swapped. should strip semicolons out first.
    otherwise, generated html named entities will be all messed up.
    it would be even better to do a preg_match("/;/",$_POST['varchar']) to search
    for injection attempts and lockout the user.
    <?php
    $sqli = "INSERT INTO tableA VALUES ('" .
    mysql_real_escape_string(str_replace(";","",$_POST['varchar'])) . "'," .
    intval($_POST['integer']) . ")";
    ?>

    >
    >>
    >> I will reiterate myself. Never ever trust *any* data entered by *any*
    >> user.
    >>
    >>> You also want to use a platform that is nearly impossible to crack.
    >>
    >> Why should I care about the platform, if anybody can inject SQL??
    >>
    >> --
    >
    >

  • Andy Hassall

    #13
    Re: Editing a string to add a \ before a '

    On Tue, 7 Feb 2006 23:46:17 -0800, "Jim Michaels" <jmichae3@nospam.yahoo.com>
    wrote:
    > how about one line with a little more security:
    >
    > <?php
    > $sqli = "INSERT INTO tableA VALUES ('" .
    > str_replace(";","",mysql_real_escape_string($_POST['varchar'])) . "'," .
    > intval($_POST['integer']) . ")";
    > ?>

    If you're escaping the value correctly with mysql_real_escape_string and have
    enclosed that in single quotes, there's no need to remove semicolons. All
    you're doing is corrupting data; you're not adding any more security.

    --
    Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
    http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
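Andy's point in working code: when the value is bound as a parameter, the quote and the semicolon in the text are stored exactly as typed, and neither escaping nor semicolon stripping is needed. This is an added example, not code from the thread; it assumes PHP's PDO with the pdo_sqlite driver in place of the MySQL server the thread uses, and the insert_row() function, table and column names are chosen here.

```php
<?php
// Added example, not from the thread: noone's INSERT rewritten with a prepared
// statement. Uses PDO with sqlite so it runs offline; for MySQL only the DSN
// changes (e.g. "mysql:host=localhost;dbname=app"). With pdo_mysql also set
// PDO::ATTR_EMULATE_PREPARES to false so the server, not the client, binds.

/** Validate both fields and insert one row; returns the row as stored. */
function insert_row(PDO $pdo, array $post): array
{
    // Reject rather than coerce: intval('42abc') would silently become 42.
    $integer = filter_var($post['integer'] ?? '', FILTER_VALIDATE_INT);
    if ($integer === false) {
        throw new InvalidArgumentException('integer field is not an integer');
    }
    // Placeholders: the value travels separately from the SQL text, so quotes
    // and semicolons in it are data. Stripping them would only corrupt what
    // the user typed without adding any security.
    $stmt = $pdo->prepare('INSERT INTO tableA (varchar_col, integer_col) VALUES (:v, :i)');
    $stmt->bindValue(':v', (string) ($post['varchar'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':i', $integer, PDO::PARAM_INT);
    $stmt->execute();

    // Read the single row back to show what actually landed in the table.
    return $pdo->query('SELECT varchar_col, integer_col FROM tableA')
               ->fetch(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tableA (varchar_col TEXT NOT NULL, integer_col INTEGER NOT NULL)');

// Constructed stand-in for $_POST: a quote, a semicolon and SQL-looking text,
// exactly the characters the thread argued about.
$post = [
    'varchar' => "Marc's note; DROP TABLE tableA; -- still just text",
    'integer' => '42abc',
];

try {
    insert_row($pdo, $post);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

$post['integer'] = '42';
$row = insert_row($pdo, $post);
echo $row['varchar_col'] === $post['varchar'] ? "text stored intact\n" : "text corrupted\n";
echo (int) $row['integer_col'] === 42 ? "integer stored as 42\n" : "integer wrong\n";
```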


  • rlee0001

    #14
    Re: Editing a string to add a \ before a '

    Jim Michaels wrote:
    > "Jim Michaels" <jmichae3@nospam.yahoo.com> wrote in message
    > news:I66dnW_XP7dWPHTenZ2dnUVZ_t-dnZ2d@comcast.com...
    >
    > OOPS! got the functions order-swapped. should strip semicolons out first.
    > otherwise, generated html named entities will be all messed up.
    > it would be even better to do a preg_match("/;/",$_POST['varchar']) to search
    > for injection attempts and lockout the user.
    > <?php
    > $sqli = "INSERT INTO tableA VALUES ('" .
    > mysql_real_escape_string(str_replace(";","",$_POST['varchar'])) . "'," .
    > intval($_POST['integer']) . ")";
    > ?>

    Wow, as a PostgreSQL/PHP programmer I can honestly say that I am
    shocked at some of the responses on this thread. Especially from
    'noone'. But honestly, some of you guys know just enough to be
    dangerous and not much else. Be careful around big red buttons ok?

    -Robert