problem passing quote and double quote in IE7 pages

Re: problem passing quote and double quote in IE7 pages

Joseph Stateson escribió:These are the infamous "magic quotes":



To sum up: disable them. Set magic_quotes_gp c to off in your php.ini file.

By the way... They've been disabled by default for several years now so
it's likely that you have some other discouraged settings in your PHP
config. Check, for instance, register_global s:


This is an interesting architecture. So users can remotely query any
random data they want? Can they also run inserts and deletes?

--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://bits.demogracia.com
-- Mi web de humor al baño María: http://www.demogracia.com
--

Re: problem passing quote and double quote in IE7 pages

myserver/mysite/cpustats.php?sq lCMD=SELECT * FROM cpuinfo where
Description like "%xcell%" or Description like "%q6600%"


There's a lot wrong with that. Before adding the querystring to the URL
it will have to be encoded

It should be something like:
myserver/mysite/cpustats.php?sq lCMD=SELECT%20* %20FROM%20cpuin fo%20where%20De scription%20lik e%20%22%25xcell %25%22%20or%20D escription%20li ke%20%22%25q660 0%25%22

Notice that all spaces have been changed to %20, all quotes to %22, and
all % to %25. As an alternative, the spaces could be changed to +
instead of %20.

The page cpustats.php will have to change these entities back before
processing the SQL.

In asp the encoding is done using Server.URLEncod e(stringToEncod e). I
don't know the method for PHP.

Note that % is a reserved character in a URL, which is why it has to be
changed, and some browsers stop reading querystrings at the first space.

--
Ron Symonds - Microsoft MVP (Expression)
Reply only to group - emails will be deleted unread.






"Joseph Stateson" <josephstateson @att.netwrote in message
news:fVtSk.6847 $c45.4588@nlpi0 65.nbdc.sbc.com :

Re: problem passing quote and double quote in IE7 pages

giving up the right to remain silent
""Álvaro G. Vicario"" <alvaroNOSPAMTH ANKS@demogracia .comwrote in message
news:gfe3oq$qtf $1@huron.algoma s.org...thanks Álvaro I would not have known to google magic quotes. I did get as
far as "extra quote php" before giving up.
I hunted, but never found that php.ini file. I am a home yahoo'er and have
yahoo web space and yahoo.com provides MySql and shows database examples
only in perl and php. They do not do aspx or I would be using that. If I
have a php.ini file somewhere I cannot find php.ini in my home pages but I
might have missed it as I was using ftp to browse the directories. I
downloaded odbc drivers for FP2003 but they will not connect to yahoo's
server so that is how I got into php. I suspect their server has the
php.ini file and I do not have access to it.

I followed yahoo's instructions and created their MySql database at
http://swri.info/gpustats I had been hoping that microsoft would buy yahoo
and fix some other problems and magic_quotes is one more they could fix. I
had a hunch something was wrong when a newbie like me found an error in
yahoo's one and only sample perl script at

eg:, the: $row[0\
I got a thankyou this morning for notifiying them, but am not holding my
breath. I will now complain about the magic quotes but I dont think they
will do anything.
yea - I am not yet checking for malicious code yet. I was lucky to get my
first ever php page working and it was nice to be able to change the query
from explorer or FF while debugging. I will probably pass the sql command
in a psudo-session variable. That too, is subject to getting hacked but is
not as obvious as providing the sql command in the url.

...thanks..

Joseph "Beemer Biker" Stateson

ask about my 1999 R1100RT

Re: problem passing quote and double quote in IE7 pages

giving up the right to remain silent
"Ronx" <ronx917@hotmai l.comwrote in message
news:Ovw$9JKRJH A.4492@TK2MSFTN GP06.phx.gbl...<big snip>

Thanks Ron, I will come up with another way to pass the query from my FP2003
project to the php code. The php code was written to allow FP2003 to access
the yahoo MySql server that is "free" on my home web page. It would be nice
if microsoft would buy yahoo and start supporting aspx , sqlserver and still
keep it "free".

Anyway, I found a psudo-session variable tool
- sessvars ver 1.01
- JavaScript based session object
- copyright 2008 Thomas Frank

and will be using that to pass the sql string to my php page when it loads.


Joseph "Beemer Biker" Stateson

ask about my 1999 R1100RT

Re: problem passing quote and double quote in IE7 pages

Joseph Stateson escribió:First of all, make sure your problem is related to PHP settings. You can
read your current config with phpinfo(), which prints an HTML table with
all the configuration values.

The previous script will tell you the path of the php.ini file in use.
In shared hosting, you might have a custom php.ini file for yourself
(somewhere in your FTP space) or you might not. If you don't, you can
provide PHP settings in some other ways, but it depends on many
factors... However, a quick look at the Yahoo help suggest that you
can't really change anything:



As last resort, you can always remove these extra backslashes with
stripslashes(). See example #2 at:





--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://bits.demogracia.com
-- Mi web de humor al baño María: http://www.demogracia.com
--

Re: problem passing quote and double quote in IE7 pages

giving up the right to remain silent
""Álvaro G. Vicario"" <alvaroNOSPAMTH ANKS@demogracia .comwrote in message
news:gfes5u$48h $1@huron.algoma s.org...I tried putting php.ini in the directory with the scripts but it had no
effect. The #2 did work (deep backslash).

It was not possible to use that psudo-session variable because php runs at
the server and jscript at the browser. I am allowing only the "where" part
of the sql command to be utilized so I should be ok and I am also using an
encode as suggested by Ronx. I also figured out what I was doing wrong
and no longer need to use that psudo-session variable to retain info in the
html page. If I knew more about php *AND* it had a drag and drop
toolkit like frontpage or Visual Studio, I would do all the coding in php.