output escaping problem

Before I save input from a form to a database I use (after input
filtering) mysql_real_escape_string.
This means that blabla 'blabla' ... -> blabbla \'blabla\' ...
To display this data from database in browser, I use stripslashes and
htmlentities.
So far so good.

But what if input is for example a location:
D:\data\folder\file.exe. Escaped this becomes
D:\\data\\folder\\file.exe
No problem here, but how can I display this in a browser again?
Stripslashes removes \ as well as \\, so I am left with
D:datafolderfile.exe. This is not what I want, I want it to show
D:\data\folder\file.exe.


Pugi!
puginews [ Mon, 13 August 2007 15:12 ] [ ID #1794003 ]

Re: output escaping problem

On Mon, 13 Aug 2007 15:12:15 +0200, Pugi! <puginews [at] gmail.com> wrote:

> Before I save input from a form to a database I use (after input
> filtering) mysql_real_escape_string.
> This means that blabla 'blabla' ... -> blabbla \'blabla\' ...

No, it means the characters that need escaping are escaped when inserting
in the database, so the data in the database is _the_same_ as your
original string. Unless something like magic_quotes_gpc() is enabled, in
which case you should use stripslashes() on the string before using
mysql_real_escape_string() on it.

> To display this data from database in browser, I use stripslashes and
> htmlentities.
> So far so good.

Nope, just drop the stripslashes.
--
Rik Wasmus
luiheidsgoeroe [ Mon, 13 August 2007 15:29 ] [ ID #1794004 ]

Re: output escaping problem

On Aug 13, 6:29 am, Rik <luiheidsgoe... [at] hotmail.com> wrote:
> On Mon, 13 Aug 2007 15:12:15 +0200, Pugi! <pugin... [at] gmail.com> wrote:
> > Before I save input from a form to a database I use (after input
> > filtering) mysql_real_escape_string.
> > This means that blabla 'blabla' ... -> blabbla \'blabla\' ...
>
> No, it means the characters that need escaping are escaped when inserting
> in the database, so the data in the database is _the_same_ as your
> original string. Unless something like magic_quotes_gpc() is enabled, in
> which case you should use stripslashes() on the string before using
> mysql_real_escape_string() on it.
>
> > To display this data from database in browser, I use stripslashes and
> > htmlentities.
> > So far so good.
>
> Nope, just drop the stripslashes.
> --
> Rik Wasmus

When using mysql_real_escape_string you don't need to use stripslashes
charlespb69 [ Wed, 15 August 2007 02:40 ] [ ID #1796132 ]

Re: output escaping problem

.oO(charlespb69)

>When using mysql_real_escape_string you don't need to use stripslashes

Depends on the setting of magic quotes. If they are enabled, you should
use stripslashes() before doing anything else.

Micha
Michael Fesser [ Wed, 15 August 2007 02:45 ] [ ID #1796133 ]

Re: output escaping problem

On Wed, 15 Aug 2007 02:45:27 +0200, Michael Fesser <netizen [at] gmx.de> wrote:

> .oO(charlespb69)
>
>> When using mysql_real_escape_string you don't need to use stripslashes
>
> Depends on the setting of magic quotes. If they are enabled, you should
> use stripslashes() before doing anything else.

Yup, and they're a big pain, so if you get the chance, disable those magic
bastards. Getting the real data provided is in the end so much easier.
--
Rik Wasmus
luiheidsgoeroe [ Wed, 15 August 2007 10:51 ] [ ID #1796134 ]
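
The round trip discussed in this thread, as an added example that is not part of any poster's message: undo magic quotes once at input, let the database layer handle SQL quoting, and HTML-encode only at output. It assumes PHP with the pdo_sqlite extension; an in-memory SQLite database with a bound parameter stands in for MySQL and mysql_real_escape_string, `undo_magic_quotes()` is a hypothetical helper, and the sample value is constructed.

```php
<?php
// Added example, not code from the thread. The sample value is constructed.
// Double-quoted PHP literal: each \\ below is one real backslash.
$typed = "D:\\data\\folder\\file.exe 'quoted' <b>bold</b>";

// Hypothetical helper: with magic quotes on, PHP handed the script
// addslashes($typed) instead of $typed. Undo that once, at input only.
function undo_magic_quotes(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Simulate a magic-quoted request value, then recover what was typed.
$received = addslashes($typed);
$raw = undo_magic_quotes($received, true);
if ($raw !== $typed) {
    throw new RuntimeException('input was not restored to the typed value');
}

// Storage: SQL quoting (a bound parameter here, mysql_real_escape_string
// in the thread) protects the statement only. The stored value is the
// typed value, with no extra backslashes to strip later.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, location TEXT)');
$insert = $db->prepare('INSERT INTO files (location) VALUES (:location)');
$insert->execute([':location' => $raw]);
$stored = $db->query('SELECT location FROM files')->fetchColumn();
if ($stored !== $typed) {
    throw new RuntimeException('stored value differs from the typed value');
}

// Output as in the original question: stripslashes() removes the real
// backslashes of the path before the value is HTML-encoded.
$broken = htmlentities(stripslashes($stored), ENT_QUOTES, 'UTF-8');

// Output as advised in the reply: HTML-encode only.
$correct = htmlentities($stored, ENT_QUOTES, 'UTF-8');

echo "with stripslashes:    ", $broken, "\n";
echo "without stripslashes: ", $correct, "\n";
```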

Re: output escaping problem

On Aug 15, 1:51 am, Rik <luiheidsgoe... [at] hotmail.com> wrote:
> On Wed, 15 Aug 2007 02:45:27 +0200, Michael Fesser <neti... [at] gmx.de> wrote:
> > .oO(charlespb69)
>
> >> When using mysql_real_escape_string you don't need to use stripslashes
>
> > Depends on the setting of magic quotes. If they are enabled, you should
> > use stripslashes() before doing anything else.
>
> Yup, and they're a big pain, so if you get the chance, disable those magic
> bastards. Getting the real data provided is in the end so much easier.
> --
> Rik Wasmus

With my hosting provider I have access to the php.ini file so I can
turn off magic-quotes.
charlespb69 [ Thu, 16 August 2007 06:27 ] [ ID #1796953 ]
