[nycphp-talk] un-escape db content using php or ADOdb functions

Federico Ulfo rainelemental at gmail.com
Wed May 2 12:17:35 EDT 2012


The article you mentioned is from April 2004, so I could not rely on that.

Starting from PHP 5.4 magic_quotes_gpc has been removed
http://php.net/releases/5_4_0.php

Also, since PHP 5, the best way to go is to use PDO prepared statements,
which avoid any double escaping and allow you to connect to different
databases, so you don't really need ADOdb anymore.

If your database has escaped contents, you can either run a REPLACE query
(to definitively solve the problem in the database) or, as you rightly said,
use stripslashes or a custom function; it depends on what you escaped!

Also, as far as I know, mysql_real_escape_string doesn't have any reverse
function, but if you look at the docs, somebody wrote a reverse_escape for
it:
http://php.net/manual/en/function.mysql-real-escape-string.php


Hope this was helpful :)
Federico



On Wed, May 2, 2012 at 11:29 AM, Eugenio Tacchini <
eugenio.tacchini at gmail.com> wrote:

> Hi,
> I've read your interesting article:
>
> http://www.nyphp.org/phundamentals/5_Storing-Data-Submitted-Form-Displaying-Database
>
> I have a couple of questions about the function fix_magic_quotes:
> 1) Why do you disable magic_quotes_gpc and magic_quotes_sybase via
> ini_set? Fixing the content escaped by magic quotes should be enough
> in my opinion, am I wrong?
>
> 2) As far as I know, stripslashes is affected by magic_quotes_sybase,
> so if magic_quotes_sybase is on, both addslashes and stripslashes work
> in a sybase-style way. For this reason I don't think you need to use
> str_replace.
>
> And finally a more general question: are you aware of any method for
> un-escaping content based on a db-specific escape function? I mean
> something like stripslashes but specific, so: the counterpart of
> addslashes is stripslashes; is there any counterpart for
> mysql_escape_string or for the adodb function qstr or the PDO quote
> function?
> I know that, in an ideal world, we don't need them, but if an
> application has been built using an "escape everything" approach and
> you need to work with that, you need to unescape content when you
> don't use it in a query, and stripslashes doesn't work if you switch
> from addslashes to something like adodb->qstr.
>
> Thanks in advance.
>
> Cheers,
>
> ------------------
> Eugenio Tacchini
>
> dadabik.org DaDaBIK database front-end
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show-participation
>
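
The double-escaping problem discussed in this thread, as an added example that is not part of the original messages: a value that went through addslashes() before storage keeps its backslashes in the database, while a value bound through a PDO prepared statement is stored verbatim, and stripslashes() repairs only the addslashes-style rows. The `notes` table, its columns and the sample string are hypothetical, and the script assumes the pdo_sqlite extension is available.

```php
<?php
// Added example (not from the thread). Table and column names are hypothetical.
// An in-memory SQLite database is used through PDO so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, source TEXT, body TEXT)');

$input = "O'Reilly said \"hi\"";   // constructed sample input

// Read one row back by its label, again with a bound parameter.
function fetchBody(PDO $pdo, string $source): string
{
    $stmt = $pdo->prepare('SELECT body FROM notes WHERE source = :source');
    $stmt->execute([':source' => $source]);
    return (string) $stmt->fetchColumn();
}

$insert = $pdo->prepare('INSERT INTO notes (source, body) VALUES (:source, :body)');

// Legacy "escape everything" path: the value was already run through
// addslashes() (what magic_quotes_gpc did to request data) before it reached
// the data layer, so the backslashes are stored as part of the data.
$insert->execute([':source' => 'legacy', ':body' => addslashes($input)]);

// Prepared-statement path: the raw value is bound as a parameter and the
// driver keeps it separate from the SQL text, so nothing needs escaping.
$insert->execute([':source' => 'bound', ':body' => $input]);

echo 'legacy row: ', fetchBody($pdo, 'legacy'), PHP_EOL;
echo 'bound row:  ', fetchBody($pdo, 'bound'), PHP_EOL;

// One-time repair of the legacy rows. stripslashes() reverses addslashes()
// only; content escaped by a driver-specific function needs its own reverse
// mapping, which is why the fix depends on how the data was escaped.
$rows   = $pdo->query("SELECT id, body FROM notes WHERE source = 'legacy'")
              ->fetchAll(PDO::FETCH_ASSOC);
$update = $pdo->prepare('UPDATE notes SET body = :body WHERE id = :id');
foreach ($rows as $row) {
    $update->execute([':body' => stripslashes($row['body']), ':id' => $row['id']]);
}

// After the repair both rows hold the original input.
var_dump(fetchBody($pdo, 'legacy') === $input);
var_dump(fetchBody($pdo, 'bound') === $input);
```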