Hi all,
I noticed that if I add a name such as O'Toole in the address book it will display as O'Toole. Not sure if this is specific to my php config or not, or it simply needs stripslashes() function applied before outputting.
Thanks,
Justin
On Fri, Dec 30, 2005 at 08:16:40PM -0700, Justin Frydman wrote:
Hi all,
I noticed that if I add a name such as O'Toole in the address book it will display as O'Toole. Not sure if this is specific to my php config or not, or it simply needs stripslashes() function applied before outputting.
For what it's worth - I am using the following snippet I found once on the PHP website in all my projects in a global include that is loaded before every other action...
// strip magic quotes from Superglobals... if ((bool) get_magic_quotes_GPC()) { // by "php Pest" // Really EGPCSR - Environment $_ENV, GET $_GET , POST $_POST, Cookie $_COOKIE, Server $_SERVER // and their HTTP_*_VARS cousins (separate arrays, not references) and $_REQUEST $fnStripMagicQuotes = create_function( '&$mData, $fnSelf', 'if (is_array($mData)) { foreach ($mData as $mKey=>$mValue) $fnSelf($mData[$mKey], $fnSelf); return; } '. '$mData = stripslashes($mData);' ); $fnStripMagicQuotes($_POST, $fnStripMagicQuotes); // do each set of EGPCSR as you find necessary $fnStripMagicQuotes($_GET, $fnStripMagicQuotes); $fnStripMagicQuotes($_REQUEST, $fnStripMagicQuotes); }
magic_quotes is one of the most evil things in PHP - it should've been dumped in Version 4, but ...
Balu
On Tue, 3 Jan 2006, Thomas -Balu- Walter wrote:
On Fri, Dec 30, 2005 at 08:16:40PM -0700, Justin Frydman wrote:
Hi all,
I noticed that if I add a name such as O'Toole in the address book it will display as O'Toole. Not sure if this is specific to my php config or not, or it simply needs stripslashes() function applied before outputting.
For what it's worth - I am using the following snippet I found once on the PHP website in all my projects in a global include that is loaded before every other action...
// strip magic quotes from Superglobals... if ((bool) get_magic_quotes_GPC()) { // by "php Pest"
[snip]
magic_quotes is one of the most evil things in PHP - it should've been dumped in Version 4, but ...
This is plain stupid. The problem could be in the DB insertion, as you have to escape the '. But ibn a select that backslash shouldn't be there:
prueba=> INSERT INTO pruebita VALUES (default,'O'Toole'); INSERT 2193750 1 prueba=> SELECT * FROM pruebita; id | texto ----+--------- 1 | O'Toole (1 fila)
SO my question is, why would you want to strip the slashes that shouldn't be there. Mayby there is some kind of doble escape going on, so the ' are escaped first and with the second escape, the \ are escaped.
prueba=> INSERT INTO pruebita VALUES (default,'O\'Toole'); INSERT 2193751 1 prueba=> SELECT * FROM pruebita; id | texto ----+---------- 1 | O'Toole 2 | O'Toole (2 filas)
There you can see the diference. ;-)
-- 11:40:01 up 50 min, 2 users, load average: 0.06, 0.09, 0.08
Lic. Martín Marqués | SELECT 'mmarques' || Centro de Telemática | '@' || 'unl.edu.ar'; Universidad Nacional | DBA, Programador, del Litoral | Administrador
On Tue, Jan 03, 2006 at 11:50:24AM -0300, Lic. Martin Marques wrote:
This is plain stupid. The problem could be in the DB insertion, as you have to escape the '. But ibn a select that backslash shouldn't be there:
I think you got me wrong - my snippet was not meant to correct the problem, but was a personal rant about the magic_quotes problem and a solution I'm using.
Of course I'm adding a slash when querying the database (addslashes() or better mysql_real_escape_string()), but with the snippet you can be sure that the submitted data does not have any automagically added slashes in there you don't need. Then you just have to remember to always add the slashes when querying, not to remove them (if it's enabled) when printing or whatever.
Balu
On Tue, 3 Jan 2006, Thomas -Balu- Walter wrote:
On Tue, Jan 03, 2006 at 11:50:24AM -0300, Lic. Martin Marques wrote:
This is plain stupid. The problem could be in the DB insertion, as you have to escape the '. But ibn a select that backslash shouldn't be there:
I think you got me wrong - my snippet was not meant to correct the problem, but was a personal rant about the magic_quotes problem and a solution I'm using.
Reading again my post, I see it's a bit agressive. What I wanted to say is that, as you said yourself magic_quotes are not a good thing to use. They are disabled by default in php.ini.
Of course I'm adding a slash when querying the database (addslashes() or better mysql_real_escape_string()), but with the snippet you can be sure that the submitted data does not have any automagically added slashes in there you don't need. Then you just have to remember to always add the slashes when querying, not to remove them (if it's enabled) when printing or whatever.
As RC uses PEAR::DB all that has to be done is:
$query = $db->escapeSimple($query);
and PEAR::DB will use the database especific function depending on which DB server you are using. Very nice. :-)
-- 13:20:01 up 42 min, 1 user, load average: 0.03, 0.04, 0.08
Lic. Martín Marqués | SELECT 'mmarques' || Centro de Telemática | '@' || 'unl.edu.ar'; Universidad Nacional | DBA, Programador, del Litoral | Administrador
Lic. Martin Marques wrote:
On Tue, 3 Jan 2006, Thomas -Balu- Walter wrote:
On Tue, Jan 03, 2006 at 11:50:24AM -0300, Lic. Martin Marques wrote:
This is plain stupid. The problem could be in the DB insertion, as you have to escape the '. But ibn a select that backslash shouldn't be there:
I think you got me wrong - my snippet was not meant to correct the problem, but was a personal rant about the magic_quotes problem and a solution I'm using.
Reading again my post, I see it's a bit agressive. What I wanted to say is that, as you said yourself magic_quotes are not a good thing to use. They are disabled by default in php.ini.
Of course I'm adding a slash when querying the database (addslashes() or better mysql_real_escape_string()), but with the snippet you can be sure that the submitted data does not have any automagically added slashes in there you don't need. Then you just have to remember to always add the slashes when querying, not to remove them (if it's enabled) when printing or whatever.
As RC uses PEAR::DB all that has to be done is:
$query = $db->escapeSimple($query);
and PEAR::DB will use the database especific function depending on which DB server you are using. Very nice. :-)
The latest CVS version of RoundCube uses the PEAR::DB quote() method to escape the insert values according to the DB engine. magic_quotes should be disabled in the php.ini because adding stripslashes() to all incoming values is not a good solution and it strips (wanted) slashes on all machines that have disabled magic_quotes.
Regards, Thomas
On Wed, 04 Jan 2006 12:21:28 +0100, Thomas Bruederli roundcube@gmail.com wrote:
Lic. Martin Marques wrote:
As RC uses PEAR::DB all that has to be done is:
$query = $db->escapeSimple($query);
and PEAR::DB will use the database especific function depending on which DB server you are using. Very nice. :-)
The latest CVS version of RoundCube uses the PEAR::DB quote() method to escape the insert values according to the DB engine. magic_quotes should be disabled in the php.ini because adding stripslashes() to all incoming values is not a good solution and it strips (wanted) slashes on all machines that have disabled magic_quotes.
PEAR::DB quote is depricated. RC should use escapeSimple() or quoteSmart() methods.
martin wrote:
On Wed, 04 Jan 2006 12:21:28 +0100, Thomas Bruederli roundcube@gmail.com wrote:
Lic. Martin Marques wrote:
As RC uses PEAR::DB all that has to be done is:
$query = $db->escapeSimple($query);
and PEAR::DB will use the database especific function depending on which DB server you are using. Very nice. :-)
The latest CVS version of RoundCube uses the PEAR::DB quote() method to escape the insert values according to the DB engine. magic_quotes should be disabled in the php.ini because adding stripslashes() to all incoming values is not a good solution and it strips (wanted) slashes on all machines that have disabled magic_quotes.
PEAR::DB quote is depricated. RC should use escapeSimple() or quoteSmart() methods.
I recognized that a few days ago, the development version uses quoteSmart() now.
Thanks, Thomas
Lic. Martin Marques wrote:
On Tue, 3 Jan 2006, Thomas -Balu- Walter wrote:
On Tue, Jan 03, 2006 at 11:50:24AM -0300, Lic. Martin Marques wrote:
This is plain stupid. The problem could be in the DB insertion, as you have to escape the '. But ibn a select that backslash shouldn't be there:
I think you got me wrong - my snippet was not meant to correct the problem, but was a personal rant about the magic_quotes problem and a solution I'm using.
Reading again my post, I see it's a bit agressive. What I wanted to say is that, as you said yourself magic_quotes are not a good thing to use. They are disabled by default in php.ini.
Of course I'm adding a slash when querying the database (addslashes() or better mysql_real_escape_string()), but with the snippet you can be sure that the submitted data does not have any automagically added slashes in there you don't need. Then you just have to remember to always add the slashes when querying, not to remove them (if it's enabled) when printing or whatever.
As RC uses PEAR::DB all that has to be done is:
$query = $db->escapeSimple($query);
and PEAR::DB will use the database especific function depending on which DB server you are using. Very nice. :-)
The latest CVS version of RoundCube uses the PEAR::DB quote() method to escape the insert values according to the DB engine. magic_quotes should be disabled in the php.ini because adding stripslashes() to all incoming values is not a good solution and it strips (wanted) slashes on all machines that have disabled magic_quotes.
Regards, Thomas