
Thread: Javascript escape characters showing

  #1 Javascript escape characters showing

    Hi, I'm using AJAX to be able to update some fields on a form, so it updates the database.

    The problem I'm having is I have to escape the fields with mysql_real_escape_string, so the user can input apostrophes and speech marks. When I do this, however, it shows up in the edited field as "Hello test\'s with apostrophe\'s and speech\"s marks". Instead of interpreting them, it outputs them as they are. How can I get around this?
    Last edited by Snookerman; 04-22-2009 at 09:03 AM. Reason: added “Resolved” prefix

  #2

    You can either turn magic_quotes on in php.ini, or use stripslashes().

    Use this code to figure out if magic_quotes are on:
    PHP Code:
    echo get_magic_quotes_gpc() ? "Enabled" : "Disabled"; // true when magic_quotes_gpc is on for this request
    Jeremy | jfein.net


  #3

    Nice, that works (stripslashes), but I want to make sure that doing this is as safe as mysql_real_escape_string; I have to try and make it as secure as possible.

    Edit: Spoke too soon, now the fields go blank if I put in an apostrophe or speech mark =/

    Well, sort of:

    Examples -

    "Hello's" -> Blank
    "Hello''s" -> Hello''s

    So if there are two apostrophes together it works.

  #4

    Nonononono, you should stripslash when you pull the data OUT of the database; when you put the data into the database, use mysql_real_escape_string.

    Unless I'm misunderstanding something. Are you putting stuff in the db, or are malicious people over the internet? If so, when you insert the stuff use the real escape; when pulling out use stripslashes. No need to real escape twice.
    Jeremy | jfein.net

  #5

    Ahh, got ya - working now. Cheers

  #6

    Glad to help you! You're welcome!

    It seems your topic is solved. Please set the status to resolved. To do this:
    Go to your first post ->
    Edit your first post ->
    Click "Go Advanced" ->
    Then in the drop down next to the title, select "RESOLVED"
    Jeremy | jfein.net

  #7

    One more thing: when I go to edit a field and there is a > or < in there, it comes up as &gt; and &lt;. How do I stop that?

    Also, it doesn't work properly if I put in "Hello & test"; it stops when it gets to the &, and the same with the + sign.
    Last edited by Schmoopy; 04-06-2009 at 03:27 PM.

  #8

    Note that you need to use both here: stripslashes() initially, and then mysql_real_escape_string() the real value. You can also just disable magic quotes, which is a better solution to your problem.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  #9

    So, to clarify - you mean, stripslashes before inserting into database, and then real_escape for the return?

    My magic_quotes is already disabled.

    Edit: If you do mean that, it takes me back to how it was before, with \" \' etc, also not working if I put in one apostrophe.

  #10

    No: the return value from your database should not require any unescaping (though it may need escaping for HTML with htmlspecialchars() if you intend to output it directly onto a page).

    If magic_quotes is disabled then all you need to do is use mysql_real_escape_string() before putting the values into a query.

    To avoid all this mess, you can alternatively just use prepared statements and have it take care of all the escaping for you.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
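    The round trip Twey describes, as an added example that is not code from the thread: the doubly-escaped store that produces the literal \' the original post saw, beside a prepared-statement store that escapes exactly once and needs no stripslashes() on read, with htmlspecialchars() applied only at output. It uses PDO in place of the old mysql_* functions; the DSN, credentials and the `fields` table are assumptions.

```php
<?php
// Added example, not from the thread. Assumes MySQL reachable via PDO and a table
//   CREATE TABLE fields (id INT PRIMARY KEY, value TEXT);
// The DSN and credentials below are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares: values never enter SQL text
]);

// Constructed sample input, the same text as in the original post.
$input = "Hello test's with apostrophe's and speech\"s marks";

// WRONG: two escaping layers. With magic_quotes on, $_POST already carries
// addslashes()-style escaping; escaping again stores backslashes as data.
function storeTwiceEscaped(PDO $pdo, string $fromPost): void {
    $alreadySlashed = addslashes($fromPost);        // what magic_quotes did to $_POST
    $escaped        = $pdo->quote($alreadySlashed); // second layer, applied to escaped text
    $pdo->exec("REPLACE INTO fields (id, value) VALUES (1, $escaped)");
}

// RIGHT: escape once, at the query boundary, via a bound parameter.
// What is stored is the raw user text, so reading it back needs no unescaping.
function storeOnce(PDO $pdo, string $raw): void {
    $stmt = $pdo->prepare('REPLACE INTO fields (id, value) VALUES (1, :value)');
    $stmt->execute([':value' => $raw]);
}

function load(PDO $pdo): string {
    return (string) $pdo->query('SELECT value FROM fields WHERE id = 1')->fetchColumn();
}

// Output encoding is a separate concern from SQL escaping: encode for the
// context the value lands in (an HTML attribute here); never stripslashes() it.
function renderInput(string $stored): string {
    return '<input type="text" value="'
         . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '">';
}

storeTwiceEscaped($pdo, $input);
echo load($pdo), "\n";                // comes back with literal backslashes before ' and "

storeOnce($pdo, $input);
echo load($pdo), "\n";                // comes back exactly as typed
echo renderInput(load($pdo)), "\n";   // quotes become &#039; and &quot; only in the HTML
```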
