thedigicraft / Atom.CMS


Part - 36 mysqli_real_escape_string gives me forward slash #124

Open asani opened 9 years ago

asani commented 9 years ago

When I run the form with "Alan's Page" I get "Alan\'s Page"! I have gone through the code but I can't seem to find any errors in my syntax. Is this something that MySQL does wrong, or what? It should be a simple thing to resolve, but I just can't pin it down! Anyone, please help... everything is superb except for that little bug!

JasonMate commented 9 years ago

It's probably because your host has magic quotes enabled.

Are you running the variable through the stripslashes() function to remove the slashes?


asani commented 9 years ago

OK, so it's a host issue? Well, I'm using a free host for now... do you think this will be resolved when I switch to a paying host?

And I'm kind of a newbie, so your question doesn't mean anything to me right now... where should I refer to the stripslashes()? Could you write some code where it is used, as a reference?

And respect for your quick responses, dude... much appreciated!

JasonMate commented 9 years ago

I am pretty sure you can resolve the issue by removing the mysqli_real_escape_string() function. It's basically there to protect the DB from single quotes and SQL injection, but if magic quotes are enabled you won't need to run that function from the admin panel.

I would try removing the functions and see if you can break the page by adding single quotes to the body and header content.


asani commented 9 years ago

OK, so if magic quotes are not enabled at another hosting company, I would have to add the mysqli_real_escape_string() function back? And just so I don't mess up my code to the point where I can't find my problem, is this what you mean? (I'm not using a "label" column, by the way.)

From:

                $title = mysqli_real_escape_string($dbc, $_POST['title']);
                $header = mysqli_real_escape_string($dbc, $_POST['header']);
                $body = mysqli_real_escape_string($dbc, $_POST['body']);

To:

                $title = ($dbc, $_POST['title']);
                $header = ($dbc, $_POST['header']);
                $body = ($dbc, $_POST['body']);

Thanks again

JasonMate commented 9 years ago

Just comment out the old code so you have a reference in case you need to add the functions back in, like this:

                /*
                $title = mysqli_real_escape_string($dbc, $_POST['title']);
                $header = mysqli_real_escape_string($dbc, $_POST['header']);
                $body = mysqli_real_escape_string($dbc, $_POST['body']);
                */

Then write the new code like this:

                $title = $_POST['title'];
                $header = $_POST['header'];
                $body = $_POST['body'];

Now that is the raw data, so try adding some quotes to test the new code and see if it breaks anything.

Regards,

Jason M

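The two routes discussed in the comments above (run the value through stripslashes(), or drop mysqli_real_escape_string() altogether) both leave the form depending on a host setting. The following is an added example, not Atom.CMS code: it undoes magic_quotes_gpc only when the host actually has it on, and then stores the page with a bound prepared statement, so the single quote in "Alan's Page" is never escaped twice and never concatenated into SQL. The `pages` table, its columns and the connection credentials are assumptions for the example.

```php
<?php
// Added example, not Atom.CMS project code. Assumes a mysqli connection
// and a hypothetical table `pages` (title, header, body).

/**
 * True when the host still has magic_quotes_gpc enabled (PHP < 5.4).
 * Magic quotes put a backslash before ' " \ and NUL in every request
 * value, so escaping on top of that stores "Alan\'s Page".
 * get_magic_quotes_gpc() is gone in PHP 8, hence the function_exists() guard.
 */
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

/** Return the request value as the user typed it, whatever the host setting. */
function normalize_request_value($value)
{
    if (is_array($value)) {
        return array_map('normalize_request_value', $value);
    }
    return magic_quotes_active() ? stripslashes($value) : $value;
}

/**
 * Insert a page with a prepared statement. The values are bound as
 * parameters, never spliced into the query text, so no escaping
 * function is needed and none can be applied twice.
 */
function save_page(mysqli $dbc, $title, $header, $body)
{
    $stmt = $dbc->prepare(
        'INSERT INTO pages (title, header, body) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbc->error);
    }
    $stmt->bind_param('sss', $title, $header, $body);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Assumed credentials; replace with the site's own.
$dbc = new mysqli('localhost', 'user', 'pass', 'atomcms');
$dbc->set_charset('utf8mb4'); // binding and escaping are charset-aware

$title  = normalize_request_value($_POST['title']);
$header = normalize_request_value($_POST['header']);
$body   = normalize_request_value($_POST['body']);

save_page($dbc, $title, $header, $body);
```

To confirm which case a given host is in, `var_dump(ini_get('magic_quotes_gpc'))` from a PHP 5.3 box prints the setting directly; on PHP 5.4 and later it is always off, and the stripslashes() branch simply never runs.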

asani commented 9 years ago

Worked like a charm! Thank you very much! You rock!

creptor commented 9 years ago

You should be careful about deleting the filters. If someone gets access to the file... like with a POST from another page, he could remove all your database data :cry:

JasonMate commented 9 years ago

Here's the culprit: http://php.net/manual/en/security.magicquotes.php


creptor commented 9 years ago

My recommendation is to use FILTER_SANITIZE_SPECIAL_CHARS; this converts those symbols into UTF-8 (if I'm correct), so there won't be problems with special chars and they will be visible. Here is a link: http://www.w3schools.com/php/filter_sanitize_special_chars.asp

PS: w3schools is not the best place to find answers, but it's the first match on Google :3

JasonMate commented 9 years ago

I'm pretty sure that won't work as intended for this particular problem. That filter will also convert HTML chars to entities, and output the HTML tags instead of rendering them.


creptor commented 9 years ago

The problem is that you can't have HTML code in correctly sanitized strings. But what you can do is add html_entity_decode($string), so it converts the HTML back from the sanitized content.

PS: I'm not sure if the best option is to use FILTER_SANITIZE_SPECIAL_CHARS or FILTER_SANITIZE_STRING.
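The FILTER_SANITIZE_SPECIAL_CHARS plus html_entity_decode() pairing proposed in the last two comments escapes for the HTML context and then reverses that escaping, so by the time the value reaches the query it is the raw string again. The following is an added example, not Atom.CMS code; it runs without a database by returning the SQL text that the stripped-down version of the form (raw $_POST values concatenated into the query) would send. The `pages` table, the UPDATE statement and the two inputs are constructed for the example.

```php
<?php
// Added example, not Atom.CMS project code. Demonstrates that HTML-entity
// sanitising followed by decoding is a no-op for SQL safety.

/** What FILTER_SANITIZE_SPECIAL_CHARS does: entity-encode ' " < > & and control chars. */
function sanitize_for_html($value)
{
    return filter_var($value, FILTER_SANITIZE_SPECIAL_CHARS);
}

/** The decode step suggested above; ENT_QUOTES so &#39; becomes ' again. */
function restore_from_html($value)
{
    return html_entity_decode($value, ENT_QUOTES, 'UTF-8');
}

/**
 * The query shape the thread ends up with once escaping is removed:
 * the value is concatenated straight into SQL. Returned as text so the
 * effect is visible without a database.
 */
function build_update_query_unsafely($id, $title)
{
    return "UPDATE pages SET title = '" . $title . "' WHERE id = " . (int) $id;
}

// Constructed inputs: the title from the original report, and a hostile one.
$legit   = "Alan's Page";
$hostile = "x' WHERE 1=1 -- ";

// 1. Round trip: the filter encodes the quote, the decoder puts it back.
$encoded = sanitize_for_html($legit);    // Alan&#39;s Page
$decoded = restore_from_html($encoded);  // Alan's Page
assert($decoded === $legit);

// 2. The legitimate title yields the intended statement.
echo build_update_query_unsafely(5, $decoded), "\n";
// UPDATE pages SET title = 'Alan's Page' WHERE id = 5   <- already a syntax error

// 3. The hostile title, after the same sanitize/decode pair, comments out
//    the WHERE clause and rewrites the title of every row in the table.
echo build_update_query_unsafely(5, restore_from_html(sanitize_for_html($hostile))), "\n";
// UPDATE pages SET title = 'x' WHERE 1=1 -- ' WHERE id = 5
```

The point the last line makes is that each escaping scheme protects exactly one context: FILTER_SANITIZE_SPECIAL_CHARS or htmlspecialchars() belong at output time, and mysqli_real_escape_string() or, better, bound parameters belong at query time. Applying one and undoing it before the other context is reached protects neither.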