output escaping problem

6 Message(s) by 4 Author(s) originally posted in php sql

From: Pugi!

Date: Monday, August 13, 2007

Before I save input from a form to a data

<data, data processing, jargon> /day't*/ (Or "raw data")
	Numbers, {characters}, {images}, or other method of recording,
	in a form which can be assessed by a human or (especially)
	input into a {computer}, stored and {processed} there, or
	transmitted on some {digital channel}.  Computers nearly
	always represent data in {binary}.

	Data on its own has no meaning, only when interpreted by some
	kind of {data processing system} does it take on meaning and
	become {information}.

	People or computers can find patterns in data to perceive
	information, and information can be used to enhance
	{knowledge}.  Since knowledge is prerequisite to wisdom, we
	always want more data and information.  But, as modern
	societies verge on {information overload}, we especially need
	better ways to find patterns.

	1234567.89 is data.

	"Your bank balance has jumped 8087% to $1234567.89" is
	information.

	"Nobody owes me that much money" is knowledge.

	"I'd better talk to the bank before I spend it, because of
	what has happened to other people" is wisdom.

	(1999-04-30)

base I use (after input
filtering) mysql_real

1. Not simulated.  Often used as a specific antonym to
	{virtual} in any of its jargon senses.

	2. <mathematics> {real number}.

	[{Jargon File}]

	(1997-03-12)

_escape_string

<programming> A sequence of {data} values, usually {bytes},
	which usually stand for {characters} (a "character string").
	The {mapping} between values and characters is determined by
	the {character set} which is itself specified implcitly or
	explicitly by the environment in which the string is being
	interpreted.

	The most common character set is {ASCII} but, since the late
	1990s, there has been increased interest in larger character
	sets such as {Unicode} where each character is represented by
	more than eight {bits}.

	Most programming languages consider strings (e.g.
	"124:shabooya:\n", "hello world") basically distinct from
	numbers which are typically stored in fixed-length {binary} or
	{floating-point} representation.

	A {bit string} is a sequence of {bits}.

	(1999-12-21)

.
This means that blabla 'blabla' ... -> blabbla \'blabla\' ...
To display

1. <hardware> {monitor}.

	2. <language> A vector of pointers to {activation records}.
	The Nth element points to the activation record containing
	variables declared at {lexical depth} N.  This allows faster
	access to variables from outer {scopes} than the alternative
	of linked activation records (but most variable accesses are
	either local or global or occasionally to the immediately
	enclosing scope).  Displays were used in some {ALGOL}
	implementations.

	(1996-02-22)

this data from database in browser

<hypertext> A program which allows a person to read
	{hypertext}.  The browser gives some means of viewing the
	contents of {nodes} (or "pages") and of {navigating} from one
	node to another.

	{Netscape Navigator}, {NCSA} {Mosaic}, {Lynx}, and {W3} are
	examples for browsers for the {World-Wide Web}.  They act as
	{clients} to remote {web servers}.

	(1996-05-31)

, I use stripslashes and
htmlentities.
So far so good.

But what if input is for example a location:
D:\data\folder\file

<file system> An element of data storage in a {file system}.

	The history of computing is rich in varied kinds of files and
	{file systems}, whether ornate (e.g., {Macintosh file system}
	for a well-known case) or deficient (e.g., many simple
	pre-1980s file systems don't allow {directories}).

	However, the prototypical file has these characteristics:

	* It is a single sequence of bytes (but consider {Macintosh}
	{resource forks}).

	* It has a finite length, unlike, e.g. a {Unix} {device}.

	* It is stored in a {non-volatile storage} medium (but see
	{ramdrive}).

	* It exists (nominally) in a {directory}.

	* It has a name that it can be referred to by in file
	operations, possibly in combination with its {path}.

	Additionally, a file system may associate other information
	with a file, such as {permission} bits or other {file
	attributes}; timestamps for file creation, last revision, and
	last access; revision numbers (a` la VMS), and other kinds of
	{magic}.

	Compare: {document}.

	(1997-04-08)

.exe. Escaped this becomes D:\\data\\folder\
\file.exe
No problem here, but how can I display this in a browser again ?
Stripslashes removes \ as well as \\, so I am left with
D:datafolderfile.exe This isn't what I want, I want it to show D:\data
\folder\file.exe.Pugi!

From: Rik

Date: Monday, August 13, 2007

wrote in message:

Before I save input from a form to a database I use (after input
filtering) mysql_real_escape_string.
This means that blabla 'blabla' ... -> blabbla \'blabla\' ...

No, it means the characters that need escaping are escaped when inserting
in the database, so the data in the database is _the_same_ as your
original string. Unless somthing like magic_quotes_gpc() is enabled, in
which case you should use stripslashes() on the string before using
mysql_real_escape_string() on it.

To display this data from database in browser, I use stripslashes and
htmlentities.
So far so good.

Nope, just drop the stripslashes.
--
Rik Wasmus

From: charlespb69

Date: Tuesday, August 14, 2007

wrote in message:
wrote in message:
> Before I save input from a form to a database I use (after input
> filtering) mysql_real_escape_string.
> This means that blabla 'blabla' ... -> blabbla \'blabla\' ...
No, it means the characters that need escaping are escaped when inserting
in the database, so the data in the database is _the_same_ as your
original string. Unless somthing like magic_quotes_gpc() is enabled, in
which case you should use stripslashes() on the string before using
mysql_real_escape_string() on it.
> To display this data from database in browser, I use stripslashes and
> htmlentities.
> So far so good.
Nope, just drop the stripslashes.
--
Rik Wasmus

When using mysql_real_escape_string you do not need to use stripslashes

From: Michael Fesser

Date: Tuesday, August 14, 2007

.oO(charlespb69)

When using mysql_real_escape_string you do not need to use stripslashes

Depends on the setting of magic quotes. If they are enabled, you should
use stripslashes() before doing anything else.

Micha

From: Rik

Date: Wednesday, August 15, 2007

wrote in message:

.oO(charlespb69)
When using mysql_real_escape_string you do not need to use stripslashes
Depends on the setting of magic quotes. If they are enabled, you should
use stripslashes() before doing anything else.

Yup, and they're a big pain, so if you get the chace, disable those magic
bastards. Getting the real data provided is in the end so much easier.
--
Rik Wasmus

From: charlespb69

Date: Thursday, August 16, 2007

wrote in message:
wrote in message:
> .oO(charlespb69)
When using mysql_real_escape_string you do not need to use stripslashes
> Depends on the setting of magic quotes. If they are enabled, you should
> use stripslashes() before doing anything else.
Yup, and they're a big pain, so if you get the chace, disable those magic
bastards. Getting the real data provided is in the end so much easier.
--
Rik Wasmus

With my hosting provider

<networking, company> (IAP) A company or other origanisation
	which provides access to the {Internet} to businesses and/or
	consumers.  An IAP purchases an Internet link from another
	company that has a direct link to the Internet and resells
	portions of that {bandwidth} to the general public.

	For example, an IAP may purchase a {T1} link (1.544Mb/s) and
	resell that bandwidth in chunks consisting of {ISDN} (64Kb/s,
	128Kb/s) and analog {modems} (14.4Kb/s, 28.8Kb/s).  The IAP's
	customer base is likely to include both businesses and
	individuals.  Individual customers usually connect to the IAP
	via a modem and telephone line to a (preferably local) {point
	of presence}.

	An IAP may also be an {Internet Service Provider}.

	(1996-06-25)

I have access to the php.ini file so I can
turn off magic-quotes.

Next Message: Remote connection by proxy script.

Blogs related to output escaping problem

BigDump: Staggered MySQL Dump Importer
Note 6: If you experience problems with non-latin characters while using BigDump you have to adjust the $db_connection_char_set configuration variable in bigdump.php to match the encoding of your dump file. FAQ Q: I get an error: MySQL: ...

Re: xsl-list Digest 14 May 2007 05:10:00 -0000 Issue 1
I understand the problem with the 'disable-out-escaping', in this particular example there is no need for it because those targeted characters don't exist. Yes, I'm going back to Jeni's page to review her methods. ...

RE: Re; Grouping Titles under Correct Category
>'Disable-output-escaping' is used to mask specific HTML characters that appear in the HTML output. For example '&' Well, none of your titles contains any characters that need to be escaped, so disabling escaping has no effect. ...

Re: Preventing CDATA output in XHTML
I've poured through the FAQs and have tried everything suggested: Wrapping in , wrapping in an HTML comment, using the disable-output-escaping=yes attribute on , etc. XSL such as this: