problem passing quote and double quote in IE7 pages

[Joseph Stateson]

I just started calling a php module from html. I added "php rocket" from
microsoft to FP2003 but dont think that is the cause.

The problem is that I am getting a backslash before a double or single quote
and I cannot figure out how to get ride of it.

$query = 'SELECT * FROM cpuinfo where Description like "%xcell%" or
Description like "%q6600%" ';

The above works perfectly but if I attempt to pass the sql string into the
page as follows:

sqlCMD = 'SELECT * FROM cpuinfo where Description like "%xcell%" or
Description like "%q6600%" ';
window.open("cpustats.php?sqlCMD=" + sqlCMD,"_blank");

I see the following on the IE7 explorer address bar:

myserver/mysite/cpustats.php?sqlCMD=SELECT * FROM cpuinfo where Description
like "%xcell%" or Description like "%q6600%"

AGAIN, ONE WOULD THINK THERE IS NOTHING WRONG WITH THE ABOVE.

Low and behold, the following code
$query = $_REQUEST['sqlCMD'] ;
print ($query);

gets expanded to:

SELECT * FROM cpuinfo where Description like \"%xcell%\" or Description like
\"%q6600%\"

I do not know why I see the backslash before the quote. Swapping single and
double quotes has no effect. $_REQUEST seems to substitute backslash before
any quote in a string. My guess is that IE7 (also FF) put it in. The MySql
query fails as it does not handle the backslash before the double (or
single) quote. I would hate to have to parse thru the string and remove the
backslash character when it is before a quote.

anyway, I am open to any suggestions. I am tired of googleing this. All I
found on google were attempts to add backslashes, not get rid of them.


...tia..

ps - if I actually add a \" then I get three backslashes.

 

[Álvaro G. Vicario]

Joseph Stateson escribió:

I just started calling a php module from html. I added "php rocket" from
microsoft to FP2003 but dont think that is the cause.

The problem is that I am getting a backslash before a double or single quote
and I cannot figure out how to get ride of it.

These are the infamous "magic quotes":

http://es2.php.net/magic_quotes

To sum up: disable them. Set magic_quotes_gpc to off in your php.ini file.

By the way... They've been disabled by default for several years now so
it's likely that you have some other discouraged settings in your PHP
config. Check, for instance, register_globals:

http://es2.php.net/register_globals

sqlCMD = 'SELECT * FROM cpuinfo where Description like "%xcell%" or
Description like "%q6600%" ';
window.open("cpustats.php?sqlCMD=" + sqlCMD,"_blank");

This is an interesting architecture. So users can remotely query any
random data they want? Can they also run inserts and deletes?

 

[Ronx]

myserver/mysite/cpustats.php?sqlCMD=SELECT * FROM cpuinfo where
Description like "%xcell%" or Description like "%q6600%"


There's a lot wrong with that. Before adding the querystring to the URL
it will have to be encoded

It should be something like:
myserver/mysite/cpustats.php?sqlCMD=SELECT%20*%20FROM%20cpuinfo%20where%20Description%20like%20%22%25xcell%25%22%20or%20Description%20like%20%22%25q6600%25%22

Notice that all spaces have been changed to %20, all quotes to %22, and
all % to %25. As an alternative, the spaces could be changed to +
instead of %20.

The page cpustats.php will have to change these entities back before
processing the SQL.

In asp the encoding is done using Server.URLEncode(stringToEncode). I
don't know the method for PHP.

Note that % is a reserved character in a URL, which is why it has to be
changed, and some browsers stop reading querystrings at the first space.

--
Ron Symonds - Microsoft MVP (Expression)
Reply only to group - emails will be deleted unread.

http://www.rxs-enterprises.org/fp

I just started calling a php module from html. I added "php rocket" from
microsoft to FP2003 but dont think that is the cause.

The problem is that I am getting a backslash before a double or single quote
and I cannot figure out how to get ride of it.

$query = 'SELECT * FROM cpuinfo where Description like "%xcell%" or
Description like "%q6600%" ';

The above works perfectly but if I attempt to pass the sql string into the
page as follows:

sqlCMD = 'SELECT * FROM cpuinfo where Description like "%xcell%" or
Description like "%q6600%" ';
window.open("cpustats.php?sqlCMD=" + sqlCMD,"_blank");

I see the following on the IE7 explorer address bar:

myserver/mysite/cpustats.php?sqlCMD=SELECT * FROM cpuinfo where Description
like "%xcell%" or Description like "%q6600%"

AGAIN, ONE WOULD THINK THERE IS NOTHING WRONG WITH THE ABOVE.

Low and behold, the following code
$query = $_REQUEST['sqlCMD'] ;
print ($query);

gets expanded to:

SELECT * FROM cpuinfo where Description like \"%xcell%\" or Description like
\"%q6600%\"

I do not know why I see the backslash before the quote. Swapping single and
double quotes has no effect. $_REQUEST seems to substitute backslash before
any quote in a string. My guess is that IE7 (also FF) put it in. The MySql
query fails as it does not handle the backslash before the double (or
single) quote. I would hate to have to parse thru the string and remove the
backslash character when it is before a quote.

anyway, I am open to any suggestions. I am tired of googleing this. All I
found on google were attempts to add backslashes, not get rid of them.


..tia..

ps - if I actually add a \" then I get three backslashes.

 

[Joseph Stateson]

giving up the right to remain silent

Joseph Stateson escribió:

These are the infamous "magic quotes":

http://es2.php.net/magic_quotes

thanks Álvaro I would not have known to google magic quotes. I did get as
far as "extra quote php" before giving up.

To sum up: disable them. Set magic_quotes_gpc to off in your php.ini file.

By the way... They've been disabled by default for several years now so
it's likely that you have some other discouraged settings in your PHP
config. Check, for instance, register_globals:

http://es2.php.net/register_globals

I hunted, but never found that php.ini file. I am a home yahoo'er and have
yahoo web space and yahoo.com provides MySql and shows database examples
only in perl and php. They do not do aspx or I would be using that. If I
have a php.ini file somewhere I cannot find php.ini in my home pages but I
might have missed it as I was using ftp to browse the directories. I
downloaded odbc drivers for FP2003 but they will not connect to yahoo's
server so that is how I got into php. I suspect their server has the
php.ini file and I do not have access to it.

I followed yahoo's instructions and created their MySql database at
http://swri.info/gpustats I had been hoping that microsoft would buy yahoo
and fix some other problems and magic_quotes is one more they could fix. I
had a hunch something was wrong when a newbie like me found an error in
yahoo's one and only sample perl script at
http://help.yahoo.com/l/us/att/smallbusiness/webhosting/mysql/mysql-12.html
eg:, the: $row[0\
I got a thankyou this morning for notifiying them, but am not holding my
breath. I will now complain about the magic quotes but I dont think they
will do anything.

This is an interesting architecture. So users can remotely query any
random data they want? Can they also run inserts and deletes?

yea - I am not yet checking for malicious code yet. I was lucky to get my
first ever php page working and it was nice to be able to change the query
from explorer or FF while debugging. I will probably pass the sql command
in a psudo-session variable. That too, is subject to getting hacked but is
not as obvious as providing the sql command in the url.

...thanks..

Joseph "Beemer Biker" Stateson
http://ResearchRiders.org
ask about my 1999 R1100RT

 

[Álvaro G. Vicario]

Joseph Stateson escribió:

thanks Álvaro I would not have known to google magic quotes. I did get as
far as "extra quote php" before giving up.

First of all, make sure your problem is related to PHP settings. You can
read your current config with phpinfo(), which prints an HTML table with
all the configuration values.

I hunted, but never found that php.ini file. I am a home yahoo'er and have
yahoo web space and yahoo.com provides MySql and shows database examples
only in perl and php.

The previous script will tell you the path of the php.ini file in use.
In shared hosting, you might have a custom php.ini file for yourself
(somewhere in your FTP space) or you might not. If you don't, you can
provide PHP settings in some other ways, but it depends on many
factors... However, a quick look at the Yahoo help suggest that you
can't really change anything:

http://help.yahoo.com/l/us/att/smallbusiness/webhosting/php/php-36.html

As last resort, you can always remove these extra backslashes with
stripslashes(). See example #2 at:

http://us2.php.net/manual/en/security.magicquotes.disabling.php

 

[Joseph Stateson]

giving up the right to remain silent

Joseph Stateson escribió:

First of all, make sure your problem is related to PHP settings. You can
read your current config with phpinfo(), which prints an HTML table with
all the configuration values.



The previous script will tell you the path of the php.ini file in use. In
shared hosting, you might have a custom php.ini file for yourself
(somewhere in your FTP space) or you might not. If you don't, you can
provide PHP settings in some other ways, but it depends on many factors...
However, a quick look at the Yahoo help suggest that you can't really
change anything:

http://help.yahoo.com/l/us/att/smallbusiness/webhosting/php/php-36.html

As last resort, you can always remove these extra backslashes with
stripslashes(). See example #2 at:

http://us2.php.net/manual/en/security.magicquotes.disabling.php

I tried putting php.ini in the directory with the scripts but it had no
effect. The #2 did work (deep backslash).

It was not possible to use that psudo-session variable because php runs at
the server and jscript at the browser. I am allowing only the "where" part
of the sql command to be utilized so I should be ok and I am also using an
encode as suggested by Ronx. I also figured out what I was doing wrong
and no longer need to use that psudo-session variable to retain info in the
html page. If I knew more about php *AND* it had a drag and drop
toolkit like frontpage or Visual Studio, I would do all the coding in php.

http://swri.info/cpustats