views: 71
answers: 5

Updated: The textarea I have provided in the form takes the user input as strings.

A string containing double quotes is inserted incompletely into the DB.

I have a string entered in the textarea as:

"Don't worry too much about layout/design/text size, we will often "spice up" (i.e. bold, italic, spacing) your banner for a better overall look.

And when I insert the string into the DB, the string ends at

Don't worry too much about layout/design/text size, we will often

and is inserted only partially. What should I do to allow all the single and double quotes to be inserted?

EDIT ON REQUEST

Below is the query I am using to insert into the database using PHP:

$query = "insert into products_description (products_id, products_name, products_logo_name1, products_logo_name2, products_logo_name3, products_description)"
    . " values ('" . (int)$products_id . "', 'banner_" . $products_id . "', '" . $_POST['logoimage1'] . "', '" . $_POST['logoimage2'] . "', '" . $_POST['logoimage3'] . "', '" . mysql_real_escape_string($_POST['description']) . "')";

Here mysql_real_escape_string($_POST['description']) is not escaping double quotes, and hence the string is truncated on insertion. What should be done?

+2  A: 

Escape the double quotes inside the string, like so:

$theString = "Hello, i wonder what all these \"quotes\" are doing in here...";

The backslash will tell the compiler to ignore the "meaning" of the following double quote and treat it like a normal character (this is what we call "escaping").

Also check out mysql_real_escape_string() when working with user input (this will automatically escape all dangerous elements in strings for use in a MySQL database).

Powertieke
The text will be inserted through a text box by a user, hence it's dynamic. Is there any function in PHP to make it happen dynamically?
OM The Eternity
Check the edit :)
Powertieke
Changed the escape function. `mysql_escape_string` is deprecated and should not be trusted. The real function to use is `mysql_real_escape_string`. I also added a doc link. Otherwise, the sentiment is right, so +1...
ircmaxell
I used the function. It still doesn't escape double quotes; it stores the string as " Don\'t worry too much about layout/design/text size, we will often "
OM The Eternity
Please show us some code...
Powertieke
Check the updated question; I have given the query I am using.
OM The Eternity
Did you try printing out ( echo($_POST['description']); ) the string before inserting it into the database? Better yet, echo the entire query (so all of the replaced vars are visible). I'm starting to think this is more of a display problem than a database problem...
Powertieke
Yes, I did this. In fact, as per the requirement I have to display the string to the user before insertion, and at the place of display I get the complete string displayed.
OM The Eternity
Did you physically check the database table? Maybe you should check the get query, and the way the string gets handled from there...
Powertieke
A: 

Use the function mysql_real_escape_string() if it's coming from user input.

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

Andy E
This cannot be a reason.
Col. Shrapnel
@Col: your comment makes no sense. What cannot be a reason for what?
Andy E
I used the function. It still doesn't escape double quotes; it stores the string as " Don\'t worry too much about layout/design/text size, we will often "
OM The Eternity
If it was a database escaping issue, no string would have been inserted at all, because of a syntax error.
Col. Shrapnel
@Col: Yeah, I see what you're saying, but he specifically said half the string was inserted. If he wasn't using *mysql_real_escape_string()* which, looking at latest comment he wasn't, he still would have had problems.
Andy E
Your comment makes no sense. Lack of escaping is apparently not the reason for the string truncating.
Col. Shrapnel
@Andy, could you tell me something more about it?
OM The Eternity
@Col: I'm pointing out that even though his problem may not be a lack of escaping, he still needs it. If he fixed his truncating problem, he'd still need real escaping to insert the string into the database.
Andy E
What brilliant advice. Tell me, Andy, what do you mean by saying `if it's coming from user input?` Does it mean that if this string is not coming from user input, then there is no need to escape it?
Col. Shrapnel
and this function doesn't make any data "safe".
Col. Shrapnel
@Col. Really, there's no need for trolling. I never said it made the data "safe". Read it again, and you'll see I said it escaped it. When I wrote *"if it's coming from user input"* I was making an assumption before he updated his post to verify that and it was intended as an alternative to the first revision of Powertieke's answer. Good manners go a long way on the Internet.
Andy E
@Andy that's what made me mad and made me yell in my comments on his replies. Anyway, thanks for all your attention and answers. BTW, I agree with your advice to Col about good manners; he is a bit rude in replies, but I am thankful for his guidance.
OM The Eternity
@OMTheEternity: No problem at all, you're very welcome :-)
Andy E
Maybe my manners are bad, but your answer is worse. 2 big mistakes in it, and none of your excuses can help it.
Col. Shrapnel
@Col Shrapnel: How pathetic of you. I called you out on your trolling so you down voted me and tried to blame it on my answer having "2 big mistakes". Fortunately for you, I don't do retaliatory down voting. /Feeding
Andy E
You think too much of trolls. There are fewer of them around than you imagine. While you just disown your own words. I can still see with my eyes `This function must .. be used to make data safe`. And you deny you have said that! Who is the troll then?
Col. Shrapnel
@Col. *I* didn't say that. That's a direct quote from the PHP manual, hence the use of the `<blockquote>` element. Maybe you should take your trolling to them instead of wasting your time here.
Andy E
@Warriors Cease Fire
OM The Eternity
Makes sense. Sure, I'm gonna give a few slaps to those manual guys. But there is still that ridiculous expression about escaping user input only (I see no other way to interpret it).
Col. Shrapnel
+2  A: 

LOL
I haven't read the whole question, but I am sure I know the answer:

it's being inserted into database all right, then retrieved all right, and then goes into HTML form's field value... ;-)

Well, seriously.
You have to follow your data step by step.
There is some evil code in your application that does some evil things.
You have to follow your data flow and check at what stage it gets spoiled.
Just print your data out at these steps:

  • after receiving form data
  • before inserting into database
  • after retrieving from database
  • before printing back into form

That's your general fault: you take a multi-stage process as a single step.
You watch your string being inserted into the textarea, and the next time you see it in this textarea it is truncated. And you think it's a database issue. But you cannot be so sure - there are many steps where the database isn't involved. Watch your app not as a solid block but as a multiple-stage process.

Col. Shrapnel
@Col, don't LOL, give me some help... :-)
OM The Eternity
@Col: Since he says it's a textarea, unescaped quotes won't affect it in the way you're implying, as they would for other input field types. (Angle-brackets will affect it, though, so the data does still need to be sanitised before being re-displayed back to the page).
Spudley
@Spudley yeah, I see his edit. Well, it's some other weird code then.
Col. Shrapnel
@Spudley and @Col: I am using a simple insert query, with the mysql_real_escape_string() function applied to the $_POST values to be inserted in the DB.
OM The Eternity
I have already done all that; for more details see the updated question.
OM The Eternity
@OM well where does it get truncated? at what step?
Col. Shrapnel
@Col I have followed the whole step-by-step process as you suggested; everything is fine before insertion into the DB.
OM The Eternity
@Col at the point when the string is inserted into the DB, and I am sure it is because of the double quotes.
OM The Eternity
@OM never be sure out of guessing. Never. A good programmer always runs the code to be sure.
Col. Shrapnel
Actually, there is nothing in your code that can truncate this string.
Col. Shrapnel
Thanks @Col for the experienced guidance, brother. I really did echo before inserting into the DB, and I got the complete string displayed.
OM The Eternity
Yes, I did this. In fact, as per the requirement I have to display the string to the user before insertion, and at the place of display I get the complete string displayed.
OM The Eternity
@OM well now try to display it out of database.
Col. Shrapnel
@Col I got this issue reported by a client, who gets his data displayed incomplete. After fetching from the DB I also get incomplete data, BECAUSE THE DATA INSERTED IS INCOMPLETE. I have access to the DB and I can see the incomplete data inserted.
OM The Eternity
@Om what client are you talking about? You have to reproduce the whole issue in your development environment.
Col. Shrapnel
Calm down man...
Powertieke
@Om no, I can't. You are talking of different things all the time: database, client, escaping, everything. As a matter of fact, I have no such issue in my hundreds of scripts. And I can assure you it's not a database or PHP issue, but your code. You can yell here for hours, but it won't help you a bit. You have to start to debug your code, diligently and attentively. To assure yourself, not me. I have no problem of this kind. Good luck in debugging.
Col. Shrapnel
@COL Apologies, You were always right.....
OM The Eternity
+1 for being psychic :)
Powertieke
A: 

You need to escape your quotes.

If your DB is MySQL, pass all your data through the mysql_real_escape_string() function before saving them to the DB.

If you don't do this, you risk major security holes in your code, not just data going missing!

(In case you aren't doing it already, you should also be escaping other data for other purposes as well; e.g. data being sent back to the browser should be escaped to prevent rogue users adding raw HTML or JavaScript code to it to manipulate your site.)

There are a number of functions in PHP to deal with adding and removing escape characters and data filtering. If you want your site to be secure, you need to learn these functions and techniques.

[edit]

After seeing your edit:

Firstly, you need to escape all the strings in your query, not just the description, so add escaping to $_POST['logoimage1'], etc, as you'll have the same problems if any of those contain quotes.

However the escaping on the description field looks correct so I don't know why it would be truncated. The man page for mysql_real_escape_string() states that it escapes double and single quotes, so it should be okay for you. You can test this by print()ing the fully escaped SQL string; this will show if there's anything left unescaped.

Shot in the dark - have you checked the maximum length of your description field in the database? That could also cause string truncation... unlikely, though; I imagine if you're inputting with a textarea you'll have set it up to be long enough.

Spudley
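The two checks this answer recommends, as an added example that is not code from the question or from any answer: every interpolated value is escaped (not only the description), and the fully escaped SQL string is printed so that anything left unescaped is visible. Because mysql_real_escape_string() needs a live MySQL connection (and no longer exists in PHP 7+), the block uses a labelled stand-in, demo_escape(), that applies the documented character list quoted above; in real code you would pass 'mysql_real_escape_string' or [$mysqli, 'real_escape_string'] as the $escape callable instead. The second function goes beyond the answer: with mysqli prepared statements, values never become part of the SQL text, so there is nothing to escape. The column and $_POST names come from the question; $products_id = 42 and the logo file names are constructed.

```php
<?php
// Added example (not from the question or any answer): build the INSERT from the
// question with every interpolated value escaped, then print the final SQL so
// you can see that the double quote survives as \" and the statement stays intact.

// Stand-in for mysql_real_escape_string() so this runs without a MySQL connection.
// It applies the documented character list (\x00, \n, \r, \, ', ", \x1a) for a
// single-byte charset only. Use the real, connection-aware function in production.
function demo_escape(string $s): string {
    return strtr($s, [
        "\x00" => '\\0', "\n" => '\\n', "\r" => '\\r', "\\" => '\\\\',
        "'"    => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

// Build the INSERT, running every string value through $escape.
// Pass 'mysql_real_escape_string' (PHP 5) or [$mysqli, 'real_escape_string'] here.
function build_insert(int $products_id, array $post, callable $escape): string {
    $cols = ['products_logo_name1', 'products_logo_name2', 'products_logo_name3', 'products_description'];
    $keys = ['logoimage1', 'logoimage2', 'logoimage3', 'description'];
    $values = ["'" . $products_id . "'", "'banner_" . $products_id . "'"];
    foreach ($keys as $k) {
        $values[] = "'" . $escape($post[$k] ?? '') . "'";
    }
    return 'insert into products_description (products_id, products_name, ' . implode(', ', $cols) . ')'
         . ' values (' . implode(', ', $values) . ')';
}

// Beyond the answer's mysql_* approach: with mysqli prepared statements there is
// nothing to escape, because the values are sent separately from the SQL text.
function insert_prepared(mysqli $db, int $products_id, array $post): bool {
    $stmt = $db->prepare('insert into products_description (products_id, products_name, '
        . 'products_logo_name1, products_logo_name2, products_logo_name3, products_description) '
        . 'values (?, ?, ?, ?, ?, ?)');
    $name = 'banner_' . $products_id;
    $stmt->bind_param('isssss', $products_id, $name,
        $post['logoimage1'], $post['logoimage2'], $post['logoimage3'], $post['description']);
    return $stmt->execute();
}

// Constructed input mirroring the question, with a quote in a logo name as well
// to show why the logo fields need escaping too.
$post = [
    'logoimage1'  => "o'reilly.png",
    'logoimage2'  => 'logo2.png',
    'logoimage3'  => 'logo3.png',
    'description' => "Don't worry too much about layout/design/text size, we will often \"spice up\" (i.e. bold, italic, spacing) your banner for a better overall look.",
];

// Spudley's print() test: inspect the complete SQL before it is sent anywhere.
echo build_insert(42, $post, 'demo_escape'), PHP_EOL;
```

In the printed statement the single quote in the logo name appears as \' and the double quotes in the description as \", so the string literal is closed only by the final quote; a query built this way cannot lose the second half of the description, which is why the answer suspects a display or column-length problem rather than escaping.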
A: 

As per @Col Shrapnel's scoldings :-)

Thanks again for making me scold myself... sometimes it's necessary.

I echoed $_POST['description'] and this displayed as

Don't worry too much about layout/design/text size, we will often

and when I used

htmlspecialchars(stripslashes($_POST['description']))

It gave me the complete string

"Don't worry too much about layout/design/text size, we will often "spice up" (i.e. bold, italic, spacing) your banner for a better overall look.

> MORAL OF POST: DON'T GET OVERCONFIDENT ON SPAGHETTI CODE

OM The Eternity
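What the accepted fix, htmlspecialchars(stripslashes(...)), actually repairs, as an added example that is not code from the question or from any answer: a value echoed unescaped into an HTML attribute is cut off by a browser at the first double quote, which is exactly where the "truncation" in the question occurs, while the database row may be complete. The block renders the question's string into an <input value="..."> both ways and parses the result with DOMDocument to show the attribute a browser would see. strip_magic_quotes() is a hypothetical helper added here that only calls stripslashes() when the legacy magic_quotes_gpc setting is on (PHP < 5.4); the input string is the one from the question.

```php
<?php
// Added example (not from the question or any answer): why a string can look
// "truncated at the first double quote" even though the database holds all of it.
// The page's own fix, htmlspecialchars(stripslashes(...)), is reproduced and
// checked by parsing the rendered HTML the way a browser would.

// Undo magic_quotes_gpc only where that legacy setting exists (PHP < 5.4).
// On PHP 8 get_magic_quotes_gpc() is gone, so the string is returned unchanged.
function strip_magic_quotes(string $s): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($s);
    }
    return $s;
}

// Render the value into an <input value="..."> unescaped (as in the bug) or escaped.
function render_input(string $value, bool $escaped): string {
    $v = $escaped ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value;
    return '<input type="text" name="description" value="' . $v . '">';
}

// Parse the markup and return the value attribute a browser would actually see.
function value_seen_by_browser(string $html): string {
    libxml_use_internal_errors(true);  // the unescaped variant is malformed on purpose
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('value') : '';
}

// Constructed input: the question's string as PHP receives it from the form.
$description = strip_magic_quotes(
    "Don't worry too much about layout/design/text size, we will often \"spice up\" "
    . "(i.e. bold, italic, spacing) your banner for a better overall look."
);

foreach ([false, true] as $escaped) {
    $html = render_input($description, $escaped);
    echo ($escaped ? 'escaped:   ' : 'unescaped: '), value_seen_by_browser($html), PHP_EOL;
}
// The unescaped rendering stops at "we will often " because the next double quote
// closes the attribute; the escaped one carries the whole string. A <textarea>
// body has no attribute quoting, but it still needs htmlspecialchars() so that a
// "</textarea>" or other tags typed by a user cannot break out of it.
```

The same rule covers the SQL side of the thread: escape for the context the data is entering (mysql_real_escape_string() or a prepared statement for the query, htmlspecialchars() for the page), and never for both at once, which is what the original stripslashes() call was undoing.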