Bug #3088 addslashes doesn't work properly
Submitted: 2000-01-03 09:54 UTC Modified: 2000-03-15 02:12 UTC
From: guus at madocke dot nl Assigned:
Status: Closed Package: MSSQL related
PHP Version: 3.0.11 OS: Win NT 4
Private report: No CVE-ID: None
 [2000-01-03 09:54 UTC] guus at madocke dot nl
I am using a script for a discussion group (Phorum). I translated this script for use with MS SQL Server. Everything works fine, except that when you use a single quote, you get an error message like:

Warning: MS SQL message: Line 1: Incorrect syntax near 'mdsjbf'. (severity 15) in D:\www.bestemming2005.mad\KPNrvbProgram\ui\forum\post.php3 on line 54

Warning: MS SQL message: Unclosed quote before the character string ', 1)'. (severity 15) in D:\www.bestemming2005.mad\KPNrvbProgram\ui\forum\post.php3 on line 54

Warning: MS SQL: Query failed in D:\www.bestemming2005.mad\KPNrvbProgram\ui\forum\post.php3 on line 54
- insert Into Algemeen (id, name, email, datestamp, topic, body, host, thread) values (7, 'Guus', 'guus@madocke.nl', '2000-01-03 15:42:53', 'RE: Test 4', 'dsfsdfs\'mdsjbf', ' ', 1)

The problem is obvious in the last line 'dsfsdfs\'mdsjbf', where \' is still seen as a '. When the script is run on Linux / MySQL the problem doesn't exist.

		/* escape quotes only when magic_quotes_gpc has not already done it */
		if($MagicQuotes!=1){
			$name = addslashes($name);
			$email = addslashes($email);
			$topic = addslashes($topic);
			$body = addslashes($body);
		}

		$date = date("Y-m-d H:i:s");
		$host = getenv('REMOTE_HOST');
		/* $host = @GetHostByAddr($host); */
		$host = " ";
		$name = htmlspecialchars($name);
		$email = htmlspecialchars($email);
		$topic = htmlspecialchars($topic);
		$body = htmlspecialchars($body);
		
		if($UseCookies==1){
			if((!IsSet($$cNameVar)) || ($$cNameVar != $name)) {
				SetCookie("$cNameVar",$name,time()+ 31536000);
			}
			if((!IsSet($$cEmailVar)) || ($$cEmailVar != $email)) {
				SetCookie("$cEmailVar",$email,time()+ 31536000);
			}
		}
		
		/* increment the id counter */
		$idresult = mssql_query("select max(id) as maxid from $sTable");
		$id = mssql_result($idresult,0,'maxid');
		$id++;
		
		/* the failing statement: the escaped values are interpolated straight into the SQL text */
		$sSQL = "insert Into $sTable (id, name, email, datestamp, topic, body, host, thread) values ($id, '$name', '$email', '$date', '$topic', '$body', '$host', $thread)";

Because the dos-and-don'ts file could not be found on your server, I hope I provided you with all the right information. If not, please feel free to ask for all the info you need.

Kind regards and a happy new year!
Guus Sprokkereef

 [2000-03-15 02:12 UTC] fmk at cvs dot php dot net
The MS SQL server does not use \ as escape char for '. You have to use '' if you want to insert a ' in the database.

you could try $data = str_replace("'", "''", $data);

- Frank
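The rule in Frank's reply, shown as an added example that is not code from the bug report or from Phorum. T-SQL closes a single-quoted literal at the next lone `'` and treats `''` as an escaped quote, so the `\'` that addslashes() emits ends the literal one character early, which is exactly what produced the "Unclosed quote" warning above. The scanner below models only that literal-boundary rule (it is not a T-SQL parser); `mssql_escape_literal()` is the doubling fix, and `insert_post()` shows the bound-parameter route that avoids escaping altogether. The table name, column list, the PDO handle and the sample body are assumptions for illustration; the code uses PHP 7+ type declarations, and the `mssql_*` functions from the report no longer exist in PHP 7 and later.

```php
<?php
// Added example, not part of the original report: why addslashes() breaks
// on MS SQL Server, and two ways to do it right.

/** Escape a value for a T-SQL single-quoted literal: double every '. */
function mssql_escape_literal(string $value): string
{
    return str_replace("'", "''", $value);
}

/**
 * Model of the T-SQL literal-boundary rule only (not a full parser):
 * a lone ' opens or closes a literal, '' inside a literal is an escaped
 * quote, and a backslash is an ordinary character (unlike in MySQL).
 * Returns true when every literal in $sql is closed.
 */
function tsql_literals_balanced(string $sql): bool
{
    $inLiteral = false;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if (!$inLiteral) {
            if ($c === "'") {
                $inLiteral = true;
            }
            continue;
        }
        if ($c === "'") {
            if ($i + 1 < $len && $sql[$i + 1] === "'") {
                $i++;          // '' is an escaped quote, stay inside the literal
                continue;
            }
            $inLiteral = false; // lone ' closes the literal
        }
    }
    return !$inLiteral;
}

/**
 * Preferred: bind the values so they never become part of the SQL text.
 * $pdo is assumed to be a PDO handle on the sqlsrv or dblib driver. The
 * table name is an identifier and cannot be bound, so it must come from
 * the application's own configuration, never from the request.
 */
function insert_post(PDO $pdo, string $table, string $name, string $body, int $thread): void
{
    $stmt = $pdo->prepare("insert into $table (name, body, thread) values (?, ?, ?)");
    $stmt->execute([$name, $body, $thread]);
}

// Constructed input with the same shape as the one in the report.
$body = "dsfsdfs'mdsjbf";

$withAddslashes = "insert into Algemeen (body, thread) values ('"
    . addslashes($body) . "', 1)";
$withDoubling = "insert into Algemeen (body, thread) values ('"
    . mssql_escape_literal($body) . "', 1)";

if (tsql_literals_balanced($withAddslashes)) {
    throw new RuntimeException('expected the addslashes() statement to leave a literal open');
}
if (!tsql_literals_balanced($withDoubling)) {
    throw new RuntimeException('expected the doubled-quote statement to be balanced');
}
echo "addslashes() leaves a T-SQL literal open; doubling the quote does not\n";
```

Two caveats for anyone porting the report's code rather than the reply's one-liner: doubling quotes protects only values that sit inside quotes, and the report's INSERT interpolates `$id` and `$thread` unquoted, so those need an integer cast or a bound parameter regardless of how the strings are escaped. The report also applies htmlspecialchars() after addslashes(), which stores HTML-encoded text in the database; with bound parameters the raw text can be stored and encoded on output instead.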
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 03:01:28 2024 UTC