[2000-03-15 02:12 UTC] fmk at cvs dot php dot net
I am using a script for a discussion group (Phorum). I translated this script for use with MS SQL server. Everything works fine, except that when you use a single quote, you get an error message like:

    Warning: MS SQL message: Line 1: Incorrect syntax near 'mdsjbf'. (severity 15) in D:\www.bestemming2005.mad\KPNrvbProgram\ui\forum\post.php3 on line 54
    Warning: MS SQL message: Unclosed quote before the character string ', 1)'. (severity 15) in D:\www.bestemming2005.mad\KPNrvbProgram\ui\forum\post.php3 on line 54
    Warning: MS SQL: Query failed in D:\www.bestemming2005.mad\KPNrvbProgram\ui\forum\post.php3 on line 54 - insert Into Algemeen (id, name, email, datestamp, topic, body, host, thread) values (7, 'Guus', 'guus@madocke.nl', '2000-01-03 15:42:53', 'RE: Test 4', 'dsfsdfs\'mdsjbf', ' ', 1)

The problem is obvious in the last line, 'dsfsdfs\'mdsjbf', where \' is still seen as a '. When the script is run on Linux / MySQL the problem doesn't exist.

    if($MagicQuotes!=1){
      $name = addslashes($name);
      $email = addslashes($email);
      $topic = addslashes($topic);
      $body = addslashes($body);
    }
    $date = date("Y-m-d H:i:s");
    $host = getenv('REMOTE_HOST');
    /* $host = @GetHostByAddr($host); */
    $host = " ";
    $name = htmlspecialchars($name);
    $email = htmlspecialchars($email);
    $topic = htmlspecialchars($topic);
    $body = htmlspecialchars($body);
    if($UseCookies==1){
      if((!IsSet($$cNameVar)) || ($$cNameVar != $name)) {
        SetCookie("$cNameVar",$name,time()+ 31536000);
      }
      if((!IsSet($$cEmailVar)) || ($$cEmailVar != $email)) {
        SetCookie("$cEmailVar",$email,time()+ 31536000);
      }
    }
    /* increment id counter */
    $idresult = mssql_query("select max(id) as maxid from $sTable");
    $id = mssql_result($idresult,0,'maxid');
    $id++;
    $sSQL = "insert Into $sTable (id, name, email, datestamp, topic, body, host, thread) values ($id, '$name', '$email', '$date', '$topic', '$body', '$host', $thread)";

Because the dos-and-donts file could not be found on your server, I hope I provided you with all the right information. If not please feel free to ask for all the info you need.

Kind regards and a happy new year!
Guus Sprokkereef
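
The following is an added example, not part of the original report or of Phorum: it shows why the backslash produced by addslashes() does not escape a quote in a T-SQL string literal, where the only escape for ' is '', and contrasts it with quote doubling. The helper names tsql_quote() and tsql_literals_balanced() are hypothetical, and the input and shortened column list are constructed from the values in the report.

```php
<?php
// Added illustration; function names are hypothetical, input is constructed.

// Escape a value for a T-SQL string literal: a single quote is escaped
// by doubling it. A backslash has no escaping role in T-SQL literals.
function tsql_quote(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// Scan a statement using T-SQL literal rules and report whether every
// string literal is closed by the end of the statement.
function tsql_literals_balanced(string $sql): bool
{
    $inLiteral = false;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        if ($sql[$i] !== "'") {
            continue;
        }
        if ($inLiteral && $i + 1 < $len && $sql[$i + 1] === "'") {
            $i++;            // '' inside a literal is one escaped quote
            continue;
        }
        $inLiteral = !$inLiteral;
    }
    return !$inLiteral;
}

$body = "dsfsdfs'mdsjbf";   // constructed input matching the report

// What the script does: backslash escaping, which MySQL accepts.
$backslashed = "insert Into Algemeen (id, body, thread) values (7, '"
             . addslashes($body) . "', 1)";

// Quote doubling, which SQL Server accepts.
$doubled = "insert Into Algemeen (id, body, thread) values (7, "
         . tsql_quote($body) . ", 1)";

foreach (['addslashes' => $backslashed, 'tsql_quote' => $doubled] as $label => $sql) {
    echo $label, ': ', $sql, "\n";
    echo '  literals closed under T-SQL rules: ';
    var_dump(tsql_literals_balanced($sql));
}
```

Where the database driver supports prepared statements (PDO, for example), binding the values as parameters removes the need to build quoted literals by hand.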