php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #222 Problem with sybase style magic quotes and forming strings from posted fields.
Submitted: 1998-03-31 14:03 UTC Modified: 1998-04-01 00:13 UTC
From: curtis at lilly dot com Assigned: Zeev (profile)
Status: Closed Package: Parser error
PHP Version: 3.0 Release Candidate 2 OS: Linux
Private report: No CVE-ID: None
 [1998-03-31 14:03 UTC] curtis at lilly dot com
$query = "INSERT INTO table1 (name, comment, age) VALUES ('$name', '$comment', $age)";

When building the above SQL statement with magic quotes turned on and set to sybase style
the fellowing happens.

If $comment contains a double quote or a back slash the string $query will evaluate to
"INSERT INTO table1 (name, comment, age) VALUES ('$name', '$comment'"
Otherwise it will evaluate to the expected
"INSERT INTO table1 (name, comment, age) VALUES ('$name', '$comment', $age)"

for example if the values posted from the web are as follows.
$name = "jo bob"
$comment = "My favorite quote "work is fun" is not representative of how I feel today"
$age = "33"

The resulting string $query will be
"INSERT INTO table1 (name, comment, age) VALUES ('jo bob', 'My favorite quote "work is fun" is not representative of how I feel today"
But it should be
"INSERT INTO table1 (name, comment, age) VALUES ('jo bob', 'My favorite quote "work is fun" is not representative of how I feel today', 33"


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [1998-04-01 00:13 UTC] rasmus
Fixed by Zeev
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC