Bug #3088 addslashes doesn't work properly
Submitted: 2000-01-03 09:54 UTC Modified: 2000-03-15 02:12 UTC
From: guus at madocke dot nl Assigned:
Status: Closed Package: MSSQL related
PHP Version: 3.0.11 OS: Win NT 4
Private report: No CVE-ID: None
 [2000-01-03 09:54 UTC] guus at madocke dot nl
I am using a script for a discussion group (Phorum). I translated this script for use with MS SQL server. Everything works fine, except that when you use a single quote, you get an error message like:

Warning: MS SQL message: Line 1: Incorrect syntax near 'mdsjbf'. (severity 15) in D:\www.bestemming2005.mad\KPNrvbProgram\ui\forum\post.php3 on line 54

Warning: MS SQL message: Unclosed quote before the character string ', 1)'. (severity 15) in D:\www.bestemming2005.mad\KPNrvbProgram\ui\forum\post.php3 on line 54

Warning: MS SQL: Query failed in D:\www.bestemming2005.mad\KPNrvbProgram\ui\forum\post.php3 on line 54
- insert Into Algemeen (id, name, email, datestamp, topic, body, host, thread) values (7, 'Guus', 'guus@madocke.nl', '2000-01-03 15:42:53', 'RE: Test 4', 'dsfsdfs\'mdsjbf', ' ', 1)

The problem is obvious in the last line 'dsfsdfs\'mdsjbf', where \' is still seen as a '. When the script is run on Linux / MySQL the problem doesn't exist.

    /* escape the user-supplied fields unless magic_quotes already did it */
    if($MagicQuotes!=1){
        $name = addslashes($name);
        $email = addslashes($email);
        $topic = addslashes($topic);
        $body = addslashes($body);
    }

    $date = date("Y-m-d H:i:s");
    $host = getenv('REMOTE_HOST');
    /* $host = @GetHostByAddr($host); */
    $host = " ";
    /* HTML-escape the fields for later display */
    $name = htmlspecialchars($name);
    $email = htmlspecialchars($email);
    $topic = htmlspecialchars($topic);
    $body = htmlspecialchars($body);

    if($UseCookies==1){
        if((!IsSet($$cNameVar)) || ($$cNameVar != $name)) {
            SetCookie("$cNameVar",$name,time()+ 31536000);
        }
        if((!IsSet($$cEmailVar)) || ($$cEmailVar != $email)) {
            SetCookie("$cEmailVar",$email,time()+ 31536000);
        }
    }

    /* increment the id counter */
    $idresult = mssql_query("select max(id) as maxid from $sTable");
    $id = mssql_result($idresult,0,'maxid');
    $id++;

    /* build the insert by string concatenation; the escaped fields go straight into the literals */
    $sSQL = "insert Into $sTable (id, name, email, datestamp, topic, body, host, thread) values ($id, '$name', '$email', '$date', '$topic', '$body', '$host', $thread)";

Because the dos-and-donts file could not be found on your server, I hope I provided you with all the right information. If not, please feel free to ask for all the info you need.

Kind regards and a happy new year!
Guus Sprokkereef

 [2000-03-15 02:12 UTC] fmk at cvs dot php dot net
The MS SQL server does not use \ as escape char for '. You have to use '' if you want to insert a ' in the database.

You could try $data = str_replace("'", "''", $data);

- Frank
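The following is an added example, not code from the bug report, from Phorum or from PHP itself. It ports addslashes() to Python, applies Frank's quote-doubling fix, and runs both results through a toy scanner for T-SQL single-quoted literals (backslash is an ordinary character there, and '' is the only escape). The table name Algemeen and the input dsfsdfs'mdsjbf come from the report; the second input, a constructed injection attempt, shows the security side of the same bug: because \' does not close anything on MS SQL Server, addslashes() leaves the quote live and the rest of the input is parsed as SQL. The helper names (scan_tsql, tsql_quote, insert_with_*) are the example's own.

```python
"""Why addslashes() is the wrong escape for MS SQL Server (added example)."""


def addslashes(s: str) -> str:
    """Port of PHP's addslashes(): prefix ', ", \\ and NUL with a backslash."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def tsql_quote(s: str) -> str:
    """Build a T-SQL literal: inside '...' the only escape is a doubled quote."""
    return "'" + s.replace("'", "''") + "'"


def scan_tsql(sql: str) -> dict:
    """Toy scanner that splits a statement the way the server sees quotes.
    Backslash is not special. Returns a dict with:
      literals - decoded '...' literals in order
      outside  - text outside literals and comments, i.e. live SQL
      comment  - text after a '--' line comment, or None
      unclosed - text after a quote that was never closed, or None
    """
    literals, outside = [], []
    comment = unclosed = None
    i, n = 0, len(sql)
    while i < n:
        if sql[i] == "'":
            buf = []
            i += 1
            while True:
                if i >= n:  # ran off the end inside a literal
                    unclosed = "".join(buf)
                    return dict(literals=literals, outside="".join(outside),
                                comment=comment, unclosed=unclosed)
                if sql[i] == "'":
                    if sql.startswith("''", i):  # '' is one quote, stay inside
                        buf.append("'")
                        i += 2
                        continue
                    i += 1  # closing quote
                    break
                buf.append(sql[i])
                i += 1
            literals.append("".join(buf))
        elif sql.startswith("--", i):  # rest of the line is a comment
            comment = sql[i + 2:]
            break
        else:
            outside.append(sql[i])
            i += 1
    return dict(literals=literals, outside="".join(outside),
                comment=comment, unclosed=unclosed)


def insert_with_addslashes(body: str) -> str:
    """What the reported Phorum port does: addslashes(), then concatenate."""
    return "insert into Algemeen (body) values ('%s')" % addslashes(body)


def insert_with_doubled_quotes(body: str) -> str:
    """Frank's fix: double the quote instead of backslashing it."""
    return "insert into Algemeen (body) values (%s)" % tsql_quote(body)


if __name__ == "__main__":
    inputs = (
        "dsfsdfs'mdsjbf",                # the reporter's input
        "x'; delete from Algemeen --",   # constructed injection attempt
    )
    for body in inputs:
        for build in (insert_with_addslashes, insert_with_doubled_quotes):
            sql = build(body)
            print(sql)
            print("    ->", scan_tsql(sql))
```

For the reporter's input the addslashes() version yields the literal dsfsdfs\ followed by the stray token mdsjbf and an unclosed quote, which is exactly the pair of errors in the report. For the injection input the same version leaves "delete from Algemeen" outside any literal, with the closing quote swallowed by the -- comment, so the statement is syntactically valid and runs; the doubled-quote version keeps the whole input inside one literal in both cases. Where the driver supports it, binding parameters is preferable to any string escaping.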
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Dec 07 09:03:35 2021 UTC