is compatible Fix_Quotes() with $db->sql_insert ?
greenday2k
Forum Admin


Joined: Aug 11, 2005
Posts: 484
Location: CO

Post subject: is compatible Fix_Quotes() with $db->sql_insert ?
Posted: Fri Jul 17, 2009 1:55 am

I'm using:

$db->sql_insert($prefix.'_tablename', $array_insert);

to insert new values into the database. But I'm having issues
when I "prepare" a string which is BBcode & HTML with Fix_Quotes();

For example:

Input Value:

Code:
html<b>bold</b>

<br /> break line <hr />



BBcode [b]code[/b]


[hr]


<hr />


end;


PHP:

// Get the var, fix quotes
$array_insert['html_bbcode_textfield'] = Fix_Quotes($_POST['html_bbcode_textfield']);

$array_insert['another_field'] = intval($_POST['int']);

$db->sql_insert($prefix.'_tablename', $array_insert);

Now when I try to output the file:

PHP:

// run the query, then fetch the single row from the result
$result = $db->sql_query('SELECT myhtmlbbcodefield FROM '.$prefix."_table WHERE id='aNumber'");
$row = $db->sql_fetchrow($result);

echo decode_bb_all($row['myhtmlbbcodefield'], 1, true);

and my output appears full of "\r\n" (for the line breaks)

Code:
html<b>bold</b>\r\n<br /> break line <hr />\r\n\r\nBB <span style="font-weight: bold">code</span>\r\n\r\n\r\n<hr />\r\n\r\n\r\n<hr />\r\n\r\nend;

Even using an extra nl2br() doesn't solve the problem.

BUT, when I insert the same var using the "classic" method:
PHP:

// Fix_Quotes() returns the escaped string; keep the result
$myhtmlbbcodefield = Fix_Quotes($myhtmlbbcodefield);
$db->sql_query("INSERT INTO ".$prefix."_table (myhtmlbbcodefield) VALUES ('".$myhtmlbbcodefield."')");

and use the same output controls:
PHP:

// run the query, then fetch the single row from the result
$result = $db->sql_query('SELECT myhtmlbbcodefield FROM '.$prefix."_table WHERE id='aNumber'");
$row = $db->sql_fetchrow($result);

echo decode_bb_all($row['myhtmlbbcodefield'], 1, true);

The output is correct (normal):
Code:
html<b>bold</b>

<br /> break line <hr />



BBcode <span style="font-weight: bold">code</span>


<hr />


<hr />


end;


Code:
function sql_insert($table, $fields, $bypass_error=false)
	{
		if (is_array($fields) && !empty($fields)) {
			foreach ($fields AS $field => $value) {
				$qfields[] = $field;
				$qvalues[] = "'".$this->escape_string($value)."'";
			}
			return $this->sql_query('INSERT INTO '.$table.' ('.implode(', ', $qfields).') VALUES ('.implode(', ', $qvalues).')', $bypass_error);
		}
		return false;
	}

After researching a little, it seems that
$db->sql_insert (in includes/db/db.php) uses
mysql_escape_string(); and that is where the "incompatibility" starts

(in includes/db/mysql.php)
Code:
function escape_string($str)	  { return (PHPVERS >= 43) ? mysql_real_escape_string($str) : mysql_escape_string($str); }

It seems that mysql_real_escape_string() prepares the data to be inserted into the DB.

Is it safe to use $db->sql_insert without using Fix_Quotes to avoid this issue?


*** tested with:
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off
Linux and Win: Apache 2 / php 5 / MySQl 5
***
Thanks.

_________________
www.greenday2k.net



Phoenix
Site Admin


Joined: Apr 19, 2004
Posts: 8729
Location: Netizen

Post subject: Re: is compatible Fix_Quotes() with $db->sql_insert ?
Posted: Fri Jul 17, 2009 2:07 am

PHP:
decode_bb_all(encode_bbcode($content), 1, true)
Assumes you also have
PHP:
require_once(CORE_PATH.'nbbcode.php');


greenday2k
Forum Admin


Joined: Aug 11, 2005
Posts: 484
Location: CO

Post subject: Re: is compatible Fix_Quotes() with $db->sql_insert ?
Posted: Fri Jul 17, 2009 4:03 pm

Thanks Phoenix. I've tried your suggestion.
But if I use this to manage the input:

PHP:

$array_insert['html_bbcode_textfield'] = Fix_Quotes($_POST['html_bbcode_textfield']);

$array_insert['another_field'] = intval($_POST['int']);

$db->sql_insert($prefix.'_tablename', $array_insert);

and on the output side:
PHP:

decode_bb_all(encode_bbcode($content), 1, true)

I'm still getting the "\r\n\r\n\r".


I've tested the same procedure in
admin/modules/blocks in function BlocksAdd(), where the
$db->sql_insert($prefix.'_tablename', $array_insert);
method is used, but without Fix_Quotes.

I've edited it to pass $insert['content'] through Fix_Quotes($insert['content']) and then the content of new custom/html blocks appears full of line break errors "\r\n\r\n\r".

The problem arises when a var passed through Fix_Quotes is passed through mysql_real_escape_string() / mysql_escape_string() (used in $db->sql_insert & $db->sql_update).

_________________
www.greenday2k.net



NanoCaiordo
Developer


Joined: Jun 29, 2004
Posts: 3677
Location: Melbourne, AU

Post subject: Re: is compatible Fix_Quotes() with $db->sql_insert ?
Posted: Sun Jul 26, 2009 5:01 am

$db->sql_insert uses "$this->escape_string()"

Fix_quotes uses "sql_escape_string"

function sql_escape_string($string) { return $this->escape_string($string); }

By using Fix_Quotes and sql_escape_string, your string is being sanitized twice.

Basically, use sql_insert if you don't require any extra security check, like I do in Blocks.

Use Fix_Quotes on all strings generated from user input.

Hope it helps.

_________________
.:: I met php the 03 December 2003 :: Unforgettable day! ::.

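The double escaping NanoCaiordo describes, and the literal "\r\n" greenday2k saw in the first post, reproduced as an added example (this is not DragonflyCMS code). escape_string() is a pure-PHP stand-in for mysql_real_escape_string() so it runs without a database, Fix_Quotes() is reduced to the sql_escape_string() call the thread mentions, and mysql_unescape() models how the MySQL parser decodes a quoted literal; all three are assumptions made for the demo.

```php
<?php
// Added example, not DragonflyCMS code: a string goes through Fix_Quotes()
// and then $db->sql_insert(), which escapes it a second time.

// Stand-in for mysql_real_escape_string(): same characters, same output.
function escape_string($str)
{
    return strtr($str, array(
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\"',
        "\x1a" => '\Z',
    ));
}

// Stand-in for Fix_Quotes(): per the thread it ends in sql_escape_string(),
// which calls the same escape_string().
function Fix_Quotes($str)
{
    return escape_string($str);
}

// Model of the MySQL parser decoding a single-quoted string literal.
function mysql_unescape($literal)
{
    return strtr($literal, array(
        '\0' => "\0", '\n' => "\n", '\r' => "\r", '\\\\' => "\\",
        "\\'" => "'", '\"' => '"', '\Z' => "\x1a",
    ));
}

// What the table ends up holding after sql_insert()'s own escaping.
function stored_value($value_given_to_sql_insert)
{
    return mysql_unescape(escape_string($value_given_to_sql_insert));
}

$input = "html<b>bold</b>\r\n<br /> break line <hr />";   // constructed sample

// sql_insert() alone: the stored value is identical to the input.
var_dump(stored_value($input) === $input);

// Fix_Quotes() first, then sql_insert(): the backslashes Fix_Quotes added are
// escaped again, so the row holds the two characters "\r" and "\n" as text.
$double = stored_value(Fix_Quotes($input));
var_dump($double === $input);
var_dump(strpos($double, '\r\n') !== false);
```

The second var_dump is the bug from the first post: the column no longer contains line breaks, so nl2br() on output has nothing to convert. Escape exactly once, in the layer that builds the SQL, which is what sql_insert() already does.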
greenday2k
Forum Admin


Joined: Aug 11, 2005
Posts: 484
Location: CO

Post subject: Re: is compatible Fix_Quotes() with $db->sql_insert ?
Posted: Sun Jul 26, 2009 5:23 am

Understood. Thanks nano.
_________________
www.greenday2k.net


