[ale] [OT] .php logic problem

Ronald Chmara ron at Opus1.COM
Thu Aug 7 14:48:11 EDT 2003


On Thursday, August 7, 2003, at 02:02  PM, James P. Kinney III wrote:
> IANAPHPE (I am not a PHP expert).
> It looks to me that you need some logic code to handle the \' issue.
> if character_before(') eq "\" do_nothing else sed s/'/\'/
> Now the character_before function I can do in perl with string 
> counting.
> No clue how to do this in php.

http://www.php.net/manual/en/function.strpos.php

> On Thu, 2003-08-07 at 13:51, ChangingLINKS.com wrote:
>> I have spent a lot of time on a weird php problem.
>> I am trying to make sure that the ' character is always escaped in my
>> database.
>> * I do not have the ability to configure the server.
>> * I do not know or care to know if magic_quotes_gpc is ON
>> * htmlspecchar is not an option
>>
>> I am using a form to update a field in the table.
>> 1. If I use addslashes over and over like this:
>> 		$description = addslashes($description);
>> 		each time I click "update" it adds more and more slashes. (\\\\')

Ayup. Quite amusing, ain't it?

>> 2. If I stripslashes and addslashes like this:
>> 		$description = stripslashes($description);
>> 		$description = addslashes($description);
>> 		this results in ' (no slashes) (why?)

Make sure you read:
http://bugs.php.net/bug.php?id=15711

There is a bit of confusion about how addslashes is supposed to work....

>> 3. If I try getting fancy, I get lost like this:
>> 		$description = stripslashes($description);
>> 	 	$description = ereg_replace("'", "3edc1", $description);
>> 	 	$description = ereg_replace("3edc1", "'", $description);
>> 		$description = addslashes($description);
>> 		this still results in ' (no slashes)

FWIW, ereg and preg are horrid, vile, despicable CPU wasters for 
something this simple. Did I mention they're big, too? :-) It's not 
perl, it's PHP, there are tons of string functions so you can avoid 
regexps....

http://www.php.net/manual/en/function.str-ireplace.php
http://www.php.net/manual/en/function.str-replace.php
http://www.php.net/manual/en/function.strtr.php

Are *all* much faster. I know it doesn't help your problem, I just 
dislike seeing slow code. :-)

>> 4. My goal is to always end up with \' in the database after I update
>> 		How do I do that?

Well, what I generally do is have one "screen" variable, and one db 
variable. Depending on the db, I like to use:
http://www.php.net/manual/en/function.mysql-escape-string.php
http://www.php.net/manual/en/function.pg-escape-string.php
(etc.)

The addslashes function isn't super-bright about db-specific quote and 
character issues, which is why there are separate PHP functions for 
each db. Typically, my code looks like:
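<?php
// Unslashed copy, used for display on screen.
$screendescription = stripslashes("$description");
// Copy escaped with the database's own function, used only in the query.
$dbdescription = pg_escape_string("$screendescription");
// etc...
?>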

A totally odd side thought:
Perhaps your db viewing method is stripping out the "\'", so the insert 
*is* slashing, but you're not aware of it? Or PHP is slashing, but 
evaluating to screen (via echo) in unexpected ways (see above bug)....

Or am I misreading, and you're *not* trying to store "O'brien" in the 
database, but "O\'brien", in which case you want to be inserting 
"O\\\'brien"?

-Bop
Ronald Chmara
Ronin Professional Consulting LLC
520-326-6109
"I  can see you're really upset about this.  I honestly think you ought 
to sit down calmly, take a stress pill and think things over." --Hal.
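
The approach described in this message (keep one unescaped copy, escape only at the database boundary), as an added example that is not part of the original thread. It generalizes the per-database escape functions to a bound parameter via PDO; the `items` table, the function names and the sample string are constructed, and in-memory SQLite (pdo_sqlite) stands in for the real database.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.

// Constructed sample input: the text the user typed into the form field.
$raw = "O'brien's \"notes\"";

// The symptom from the thread: escaping a value that is already escaped.
// Every pass through addslashes() wraps the previous layer in more backslashes.
function escape_rounds(string $value, int $rounds): string {
    for ($i = 0; $i < $rounds; $i++) {
        $value = addslashes($value);
    }
    return $value;
}

// The alternative: the raw string is the only copy the application keeps,
// and the driver binds it as a parameter, so no escaped form is ever stored.
function store_and_load(PDO $db, string $description): string {
    $insert = $db->prepare('INSERT INTO items (description) VALUES (?)');
    $insert->execute([$description]);
    $id = $db->lastInsertId();

    $select = $db->prepare('SELECT description FROM items WHERE id = ?');
    $select->execute([$id]);
    return (string) $select->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, description TEXT)');

echo "addslashes x1: ", escape_rounds($raw, 1), "\n";
echo "addslashes x3: ", escape_rounds($raw, 3), "\n";

// Simulate three "update" clicks: load the value, write it back unchanged.
$value = $raw;
for ($click = 1; $click <= 3; $click++) {
    $value = store_and_load($db, $value);
    echo "click $click stored: ", $value, "\n";
}

// Compare what came back after three round trips with what was typed.
var_dump($value === $raw);
```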
