Participant
February 26, 2013
Question

Double Backslashes all of a sudden.


Magic Quotes disabled and PHP version 5.2.17. Using CS5 to help build PHP queries. I spoke to the hosting company today and they say nothing has changed at their end.

I have a very frustrating problem that I have tried to solve all day but cannot.

I have a site where, all of a sudden, 3 of the forms are entering backslashes into the database and I cannot find out why. I understand that quotes are escaped with a single backslash, but when I output the $updateSQL query I can see in ‘source view’, for example, the following:

UPDATE home_r  SET home_r_details='style=\\\"text-align: center;\\\"><img src=\\\"../../image_home/toms.jpg\\\" alt=\\\"\\\" width=\\\"116\\\" height=\\\"116\\\" />

I have also tried this locally by downloading the entire DB and running queries and they are all giving me the same problem as the live site. I have tried rebuilding some of the DB tables in case they are corrupt but again no luck. This form is just populated by a simple query and has no ‘Post’ values passed to it. The main update query I’m using is the CS5 PHP version here:

 if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }
   $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
   switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);} 
if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
  $updateSQL = sprintf("UPDATE home_r  SET home_r_details=%s WHERE id=%s",
                       GetSQLValueString($_POST['home_right_details'], "text"),
                       GetSQLValueString($_POST['id'], "int"));
  mysql_select_db($database_+++++, $+++);
  $Result1 = mysql_query($updateSQL, $+++++) or die(mysql_error());
  
Now what makes this more frustrating is that I have a similar form that is working perfectly; however, this one does use a Post value. I can’t see how that might be an issue, but I thought I’d point this out here.
 
$colname_Getblogupdate = "1";
if (isset($_GET['id'])) {
  $colname_Getblogupdate = (get_magic_quotes_gpc()) ? $_GET['id'] : addslashes($_GET['id']);
}
mysql_select_db($database_++++++, $+++++);
$query_Getblogupdate = sprintf("SELECT * FROM blog WHERE id = %s", $colname_Getblogupdate);
$Getblogupdate = mysql_query($query_Getblogupdate, $+++++) or die(mysql_error());
$row_Getblogupdate = mysql_fetch_assoc($Getblogupdate);
$totalRows_Getblogupdate = mysql_num_rows($Getblogupdate);

So I’m really stumped by this and have run out of things to try. With security at the forefront I’m not taking chances, so any help would be appreciated. I can’t see if there have been any major updates, but possibly there have, so if anyone can suggest what might be causing this I’d be most grateful. All these forms and queries are under a login and are just for a client to administer things.

Many thanks


Participating Frequently
February 27, 2013

Can you examine the contents of

$_POST['home_right_details']

to see if it's coming that way from the form, or being added by the php script?

Participant
February 27, 2013

Thanks for the reply.

When I insert "john" into the text area I get the following:

$_POST['home_right_details']; returns \"john\"

$updateSQL returns UPDATE home_right SET home_right_details='\\\"john\\\"' WHERE id=1

This code is completely generated by CS5 and I have made no customizations, and this is why it's so strange.

Thanks

Participant
February 27, 2013

I have just discovered something that fixed this issue, albeit not satisfactorily.

I have these forms on a Cartweaver website and they have been there since 2009, working away up until recently. The forms are under the CW3 folder, so the path to these forms is CW3/admin/myforms.php. I tried removing one of these forms to under the root folder and it worked and didn't add any extra backslashes. I have no idea why, though, and think it might be to do with the php.ini file that I read about over the last few days. What is your opinion on why this has stopped working in a folder that's not in the root, and is there anything I can do? I was using the login security of CW for these forms (as well as the CW page layouts) and would hate to have to redo them all with a separate login.

At least the code is fine by the looks of things, but it's odd that the ones that come from a 'Post' array work whereas a simple UPDATE form doesn't.

Maybe there have been changes to PHP on the server that I don't know about but I have about 60 sites and hope this is not going to happen to them all!

Thanks
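
The double escaping reported in this thread, reproduced as an added example (not code from any poster, Dreamweaver or Cartweaver). Assumptions: `upstream_escape()` is a hypothetical stand-in for whatever escaped the request before the form script ran, which the thread does not identify, and `addslashes()` replaces `mysql_real_escape_string()`, which no longer exists in PHP 7+ and yields the same bytes for this input.

```php
<?php
// Constructed sample: the value typed into the textarea in the thread.
$typed = '"john"';

// Hypothetical stand-in for the unidentified layer that escapes the request
// before the form script sees it.
function upstream_escape(string $raw): string {
    return addslashes($raw);
}

// The "text" branch of GetSQLValueString() from the post. The magic-quotes
// state is passed in instead of being read from get_magic_quotes_gpc().
function sql_text_value(string $value, bool $magicQuotesReported): string {
    if ($magicQuotesReported) {
        $value = stripslashes($value);   // undo one layer of escaping
    }
    $value = addslashes($value);         // stand-in for mysql_real_escape_string()
    return ($value != "") ? "'" . $value . "'" : "NULL";
}

// Diagnostic: true when the value contains a backslash-escaped quote or
// backslash, i.e. it looks as if it has already been through an escaper.
function looks_pre_escaped(string $value): bool {
    return preg_match('/\\\\[\'"\\\\]/', $value) === 1;
}

$posted = upstream_escape($typed);       // what the script receives in $_POST

foreach ([false, true] as $reported) {
    // Same request data, with get_magic_quotes_gpc() reporting off, then on.
    $sql = sprintf(
        "UPDATE home_right SET home_right_details=%s WHERE id=%d",
        sql_text_value($posted, $reported),
        1
    );
    printf("magic quotes reported %s: %s\n", $reported ? "on" : "off", $sql);
}

printf("typed value pre-escaped?  %s\n", looks_pre_escaped($typed) ? "yes" : "no");
printf("posted value pre-escaped? %s\n", looks_pre_escaped($posted) ? "yes" : "no");
```

A "yes" from `looks_pre_escaped()` on a value that was typed without backslashes means some layer ahead of the form script is escaping the request, so that layer is the place to look, not `GetSQLValueString()`.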