
I am passing this via POST:

SELECT * FROM tbltesting WHERE (upper(title) LIKE '%2006%') OR (upper(category) LIKE '%2006%')

But when I echo it after being passed, it looks like this:

query: SELECT * FROM tbltesting WHERE (upper(title) LIKE \'%2006%\') OR (upper(category) LIKE \'%2006%\')

Obviously this doesn't work because of the extra slashes. How do I prevent this from happening?

2007-08-06 09:09:49 · 6 answers · asked by brisbane15 2 in Computers & Internet Programming & Design

Not sure what 'pot' is that you're referring to. I need to pass this via POST, and I know there is a way to manipulate the string so it won't auto escape certain variables...but I can't think what it is.

2007-08-06 09:22:41 · update #1

EWANG - do not have access to modify server settings

AnalProgrammer - Not using the URL to pass variable, plus, it would strip out % initially, which I need in the end

Sonny - Not sure what you are getting at, the issue is that the slashes are inserted after the pass, thus making the query unusable. I want it to pass and be identical to the original value.

2007-08-06 09:35:36 · update #2

6 answers

Quick answer is stripslashes(), but, as said you should pass the variables through your urlquery not the whole mysql query through the url.

Reason you don't want to do this is all someone has to do is change the string to
SELECT * FROM tbltesting WHERE (upper(title) LIKE '%2006%') OR (upper(category) LIKE '%2006%'; DELETE FROM tbltesting; as the url query

2007-08-06 10:11:09 · answer #1 · answered by Big D 4 · 0 0
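The approach answer #1 recommends, sketched as an added example that is not part of the original answer: the client posts only the search term and the server builds the query with bound parameters. The POST field name `term`, the helper function names, and the in-memory SQLite database (standing in for the real one, with constructed rows) are assumptions.

```php
<?php
// Added example. Assumptions: POST field "term", PDO available,
// in-memory SQLite with constructed rows standing in for the real database.

function read_post_term(array $post, $field)
{
    $value = isset($post[$field]) ? (string) $post[$field] : '';
    // Undo magic_quotes_gpc only where the feature exists and is enabled
    // (the setting was removed in PHP 5.4, the function in PHP 8.0).
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

function like_pattern($term)
{
    // Escape LIKE wildcards in the user's term; the surrounding % signs
    // are added on the server, so they never travel in the request.
    $escaped = str_replace(array('!', '%', '_'), array('!!', '!%', '!_'), $term);
    return '%' . strtoupper($escaped) . '%';
}

function search_testing(PDO $db, $term)
{
    // The SQL text is fixed; user input reaches it only as bound values.
    $sql = "SELECT * FROM tbltesting
            WHERE (upper(title) LIKE :t1 ESCAPE '!')
               OR (upper(category) LIKE :t2 ESCAPE '!')";
    $stmt = $db->prepare($sql);
    $pattern = like_pattern($term);
    $stmt->execute(array(':t1' => $pattern, ':t2' => $pattern));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tbltesting (title TEXT, category TEXT)");
$db->exec("INSERT INTO tbltesting VALUES ('Report 2006', 'finance'), ('Notes', 'misc')");

// A normal term, then the altered string from the answer above sent as the term.
$inputs = array('2006', "2006%'; DELETE FROM tbltesting; --");
foreach ($inputs as $raw) {
    $rows = search_testing($db, read_post_term(array('term' => $raw), 'term'));
    echo count($rows), " match(es) for: ", $raw, "\n";
}
echo "rows still in table: ", $db->query("SELECT COUNT(*) FROM tbltesting")->fetchColumn(), "\n";
```

Because the term is bound as a value, quotes in it need no escaping at all, so the slashes added by magic quotes are simply stripped once on input and never reach the SQL text.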

try adding this to the top of your file:


this should turn off magic_quotes_gpc without access to php.ini (I'm not sure if it works in all versions of php)

edit: on second thought I'm pretty sure ini_set won't work for magic_quotes. You'll need to disable magic_quotes through a .htaccess file

the following line should do it:
php_value magic_quotes_gpc 0

if the .htaccess file is in the site root directory that should disable magic_quotes for the entire site

2007-08-06 09:50:59 · answer #2 · answered by Renegade 2 · 1 0

You are better off passing the variables through pot, and then creating the string on receiving them. Post and get are much better used to pass smaller variables.

2007-08-06 09:18:16 · answer #3 · answered by Anonymous · 2 0

try this:
SELECT * FROM `tbltesting` WHERE (UPPER(`title`) LIKE '%2006%') OR (UPPER(`category`) LIKE '%2006%')

But I think the problem isn't syntax; it's from another line of your code.

2007-08-06 09:26:42 · answer #4 · answered by Sonny 1 · 1 1

Turn off the magic quote settings in php.ini, and then restart web server.

magic_quotes_gpc = Off

2007-08-06 09:24:43 · answer #5 · answered by EWANG 2 · 1 1

Try the urlencode and urldecode functions.
Details below.

2007-08-06 09:25:24 · answer #6 · answered by AnalProgrammer 7 · 2 0

fedest.com, questions and answers