Thread: Help with urlencode and rawurlencode

Help with urlencode and rawurlencode

From: "Duncan Adams (DNS)"
Hi all

I have a SQL query that needs to be fed to a PHP page

......host_table.hostname ilike '%omc%' order by......

but when I use urlencode or rawurlencode on it I get the following.

......host_table.hostname ilike \'%omc%\' order by....
                                ^      ^
on the next page.

It needs to be encoded as it is part of a JavaScript operation.

Why is it doing this and how does one get around it?

Thanx

duncan

Re: Help with urlencode and rawurlencode

From: Justin Clift
"Duncan Adams (DNS)" wrote:
<snip>
> ......host_table.hostname ilike \'%omc%\' order by....
> on the next page.

It sounds like you have the PHP variable "magic_quotes_gpc" set On in
your "php.ini" configuration file.  If you turn this off (can't remember
if it's possible with a function) then it will probably fix your
problem.

:-)

Regards and best wishes,

Justin Clift



--
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
   - Indira Gandhi

Re: Help with urlencode and rawurlencode

From: "Duncan Adams (DNS)"
Shot, that did the trick, thanx.

-----Original Message-----
From: Justin Clift [mailto:justin@postgresql.org]
Sent: Monday, October 14, 2002 6:21 PM
To: Duncan Adams (DNS)
Cc: PGSQL
Subject: Re: [PHP] Help with urlencode and rawurlencode


SQL-injection attack? (Re: Help with urlencode and rawurlencode)

From: knut.suebert@web.de
Justin Clift wrote:
> "Duncan Adams (DNS)" wrote:
> <snip>
> > ......host_table.hostname ilike \'%omc%\' order by....
> > on the next page.
>
> It sounds like you have the PHP variable "magic_quotes_gpc" set On in
> your "php.ini" configuration file.  If you turn this off (can't remember
> if it's possible with a function) then it will probably fix your
> problem.

Had the same problem here a few minutes ago. If you don't want to turn
off magic_quotes_gpc globally (for most things it is very useful,
IMHO), try "stripslashes()" for problematic strings.

I'm not sure, but stripping slashes could offer a possibility of
inserting "SQL-injection" attacks. Think about "'; delete from table
xyz; select '" typed into a search field. More complicated queries to
get the table names of a db could be possible. Maybe it helps if
queries containing a ";" are rejected.

Knut Sübert
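An added example (not code from anyone in this thread) that reproduces the three points made above in PHP: the backslashes Duncan sees are what magic_quotes_gpc adds to request data, stripslashes() undoes them, and a stripped value pasted into a query string is exactly the injection Knut describes. The search input and the $db connection handle are assumptions for illustration.

```php
<?php
// What Duncan typed, as it arrives with magic_quotes_gpc=On: PHP has already
// run addslashes() over every GET/POST/COOKIE value before the script sees it.
// (Emulated here with addslashes(); magic_quotes_gpc is gone since PHP 5.4.)
$raw      = "host_table.hostname ilike '%omc%' order by hostname";
$received = addslashes($raw);   // host_table.hostname ilike \'%omc%\' order by hostname

// Justin's diagnosis in code: the backslash is part of the value before
// rawurlencode() ever runs, so it is encoded as %5C and decoded back on the
// next page. urlencode/rawurlencode are not what adds it.
assert(rawurlencode($received) !== rawurlencode($raw));

// Knut's workaround: stripslashes() restores the original text.
assert(stripslashes($received) === $raw);

// The classic idiom was to strip only when PHP really added the slashes;
// get_magic_quotes_gpc() no longer exists on PHP 8, hence the guard.
function undo_magic_quotes($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// The risk: a search-field value (constructed, Knut's example) that the
// backslashes kept harmless becomes live SQL once stripped and concatenated.
$search = addslashes("'; delete from host_table; select '");
$naive  = "select * from host_table where hostname ilike '"
        . stripslashes($search) . "'";
// $naive now reads:
//   select * from host_table where hostname ilike ''; delete from host_table; select ''
assert(substr_count($naive, ';') === 2);   // two statements where one was intended

// Rejecting ';' only blocks this shape; "' or 1=1 --" needs no semicolon.
// The mitigation that does not depend on magic quotes at all is to send the
// value separately from the SQL text, so the server never parses it as SQL.
$sql    = 'select * from host_table where hostname ilike $1 order by hostname';
$params = array('%' . stripslashes($search) . '%');   // ILIKE pattern, still data
// $result = pg_query_params($db, $sql, $params);   // $db: assumed pg_connect() handle
```

The first half runs stand-alone (no database needed); the last line is commented out because it needs a real PostgreSQL connection.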