
I am taking an XML to load into a database, but the feed comes fully loaded with apostrophes! What would be the best way to capture these as they are making the whole system go whoopy and not input as intended?

For example, instead of Wolverhampton, I am given W'Hampton, which then goes into the table as W, nightmare!

I have spent quite some time trying to work this out, look on Google and on here with no luck so anyone who can help me really is the best!

  • Could you show what you are using to extract the XML (assuming you are doing that) and what your code looks like to build your query. – BA_Webimax Mar 23 '15 at 16:16
  • 1
    Are you escaping your query? Can you post your code? – Mathew Tinsley Mar 23 '15 at 16:16
  • 1
    I'm afraid I can't, the XML feeds in AJAX and the query is built there too, and also for security I cannot share the code. Aplogies –  Mar 23 '15 at 16:17
  • Luckily you've found out that the code does not work as intended. That means you've overlooked something. Embrace the mistake you've made and take it as an opportunity to learn about SQL-injection - because what you face is SQL-injection. – hakre Mar 23 '15 at 19:22
  • 1
    Well, yes, "for security reasons" you can't excerpt the code. Dream on. The security issue you have is the code, and hiding it will make it worse. Instead create a new example from scratch that demonstrates your issue exemplary with as little code and data as necessary. – hakre Mar 23 '15 at 19:23

1 Answer


Edit

As commented below, it would be more secure to use mysqli_real_escape_string() to escape the string.

Use addslashes() and stripslashes().

These functions are described in the PHP Manual here: http://php.net/manual/en/function.addslashes.php
http://php.net/manual/en/function.stripslashes.php

Michiel Pater
  • `addslashes()` escapes everything in a string using backslashes while `stripslashes()` returns the initial string from an escaped one. – Michiel Pater Mar 23 '15 at 16:22
  • I certainly will, it's just saying I have to wait a minute first :) –  Mar 23 '15 at 16:26
  • Using `addslashes()` to escape values for SQL is dangerous. Use the database specific escaping method (`mysqli_real_escape_string()`) or even better prepared statements. There is no need for `stripslashes()` at all. If done right the database will return the original value on read. – ThW Mar 23 '15 at 17:30
  • Yes this is the ***wrong*** answer. The question speaks worlds about not understanding what is important and an "answer" should outline this. But then it would be more of a comment and not an answer. – hakre Mar 23 '15 at 19:21
  • As commented, you can't escape from creating a comment here. Not an answer. Better is to remove it (really). – hakre Mar 23 '15 at 19:24
  • @hakre I cannot remove my answer, because it has been accepted. – Michiel Pater Mar 23 '15 at 19:26
  • You can flag it for moderator attention saying you want to remove it (if you really want your own, I don't want you to feel pressed, just saying how it *could* work). Something you can do on your own is for example just link to the SQL injection reference question. From the OP it's not clear whether or not this is about mysql (nor anything else). Next to that the question even speaks like this would be a problem with XML, but it's just about doing correct database interaction. That's not your problem, it's just the context your answer is in. For the bigger picture. – hakre Mar 23 '15 at 19:29
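The question and the comments under the answer are really about the same thing: a value such as `W'Hampton` pasted straight into SQL text terminates the string literal early, so the statement breaks (and, as the commenters note, an attacker-controlled value can change its meaning). The fix the comments recommend is parameterised queries, which send the data separately from the SQL and need no `stripslashes()` on the way out. The following is an added example, not code from the question or the answer; it uses Python's standard `sqlite3` and `xml.etree` modules rather than PHP/mysqli so it runs offline, but the pattern is the one mysqli prepared statements (`prepare()` plus `bind_param()`) give you. The feed XML, table name and column names are constructed for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample feed. The apostrophes are the whole point of the question;
# the XML parser hands them back as plain characters, nothing is pre-escaped.
FEED_XML = """<?xml version="1.0"?>
<clubs>
  <club><name>W'Hampton</name><town>Wolverhampton</town></club>
  <club><name>O'Neill's XI</name><town>Example Town</town></club>
</clubs>"""


def parse_feed(xml_text):
    """Return a list of (name, town) tuples from the feed.

    Do not run addslashes()-style escaping here: escaping belongs to the
    database layer, and with parameterised queries it is not needed at all."""
    root = ET.fromstring(xml_text)
    return [(c.findtext("name"), c.findtext("town")) for c in root.findall("club")]


def fresh_db():
    """In-memory database with a constructed 'clubs' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clubs (name TEXT NOT NULL, town TEXT NOT NULL)")
    return conn


def insert_by_concatenation(conn, name, town):
    """The pattern behind the question: the value is pasted into the SQL text.

    An apostrophe inside the data closes the string literal early, so the
    statement is malformed; the database raises an error instead of storing
    a truncated value, but either way the data never arrives intact."""
    sql = "INSERT INTO clubs (name, town) VALUES ('" + name + "', '" + town + "')"
    conn.execute(sql)


def insert_parameterised(conn, name, town):
    """Hardened form: placeholders in the SQL, values passed separately.

    The driver never splices the value into the statement text, so an
    apostrophe is just data and is returned unchanged on read."""
    conn.execute("INSERT INTO clubs (name, town) VALUES (?, ?)", (name, town))


def load_feed(conn, xml_text):
    """Parse the feed and bulk-insert it with the parameterised statement."""
    rows = parse_feed(xml_text)
    conn.executemany("INSERT INTO clubs (name, town) VALUES (?, ?)", rows)
    conn.commit()
    return len(rows)


def read_names(conn):
    """Names come back exactly as stored; no stripslashes() step is needed."""
    return [r[0] for r in conn.execute("SELECT name FROM clubs ORDER BY rowid")]


def demo():
    """Reproduce the failure from the question, then store the same value safely.

    Returns (concatenation_failed, names_stored_by_parameterised_insert)."""
    conn = fresh_db()
    try:
        insert_by_concatenation(conn, "W'Hampton", "Wolverhampton")
        concat_failed = False
    except sqlite3.OperationalError:
        concat_failed = True
    insert_parameterised(conn, "W'Hampton", "Wolverhampton")
    return concat_failed, read_names(conn)


if __name__ == "__main__":
    failed, names = demo()
    print("concatenated insert failed:", failed)   # True
    print("stored via placeholders:", names)       # ["W'Hampton"]
    db = fresh_db()
    print("feed rows loaded:", load_feed(db, FEED_XML), read_names(db))
```

The same separation applies in PHP: build the statement once with a `?` placeholder, bind the value from the feed, and read it back without any `stripslashes()`; `mysqli_real_escape_string()` is the fallback only where a prepared statement cannot be used.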