
FuelPHP Forums

DB::update escaping special characters.
  • Hello, I'm building an interface to write and edit articles on a project I'm currently working on. Of course, I'm filtering the input and encoding special characters. The problem is, I think FuelPHP is encoding all chars going into the database regardless - so my blog titles end up as something along the lines of: \'Hello World\' this is a blog title. What would be the best solution?
  • Was there ever any resolution here? I'm getting some odd behavior here also. I'm using PHP 5.4 with the magic quotes setting off anyway. If I forge() a new model, data goes into the db fine. However, if I then modify a parameter on the model and save() it, all fields that had " in them in the database now get turned into & q u o t ; (sorry for spacing could get it to show up in forum)
  • Didn't actually have the .htaccess setting correct for turning off magic quotes. That fixed my problem.
  • FuelPHP's DB layer doesn't encode anything, so it must be something in your code. Maybe your filtering and encoding? FuelPHP by default doesn't encode on input, to make sure nothing goes into the database altered, but encodes on output.
  • This also happens on servers with magic quotes enabled... (which are deprecated, should be disabled and we don't support them enabled)
  • Sorry, encoding was the wrong term. It is escaping all special characters. "Fuel also encodes the URI to prevent nasty surprises when using URI segments, and escapes everything going into the database." http://docs.fuelphp.com/general/security.html Which is why all my special characters have a \ in front of them.
  • If you really need to turn off the automatic escaping of all characters, you could use DB::query() instead and place your own SQL statement there. BTW, are you escaping your input data before using DB::insert() or DB::update()? If yes, it's unnecessary since FuelPHP does that job when using DB::insert() and DB::update().
  • Nope, I'm not escaping anything prior to that. It is only HTML entities and characters such as ' which get escaped to \'. Does Markdown, for example, ignore all escaped characters when it is parsing a string?
  • Quotes HAVE to be escaped, otherwise you can't get the data into the database. Have you checked the magic quotes setting as Jelmer suggested, as it is the most likely cause?
  • Magic quotes are disabled and are actually no longer present in PHP 5.4.0
  • Weird. I don't know of any other mechanism that will escape quotes. Which database and database driver are you using?
  • MySQL with MySQLi driver (:
  • Same as used by most people, including myself in most of my projects, and in our Depot project. I've never seen this behaviour, and if it was FuelPHP code related, I guess this forum would be flooded with complaints. So I settle for something local to your environment or your application. Question is what? Can you set up a new environment, fresh FuelPHP install, and add a DB::insert() and DB::select() to the welcome controller, to rule out anything in your code?
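
The two symptoms reported in this thread (stored `\'` and stored `&quot;`) can be reproduced by escaping or entity-encoding a value before handing it to a DB layer that already does its own quoting. The script below is an added illustration, not code from the thread or from FuelPHP; it assumes the `pdo_sqlite` extension and uses an in-memory SQLite database as a stand-in for the MySQLi driver, and `store_title()` / `read_title()` are hypothetical helpers.

```php
<?php
// Added illustration, not FuelPHP code. PDO + in-memory SQLite stands in for
// the MySQLi driver; store_title() and read_title() are hypothetical helpers.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');

function store_title(PDO $pdo, $title)
{
    // The DB layer's own quoting step (bound parameter): the only one needed.
    $stmt = $pdo->prepare('INSERT INTO articles (title) VALUES (:title)');
    $stmt->execute(array(':title' => $title));
    return (int) $pdo->lastInsertId();
}

function read_title(PDO $pdo, $id)
{
    $stmt = $pdo->prepare('SELECT title FROM articles WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return $stmt->fetchColumn();
}

// Constructed sample input containing both quote styles.
$raw = '\'Hello World\' this is a "blog" title';

// 1. Value slash-escaped before saving (magic quotes or a manual addslashes()).
$slashed = read_title($pdo, store_title($pdo, addslashes($raw)));

// 2. Value entity-encoded before saving (encoding on input).
$encoded = read_title($pdo, store_title($pdo, htmlentities($raw, ENT_QUOTES, 'UTF-8')));

// 3. Raw value saved; quoting is left entirely to the DB layer.
$clean = read_title($pdo, store_title($pdo, $raw));

echo "pre-slashed : $slashed\n";
echo "pre-encoded : $encoded\n";
echo "raw         : $clean\n";

// Encode once, at output time, when the value is placed into HTML.
echo "rendered    : " . htmlspecialchars($clean, ENT_QUOTES, 'UTF-8') . "\n";

// Round-trip check: only the raw path returns exactly what was submitted.
var_dump($slashed === $raw, $encoded === $raw, $clean === $raw);
```

Running the same round-trip comparison against a fresh install, as suggested in the last reply, shows whether the extra escaping happens before the value reaches the DB call or somewhere else in the environment.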
