Search Results

Search found 1174 results on 47 pages for 'escape'.

Page 9/47 | < Previous Page | 5 6 7 8 9 10 11 12 13 14 15 16  | Next Page >

  • Convert XMLDocument to String

    - by mnh
    Here is how I'm currently converting XMLDocument to String StringWriter stringWriter = new StringWriter(); XmlTextWriter xmlTextWriter = new XmlTextWriter(stringWriter); xmlDoc.WriteTo(xmlTextWriter); return stringWriter.ToString(); The problem with this method is that if I have " ((quotes) which I have in attributes) it escapes them. For Instance: <Campaign name="ABC"> </Campaign> Above is the expected XML. But it returns <Campaign name=\"ABC\"> </Campaign> I can do String.Replace "\" but is that method okay? Are there any side-effects? Will it work fine if the XML itself contains a "\"

    Read the article

  • URLScan and percent signs

    - by Hobbes
    So I just ran into a stupid problem in which users could not download files that had a percent sign in it. It wound up being URLScan. I had to un-set two things in urlscan.ini: 1) Set VerifyNormalization to 0 (disabled) 2) Remove the percent sign from the "DenyUrlSequences" section Do an iisreset, and it problem solved. But the big question is: How much of a security risk is this?

    Read the article

  • Do I have to use mysql_real_escape_string if I bind parameters?

    - by Babak
    I have the following code: function dbPublish($status) { global $dbcon, $dbtable; if(isset($_GET['itemId'])) { $sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?'; $stmt = $dbcon->prepare($sqlQuery); $stmt->bind_param('ii', $status, $_GET['itemId']); $stmt->execute(); $stmt->close(); } } Do I need to mysql_real_escape_string in this case or am i okay?

    Read the article

  • How to preserve &amp; in <pre><code>

    - by Marcy Sutton
    I am having trouble preserving an ampersand in a code example on my blog, because all HTML entities start with &. Any tips? For example: <pre> <code> $pageTitle = str_replace('&', ' &amp;', $page->attributes()->title); </code> </pre> Renders as: $pageTitle = str_replace('&', '&', $page->attributes()->title);

    Read the article

  • Escaping single quote in PHP when inserting into MySQL

    - by hairdresser-101
    I have a perplexing issue that I can't seem to comprehend... I'm hoping someone here might be able to point me in the right direction... I have two SQL statements: - the first enters information from a form into the database. - the second takes data from the database entered above, sends an email and then logs the details of the transaction The problem is that it a appears that a single quote is triggering a MySQL error on the second entry only!!! The first instance works without issue but the second instance triggers the mysql_error(). Does the data from a form get handled differently from the data captured in a form? Query#1 - This works without issue (and without escaping the single quote) $result = mysql_query("INSERT INTO job_log (order_id, supplier_id, category_id, service_id, qty_ordered, customer_id, user_id, salesperson_ref, booking_ref, booking_name, address, suburb, postcode, state_id, region_id, email, phone, phone2, mobile, delivery_date, stock_taken, special_instructions, cost_price, cost_price_gst, sell_price, sell_price_gst, ext_sell_price, retail_customer, created, modified, log_status_id) VALUES ('$order_id', '$supplier_id', '$category_id', '{$value['id']}', '{$value['qty']}', '$customer_id', '$user_id', '$salesperson_ref', '$booking_ref', '$booking_name', '$address', '$suburb', '$postcode', '$state_id', '$region_id', '$email', '$phone', '$phone2', '$mobile', STR_TO_DATE('$delivery_date', '%d/%m/%Y'), '$stock_taken', '$special_instructions', '$cost_price', '$cost_price_gst', '$sell_price', '$sell_price_gst', '$ext_sell_price', '$retail_customer', '".date('Y-m-d H:i:s', time())."', '".date('Y-m-d H:i:s', time())."', '1')"); Query#2 - This fails when entering a name with a single quote (i.e. O'Brien) $query = mysql_query("INSERT INTO message_log (order_id, timestamp, message_type, email_from, supplier_id, primary_contact, secondary_contact, subject, message_content, status) VALUES ('$order_id', '".date('Y-m-d H:i:s', time())."', '$email', '$from', '$row->supplier_id', '$row->primary_email' ,'$row->secondary_email', '$subject', '$message_content', '1')");

    Read the article

  • Escaping single quote in PHP when inserting into MySQL

    - by hairdresser-101
    PLEASE NOTE: I am reposting as the original was not answered correctly... I AM LOOKING FOR THE WHY - NOT THE SOLUTION - I KNOW THE SOLUTION, WHAT I DON'T UNDERSTAND IS THE WHY! I have a perplexing issue that I can't seem to comprehend... I'm hoping someone here might be able to point me in the right direction... I have two SQL statements: - the first enters information from a form into the database. - the second takes data from the database entered above, sends an email and then logs the details of the transaction The problem is that it a appears that a single quote is triggering a MySQL error on the second entry only!!! The first instance works without issue but the second instance triggers the mysql_error(). Does the data from a form get handled differently from the data captured in a form? Query#1 - This works without issue (and without escaping the single quote) $result = mysql_query("INSERT INTO job_log (order_id, supplier_id, category_id, service_id, qty_ordered, customer_id, user_id, salesperson_ref, booking_ref, booking_name, address, suburb, postcode, state_id, region_id, email, phone, phone2, mobile, delivery_date, stock_taken, special_instructions, cost_price, cost_price_gst, sell_price, sell_price_gst, ext_sell_price, retail_customer, created, modified, log_status_id) VALUES ('$order_id', '$supplier_id', '$category_id', '{$value['id']}', '{$value['qty']}', '$customer_id', '$user_id', '$salesperson_ref', '$booking_ref', '$booking_name', '$address', '$suburb', '$postcode', '$state_id', '$region_id', '$email', '$phone', '$phone2', '$mobile', STR_TO_DATE('$delivery_date', '%d/%m/%Y'), '$stock_taken', '$special_instructions', '$cost_price', '$cost_price_gst', '$sell_price', '$sell_price_gst', '$ext_sell_price', '$retail_customer', '".date('Y-m-d H:i:s', time())."', '".date('Y-m-d H:i:s', time())."', '1')"); Query#2 - This fails when entering a name with a single quote (i.e. O'Brien) $query = mysql_query("INSERT INTO message_log (order_id, timestamp, message_type, email_from, supplier_id, primary_contact, secondary_contact, subject, message_content, status) VALUES ('$order_id', '".date('Y-m-d H:i:s', time())."', '$email', '$from', '$row->supplier_id', '$row->primary_email' ,'$row->secondary_email', '$subject', '$message_content', '1')");

    Read the article

  • Escaped International characters?

    - by FFish
    I am looking at some PHP code where there are translation strings. For French there are characters that I have never seen before and I am asking if someone could shed a light. These strings are used as HTML output, but also as body text to send emails. È = é Ë = è ‡ = à Í = ê ...

    Read the article

  • Dollar ($) sign in password string treated as variable

    - by ncatnow
    Spent some time troubleshooting a problem whereby a PHP/MySQL web application was having problems connecting to the database. The database could be accessed from the shell and phpMyAdmin with the exact same credentials and it didn't make sense. Turns out the password had a $ sign in it: $_DB["password"] = "mypas$word"; The password being sent was "mypas" which is obviously wrong. What's the best way to handle this problem? I escaped the $ with a \ $_DB["password"] = "mypas\$word"; and it worked. I generally use $string = 'test' for strings which is probably how I avoided running into this before. Is this correct behavious? What if this password was stored in a database and PHP pulled it out - would this same problem occur? What am I missing here...

    Read the article

  • Ruby -- looking for some sort of "Regexp unescape" method

    - by RubyNoobie
    I have a bunch of strings that appear to have been double-escaped -- eg, I have "\\014\"\\000\"\\016smoothing\"\\011mean\"\\022color\"\\011zero@\\016" but I want "\014"\000"\016smoothing"\011mean"\022color"\011zero@\016" Is there a method I can use to unescape them? I imagine that I could make a regex to remove 1 backslash from every consecutive n backslashes, but I don't have a lot of regex experience and it seems there ought to be a "more elegant" way to do it. For example, when I puts MyString it displays the output I'd like, but I don't know how I might capture that into a variable. Thanks! Edited to add context: I have this class that is being used to marshal / restore some stuff, but when I restore some old strings it spits out a type error which I've determined is because they weren't -- for some inexplicable reason -- stored as base64. They instead appear to be 'double-escaped', when I need them to be 'single-escaped' to get restored. require 'base64' class MarshaledStuff < ActiveRecord::Base validates_presence_of :marshaled_obj def contents obj = self.marshaled_obj return Marshal.restore(Base64.decode64(obj)) end def contents=(newcontents) self.marshaled_obj = Base64.encode64(Marshal.dump(newcontents)) end end

    Read the article

  • windows C system call with spaces in command

    - by myforwik
    I cannot make system calls with spaces in the names and parameters. For example: system("c:\program files\something\example.exe c:\my files\example.txt"); I have tried escaping in every way I know how, and NOTHING works. I have tried: system("\"c:\program files\something\example.exe\" \"c:\my files\example.txt\""); and system("c:\program^ files\something\example.exe c:\my^ files\example.txt"); Neither work. I still get 'c:\program' is not a recongnised internal or external command This is really driving me mad... I need to call and pass parameters that have spaces in them. I cannot use the short notation for reasons I won't go into. I have tried with ' quotes instead of " quotes, still doesn't work. I have tried putting quotes around the whole thing and quotes around the spaces and that doesn't work. Does anyone know how to do it properly?

    Read the article

  • Decoding mysql_real_escape_string() for outputting HTML

    - by Peter
    I'm trying to protect myself from sql injection and am using: mysql_real_escape_string($string); When posting HTML it looks something like this: <span class="\&quot;className\&quot;"> <p class="\&quot;pClass\&quot;" id="\&quot;pId\&quot;"></p> </span> I'm not sure how many other variations real_escape_string adds so don't want to just replace a few and miss others... How do I "decode" this back into correctly formatted HTML, with something like: html_entity_decode(stripslashes($string));

    Read the article

  • mysql_real_escape_string() just makes an empty string?

    - by James P
    I am using a jQuery AJAX request to a page called like.php that connects to my database and inserts a row. This is the like.php code: <?php // Some config stuff define(DB_HOST, 'localhost'); define(DB_USER, 'root'); define(DB_PASS, ''); define(DB_NAME, 'quicklike'); $link = mysql_connect(DB_HOST, DB_USER, DB_PASS) or die('ERROR: ' . mysql_error()); $sel = mysql_select_db(DB_NAME, $link) or die('ERROR: ' . mysql_error()); $likeMsg = mysql_real_escape_string(trim($_POST['likeMsg'])); $timeStamp = time(); if(empty($likeMsg)) die('ERROR: Message is empty'); $sql = "INSERT INTO `likes` (like_message, timestamp) VALUES ('$likeMsg', $timeStamp)"; $result = mysql_query($sql, $link) or die('ERROR: ' . mysql_error()); echo mysql_insert_id(); mysql_close($link); ?> The problematic line is $likeMsg = mysql_real_escape_string(trim($_POST['likeMsg']));. It seems to just return an empty string, and in my database under the like_message column all I see is blank entries. If I remove mysql_real_escape_string() though, it works fine. Here's my jQuery code if it helps. $('#like').bind('keydown', function(e) { if(e.keyCode == 13) { var likeMessage = $('#changer p').html(); if(likeMessage) { $.ajax({ cache: false, url: 'like.php', type: 'POST', data: { likeMsg: likeMessage }, success: function(data) { $('#like').unbind(); writeLikeButton(data); } }); } else { $('#button_container').html(''); } } }); All this jQuery code works fine, I've tested it myself independently. Any help is greatly appreciated, thanks.

    Read the article

  • Java: Ignoring escapes when parsing XML

    - by Personman
    I'm using a DocumentBuilder to parse XML files. However, the specification for the project requires that within text nodes, strings like " and < be returned literally, and not turned into the corresponding ASCII values. A previous similar question, http://stackoverflow.com/questions/1979785/read-escaped-quote-as-escaped-quote-from-xml, received one answer that seems to be specific to Apache, and another that appears to simply not not do what it says it does. I'd love to be proven wrong on either count, however :) For reference, here is some code: file = new File(fileName); DocBderFac = DocumentBuilderFactory.newInstance(); DocBder = DocBderFac.newDocumentBuilder(); doc = DocBder.parse(file); NodeList textElmntLst = doc.getElementsByTagName(text); Element textElmnt = (Element) textElmntLst.item(0); NodeList txts = textElmnt.getChildNodes(); String txt = ((Node) txts.item(0)).getNodeValue(); System.out.println(txt); I would like that println() to produce things like &quot;3&gt;2&quot; instead of "3>2" which is what currently happens. Thanks!

    Read the article

  • mysqli real_escape_string problem

    - by tridat
    When im inserting to the database on my dev server the text goes in fine, for example "that's" is "that's" in the db. when uploading the exact same code to production server (hosted on a reseller account at bluehost) "that's" becomes "that\'s", im not double escaping, its exactly the same code, what could be the issue here?

    Read the article

  • Store data in DB as is, or escaped?

    - by Yegor
    Whats a better way to store textual data, such as comments, user profile fields that require them to type something in, etc? Store the escaped data right away (using htmlspecialchars in php for example), or put it thru the same function before its echoed out?

    Read the article

  • Problem when reading backslash in Prolog

    - by Jerry
    I'm writing a lexer in Prolog which will be used as a part of functional language interpreter. Language spec allows expressions like for example let \x = x + 2; to occur. What I want lexer to do for such input is to "return": [tokLet, tokLambda, tokVar(x), tokEq, tokVar(x), tokPlus, tokNumber(2), tokSColon] and the problem is, that Prolog seems to ignore the \ character and "returns" the line written above except for tokLambda. One approach to solve this would be to somehow add second backslash before/after every occurrence of one in the program code (because everything works fine if I change the original input to let \\x = x + 2;) but I don't really like it. Any ideas?

    Read the article

  • Escaping quotes twice in PHP

    - by Genadinik
    Hello, I have a complicated form where I first have to take some _GET parameters and obviously I have to do a mysql_real_escape_string() on them since I look stuff up in the database with them. Them problem for me is after the initial db lookup. When the user submits a form, I send them along as a _POST request and obviously have to do this mysql_real_escape_string call again just in case someone tries to hack my site with a faked form submission. Then the problem I have is the arguments are escaped twice and my queries begin to look strange like this: select field1 , field2 , from my_table where some_id = \'.$lookup_id.\' ... So the system seems to be adding \' and it is messing me up :) Also, in my other forms I have not seen such behavior. Any ideas on what may be causing this? One weird thing is that I tried to send unescaped parameters to the post, and the same problem happens. That is a clue, but not a sufficient one for me. :( Thanks, Alex

    Read the article

  • Why does this properly escaped SQL query fail?

    - by Jason Rhodes
    Here's the query: INSERT INTO jobemails (jobid, to, subject, message, headers, datesent) VALUES ('340', '[email protected]', 'We\'ve received your request for a photo shoot called \'another\'.', 'message', 'headers', '2010-04-22 15:55:06') The datatypes are all correct, it always fails at the subject, so it must be how I'm escaping the values, I assume. I'm sure one of you will see my idiot mistake right away. A little help?

    Read the article

  • Unicode escaping in C/C++

    - by Geo
    Hi guys! I'm having a dispute with a colleague of mine. She says that the following: char* a = "\x000aaxz"; will/can be seen by the compiler as "\x000aa". I do not agree with her, as I think you can have a maximum number of 4 hex characters after the \x. Can you have more than 4 hex chars? Who is right here?

    Read the article

  • mysql_real_escape_string & slashes (again, oh yes)

    - by Fizzadar
    Righto, firstly magic quotes & runtime are disabled correctly in php.ini, and confirmed by phpinfo(). PHP version: 5.3.4 MySQL version: 5.1.52 I'm only use mysql_real_escape_string on the data, after htmlspecialchars and a trim, that's all the data cleaning on the variable. Yet, when I submit a single quote, the slash remains in the database. When running mysql_query I'm using "' . $var . '", although in the past this hasn't changed anything (could be due to the double quotes?). Any ideas? and please don't tell me about PDO/prepared statements, I'm aware of them and I have my reasons for doing it this way. Thanks!

    Read the article

< Previous Page | 5 6 7 8 9 10 11 12 13 14 15 16  | Next Page >