I am working on a JavaScript app, in which I am preparing my data replacing tabs with spaces using RegEx in the frontend:
str = str.replace(/\t+/g, " ");
So
'tabbed title'
becomes
'tabbed title' and so on and so forth
This is then passed to an express route which then sends the data to my MySQL database via a stored procedure, utilizing the escape() method from the JavaScript MySQL SDK.
The issue is, when passing a string where tab characters have been replaced with spaces after the RegEx, the title is being stored in the database as 'tabbedtitle'.
When entering 'tabbed title' normally, with spaces entered via my keyboard, the space is preserved. After the RegEx transform, it is not. It seems like SQL is doing something under the hood, or the " " in my RegEx is not a traditional space character (even though in all of my research it appears it is a regular space).
I've confirmed I am indeed passing 'tabbed title' to the db from express, and there is nothing transforming the data inside my SP. I've even tried entering a utf-8 space \u0020 rather than " " in my RegEx, but the problem persists.
Instead of replacing tabs with a space maybe replace them with a hyphen or some other non-whitespace character? Might help narrow it down
Related
I'm just running a query and forming a JSON string in cfloop.
For some values that are formed within JSON, I see some bogus extra characters at the end. At first, I suspected them to be white spaces or tabs but adding a Trim(name) did not work.
"first_name":"Jon "
When I copied the string over to Notepad++ and converted it to utf-8, here is what I am seeing:
"first_name":"Jon **xA0**"
I am not sure what that xA0 means here. Is there any way to suppress this?
Thanks.
Try replacing with this
<cfset lastname = replacelist(lastname, chr(160), '')>
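Both threads above come down to finding out which whitespace character is really in the string (a tab, a plain U+0020, or the U+00A0 that Notepad++ shows as xA0). The JavaScript below is an added example, not code from either post; `findOddWhitespace` and `normalizeSpaces` are hypothetical helper names, and the inputs in the final lines are constructed samples.

```javascript
// Added example: list every whitespace or invisible character in a string
// that is NOT the plain ASCII space U+0020, with its position and code point.
const NAMES = {                 // a few common offenders, not an exhaustive table
  0x0009: 'TAB',
  0x000a: 'LINE FEED',
  0x000d: 'CARRIAGE RETURN',
  0x00a0: 'NO-BREAK SPACE',     // the "xA0" seen in the second thread
  0x200b: 'ZERO WIDTH SPACE',
  0xfeff: 'BYTE ORDER MARK',
};

function findOddWhitespace(str) {
  const hits = [];
  let index = 0;                                  // UTF-16 index into str
  for (const ch of str) {                         // iterate by code point
    const cp = ch.codePointAt(0);
    // \s covers tab, NBSP and the Unicode space separators;
    // \p{Cf} covers invisible format characters such as U+200B.
    if (cp !== 0x20 && /[\s\p{Cf}]/u.test(ch)) {
      hits.push({
        index,
        codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
        name: NAMES[cp] || 'other whitespace/format character',
      });
    }
    index += ch.length;
  }
  return hits;
}

// Conservative clean-up: remove zero-width space and BOM, turn every run of
// non-newline whitespace (tabs, NBSP, ...) into one U+0020, trim the ends.
function normalizeSpaces(str) {
  return str
    .replace(/[\u200B\uFEFF]/g, '')
    .replace(/[^\S\r\n]+/g, ' ')
    .trim();
}

// Constructed samples mirroring the two questions.
console.log(findOddWhitespace('tabbed\ttitle'));  // one hit: U+0009 at index 6
console.log(JSON.stringify(normalizeSpaces('Jon\u00A0')));
```

Running `findOddWhitespace` on the value at each hop (browser, express route, value read back from the database) shows where the character changes or disappears.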
I am concerned about inserting text in a MySQL table w.
I have to insert/update text that contains characters such as / " and '
The escape character / could be inserted only if the NO_BACKSLASH_ESCAPES SQL mode is enabled, which interferes with the characters " and '; see this link http://dev.mysql.com/doc/refman/5.1/en/string-literals.html#character-escape-sequences
If anyone can explain what on earth mysql_real_escape_string() is, I haven't come to understand it.
I would like to find a pure mysql solution
I am not using php. What I am trying to do here is to "simulate" a Content Management System: I am about to write a C#-coded solution that manages the content in its different forms (article, category, tag, etc.) and generates .html files; the MySQL database is local on my computer, and next I will upload the .html files to the server.
I did this to ensure that all my html pages are valid html and because I don't trust any existing solutions (not only when it concerns coding but in life in general)
Please help
Each PHP db connection extension (mysql, mysqli, pdo) has a special way to make a query safe against SQL injection. When you are using the mysql extension, it's strongly recommended to use the mysql_real_escape_string() function to make all variables used in a query safe; it's the most widely used function. I think there isn't any pure solution (when you are using the mysql extension in PHP).
From php.net:
mysql_real_escape_string()-Escapes special characters in the
unescaped_string, taking into account the current character set of the
connection so that it is safe to place it in a mysql_query().
Any string data can be inserted into an SQL query, if it is formatted according to 2 rules:
it is enclosed in quotes (preferably single ones)
it is passed through mysql_real_escape_string()
If both rules are followed, there will not be a single problem with any characters, whether slashes, quotes or anything else.
According to your question, / has no special meaning in MySQL. It's \ that is the escape character. It can be escaped by another backslash as well.
$str = 'slashes \ quotes \' or whatever " else symbols';
var_dump($str);
$str = mysql_real_escape_string($str);
$sql = "INSERT INTO table SET str='$str'";
So I have been developing a little system in which, at a point, the user can type in some HTML into ckeditor, that HTML is then stored in a database (it's kind of a microCMS).
The problem is that when using Mysqli, it inserts escape characters before and after " and ' in order to stop injection, logically, which breaks loads of HTML code.
for example
becomes
or something close to that, which breaks the code
Is there a way I can disable the injection prevention, or input it into the database another way? Or maybe replace the /" when it is being taken from the database?
Thanks
-jman6495
EDIT :
I have resolved the problem
I replaced the /" by " using the php str_replace function.
here's the code :
$pagecontent = str_replace('\"','"',$pagecontent);
echo $pagecontent;
thanks anyway
-jman6495
If you're seeing these characters when you fetch data back out you're somehow double-escaping the content. Check that you're only escaping it once, and doing it with the placeholder and not mysql_real_escape_string. You haven't fixed the problem. You've un-done the damage of a serious bug.
The purpose of SQL escaping is to insert the data correctly and reliably. For instance, O'Reilly should be O''Reilly for MySQL. The actual content in the database should be O'Reilly regardless of quoting.
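The double-escaping described in the answer above can be reproduced without a database. The JavaScript below is an added example, not code from the thread: `escapeLiteral` and `parseLiteral` are a simplified, hypothetical model of MySQL string-literal quoting (backslash and quote characters only), and the HTML value is a constructed sample.

```javascript
// Added example. Simplified model: only \ ' and " are handled; real escapers
// also encode NUL, newline, carriage return and Ctrl-Z.
function escapeLiteral(s) {
  return s.replace(/[\\'"]/g, (c) => '\\' + c);
}

// What the server stores after parsing a quoted literal: every
// backslash + character pair collapses to the character itself.
function parseLiteral(s) {
  return s.replace(/\\([\s\S])/g, (_, c) => c);
}

// Value as stored after the application escaped it `times` times.
function storedAfter(times, value) {
  let literal = value;
  for (let i = 0; i < times; i++) literal = escapeLiteral(literal);
  return parseLiteral(literal);
}

// The str_replace('\"', '"', ...) workaround from the post, applied on read.
function workaround(s) {
  return s.split('\\"').join('"');
}

// Constructed editor output containing ", ' and a literal backslash.
const html = '<p class="note">it\'s in C:\\temp</p>';

const once = storedAfter(1, html);    // escaped exactly once (what a placeholder gives you)
const twice = storedAfter(2, html);   // escaped by the app AND by the driver

console.log(once === html);           // stored value is the original text
console.log(twice);                   // backslashes are now part of the data
console.log(workaround(twice));       // " is repaired, \' and \\ are still damaged
```

With a placeholder (prepared statement) the value travels separately from the SQL text, so the stored content matches the `once` case and nothing has to be stripped on the way out.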
Short version:
I need mysql code that will change
[href="http://a-random-domain.com"]hyperlink[/href]
into
<a href="http://a-random-domain.com">hyperlink</a>
without messing up the domain part, and
without accidentally converting any unrelated instances of "] that might occur in the text of a field.
Domain will be unique/different every time it is encountered.
Long version:
I am migrating an old database for use with a new application. The old database has a text field that includes content such as:
This is a data field with a [href="http://somedomain.com"]hyperlink[/href] and more data and possibly other hyperlinks.
I need to update it to standard html, e.g.
This is a data field with a <a href="http://somedomain.com">hyperlink</a> and more data and possibly other hyperlinks.
Fixing the [href= and [/href] is simple enough using REPLACE
update table set field = replace(field, '[href=', '<a href=');
but I get tripped up on the "] closing bracket of the a href tag. And in the database there are other instances of "] that shouldn't be modified, so I can't just replace on "]
Does mysql have some sort of regex "lookahead" or other way to accomplish this?
Thanks much!
http://dev.mysql.com/doc/refman/5.1/en/regexp.html
MySQL supports regex functions for 'evaluating' purposes only.
So, you can't use it for replacing or manipulating data. It would be better to use a high-level scripting language for it.
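Following the answer's suggestion to do the conversion in a scripting language, the JavaScript below is an added example, not code from the thread. `convertHrefTags` is a hypothetical helper; it rewrites only complete `[href="URL"]text[/href]` pairs, so an unrelated `"]` is left alone, and it assumes links should be limited to http and https with the URL escaped for use inside an attribute.

```javascript
// Added example. Matches a complete [href="URL"]text[/href] pair only:
// group 1 = URL (no quotes, brackets or spaces), group 2 = link text.
const HREF_TAG = /\[href="([^"\]\s]+)"\]([\s\S]*?)\[\/href\]/g;

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Assumption for this example: only http and https links are migrated.
function isAllowedUrl(url) {
  try {
    const protocol = new URL(url).protocol;
    return protocol === 'http:' || protocol === 'https:';
  } catch {
    return false;                       // not an absolute URL at all
  }
}

// Convert every well-formed tag pair; anything else (a stray "], a pair with
// a disallowed URL scheme) is returned exactly as it was found.
// The link text is passed through unchanged, as the rest of the field is.
function convertHrefTags(field) {
  return field.replace(HREF_TAG, (whole, url, text) =>
    isAllowedUrl(url) ? `<a href="${escapeAttr(url)}">${text}</a>` : whole);
}

// Sample from the question, plus a constructed value with an unrelated "].
console.log(convertHrefTags(
  'This is a data field with a [href="http://somedomain.com"]hyperlink[/href] and more data.'));
console.log(convertHrefTags('config["key"] is not a link'));
```

The converted text can then be written back with a parameterized UPDATE, one row at a time, after checking a sample of rows by eye.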
I am working on some code that dumps data into a table.
Some of the data includes carriage returns.
Eventually, the data will be exported as an HTML-formatted email or in a text file (CSV), or both. I don't know in advance which export method will be used on this data.
If I write my carriage returns to the database like this:
UPDATE SOME_TABLE
SET TEXT_VALUE = #LineOne + CHAR(13) + CHAR(10) + #LineTwo
WHERE ID = #IDValue
Then it works in the CSV file just fine, but the HTML email gets totally screwed up - it confuses the encoding and displays the email with header and mime information and is totally useless except for debugging.
On the other hand, if I write my carriage returns to the database like this:
UPDATE SOME_TABLE
SET TEXT_VALUE = #LineOne + '<br>' + #LineTwo
WHERE ID = #IDValue
Then it's the other way around - it works in email but the text file outputs with the actual "br" embedded in the text, as in "LineOne< br>LineTwo".
Is there a way to represent a carriage return in a way that will produce the same result in both plain text and in HTML?
All of this is running on SQL Server 2008 from inside a T-SQL stored procedure.
I think the most appropriate way is to store all text "as-is" with CR LF and then make the proper manipulations when you fetch the data from the table, i.e. convert newlines to <br> if you are rendering html, etc.
This is one of those times that there is no easy answer to this. HTML and plain text are interpreted very differently, as you are seeing here. A newline is different in both, and not compatible in the other.
What you need to do is to separate the logic into different stored procedures: one for HTML/email formatting, and one for plain text/csv formatting.
I'm not sure what language you are using to send the email. If it's PHP, you can use your normal text with carriage returns and transform them to html-linebreaks using:
nl2br($text);
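The approach in the answers above is to keep CR LF in the table and convert only at output time, once for HTML and once for CSV. The JavaScript below is an added example, not code from the thread; `toHtml` and `toCsvField` are hypothetical names and the stored value is a constructed sample.

```javascript
// Added example. The stored value keeps plain CR LF line breaks.
const stored = 'Total < 5 & rising\r\nSee "notes"';   // constructed sample

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML output: escape markup characters first, then turn each line break
// (CR LF, lone CR or lone LF) into <br>. Escaping first means text such as
// "< 5" cannot be read as a tag by the mail client.
function toHtml(text) {
  return text
    .replace(/[&<>"']/g, (c) => HTML_ENTITIES[c])
    .replace(/\r\n|\r|\n/g, '<br>');
}

// CSV output (RFC 4180 style): a field containing a comma, a double quote or
// a line break is wrapped in double quotes, and embedded quotes are doubled.
// The CR LF inside the quoted field is kept as a real line break.
function toCsvField(text) {
  return /[",\r\n]/.test(text) ? '"' + text.replace(/"/g, '""') + '"' : text;
}

console.log(toHtml(stored));
console.log(JSON.stringify(toCsvField(stored)));
```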