Backslash quotes issue

bdwderm wrote on Thursday, May 01, 2008:

Has this been resolved?

cfapress wrote on Thursday, May 01, 2008:

Could you elaborate on what the issue would be?

During my development in OpenEMR I haven’t run into much trouble with backslashing any quotes.

Jason

bdwderm wrote on Thursday, May 01, 2008:

When I’m typing an encounter note and use " or ’ this is what appears in the encounter note and/or report:

patient’s

"high-powered"

Any thoughts?

Brent

drbowen wrote on Thursday, May 01, 2008:

You need to turn off "Magic Quotes" in php.ini.

Sam Bowen, MD

cfapress wrote on Monday, May 05, 2008:

Here’s the official “magic quotes” info from php.net

http://us.php.net/magic_quotes/

Specifically:
http://us.php.net/manual/en/security.magicquotes.disabling.php

Jason

drbowen wrote on Monday, May 05, 2008:

As discussed under this thread, prevention of SQL injection requires escaping some characters such as ’ and " at:

http://sourceforge.net/forum/forum.php?thread_id=2025573&forum_id=202506

PHP has a built-in "magic quotes" function that does this at a system level.  Unfortunately, it has the effect of adding one too many slashes if the coder has already added slashes.  This shows up and looks funny as in your example above.

The best practice is to use

mysql_real_escape_string( recommended );

along with checking for valid data, checking for intentionally huge payloads, etc., but this ends up causing too many quotes in the output.

Sam Bowen, MD

sunsetsystems wrote on Monday, May 05, 2008:

I would consider it a bug where the code does not behave properly with magic quotes either on or off.  And I expect we have a few bugs like that.

Rod
www.sunsetsystems.com
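
The extra slashes described above, and input handling that behaves the same with magic quotes on or off, shown as an added example that is not from this thread or from OpenEMR. All function names are hypothetical, and addslashes() is only a stand-in for the real escaping call (mysql_real_escape_string or ADOdb's qstr).

```php
<?php
// Added example, not OpenEMR code. All function names here are hypothetical.

// Stand-in for what magic_quotes_gpc did to request data: addslashes() on each value.
function simulate_magic_quotes($raw) {
    return addslashes($raw);
}

// Stand-in for the single escaping step at the query boundary.
// Assumption: addslashes() models the escaping of quotes and backslashes only;
// it is not a safe substitute for the database driver's own escaping.
function escape_for_sql($value) {
    return addslashes($value);
}

// Models the server parsing the string literal: one level of escaping is consumed.
function value_as_stored($escaped) {
    return stripslashes($escaped);
}

// Undo magic quotes once, at input time, so the rest of the code sees raw text
// whether the setting is on or off. On PHP versions that still have the setting,
// the flag would come from get_magic_quotes_gpc().
function normalize_input($value, $magic_quotes_on) {
    return $magic_quotes_on ? stripslashes($value) : $value;
}

$typed = 'patient\'s "high-powered" lens';  // constructed sample encounter note

foreach (array(true, false) as $mq) {
    $received = $mq ? simulate_magic_quotes($typed) : $typed;

    // Buggy path: escape again without checking whether the input was already escaped.
    $buggy = value_as_stored(escape_for_sql($received));

    // Fixed path: normalize first, then escape exactly once.
    $fixed = value_as_stored(escape_for_sql(normalize_input($received, $mq)));

    printf("magic_quotes=%s\n  buggy stored: %s\n  fixed stored: %s\n",
        $mq ? 'on' : 'off', $buggy, $fixed);
}
```

With the setting on, the buggy path stores the note with a backslash before each quote, while the fixed path stores the text as typed in both cases.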

jeff_ross wrote on Tuesday, May 06, 2008:

The adodb database abstraction layer has a qstr function that will work with any of the databases.

The library/log.inc has a good example in the function newEvent code:

function newEvent($event, $user, $groupname, $comments="")
  {
    // Shared ADOdb connection object
    $adodb = $GLOBALS['adodb']['db'];
    // Only record known event types
    if (in_array($event, array("login", "logout", "backup", "view", "auth", "upload")))
    {
      // qstr() quotes and escapes each value for the active database driver
      $sql = "insert into log (date, event, user, groupname, comments) values
(NOW(), " . $adodb->qstr($event) . "," . $adodb->qstr($user) . "," . $adodb->qstr($groupname) . "," . $adodb->qstr($comments) . ")";
      return sqlInsertClean($sql);
    }

    else
    {
      return false;
    }
  }

Documentation is also here:

http://phplens.com/adodb/tutorial.inserting.html

Jeff