Sending a SQL query from Flash to PHP with LoadVars. Character problems!


str3ber
04-25-2006, 02:39 PM
Hi!

I am going nuts! I hate the god damn special character crap! It is 2006, this should not be a problem!!!

Well, I am developing a Flash app that will be used on PDAs. I have a functional version that uses XMLSocket. The problem is that it won't work on the PDAs... So now I am converting the app to use LoadVars and PHP instead. I first tried to use xml.sendAndLoad, but then I realized that the Flash XML parser converts " to &quot; and that PHP does not understand this and convert it back. So then I tried to use LoadVars, and I'll be damned! This crap converts the " to \" instead! Why!? This is so strange, it has ruined my day and I have lost all hope for humanity (almost).

What I am trying to do is to send a string from flash that will contain a sql query, like: SELECT * FROM itool_user WHERE USERNAME="Bill"

In flash it is a simple loadVars thingy:



// sServer is the URL of the PHP script, defined elsewhere in the movie.
function SendCommand(Command:String, mcCalledBy:MovieClip):Void {

// LoadVars object that will receive the "&reply=..." string from PHP.
var lvReply:LoadVars = new LoadVars();

lvReply.onLoad = function(success:Boolean) {
trace(lvReply.reply);
}

// LoadVars object holding the variables to POST; "com" carries the query.
var lvCommand:LoadVars = new LoadVars();
lvCommand.com = Command;
lvCommand.sendAndLoad(sServer, lvReply, "POST");

}


And in PHP, this:


<?php
// Echo the posted value straight back so Flash can trace what arrived.
$command = $_POST["com"];
echo("&reply=".$command);
?>


OK, so lvReply.reply traces SELECT * FROM itool_user WHERE USERNAME=\"Bill\", and if I try to run that query against the DB it returns an error (of course). Why is PHP adding the \ to the "???

I thought that my idea to send the complete query string was good since I will have most of the work done in flash, but it seems impossible to do! Why can't I send a simple simple simple string to php?

str3ber
04-25-2006, 03:04 PM
Some progress... By using the escape() function in Flash, it seems to send the correct string. BUT, there's something wrong with the query though. This is the reply from the PHP:


SELECT * FROM itool_user WHERE USERNAME="asd"<br />
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/path/dbFunctions.php</b> on line <b>8</b><br />


And here is the php code that I am using:


<?php
$command = $_POST["com"];
echo("&reply=".$command);
$mysql = mysql_connect("myserver.com", "myUsename", "SecretPassword");
mysql_select_db("itool", $mysql);
$result = mysql_query($command);

// mysql_query() returns false when the statement fails; without this check
// mysql_fetch_array() is handed false and emits the warning quoted above.
if ($result === false)
{
echo("&error=".urlencode(mysql_error($mysql)));
}
else
{
while($row = mysql_fetch_array($result))
{
$xml = $row["PASS"];
echo ($xml);
}
}
?>


But if I take the query that is returned to flash: SELECT * FROM itool_user WHERE USERNAME="asd" there is no problem, so it must be something in php that's not ok. But I can't figure out what..

jsebrech
04-25-2006, 03:06 PM
The magic_quotes_gpc php.ini setting is probably set to automatically escape quotes in POST arguments. There is a reason for this. The way you've set up that script someone could very easily send it a query to drop all your tables from the database. This feature is there to protect you from having these kinds of severe security problems.

If you still want to do this, you'll need to either change your php.ini settings, or remove the slashes yourself.

i_am_a_lazy_man
04-27-2006, 03:05 PM
You don't have to do anything at the Flash end, not even "escape". You can simply alter your PHP script to use "stripslashes" to get rid of the extra "\" for special characters received in the PHP script.

$command = stripslashes($_POST["com"]);


I've written a Flash query browser/maintenance/entry program that accepts any valid MySQL SQL command, passes it to PHP and returns the result. But I must highlight to you that it's highly risky to upload such a powerful Flash program to your website. I always make sure certain restricted commands are blocked in the PHP script as well as in the Flash ActionScript, and impose strict security checks.
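An added example, not code from anyone in this thread, that puts jsebrech's magic_quotes_gpc warning and i_am_a_lazy_man's "block restricted commands" advice into one PHP script. Instead of letting Flash send a whole SQL statement, Flash posts a command name plus its arguments (assumed fields cmd=get_pass&user=Bill), the script looks the name up in an allow-list of fixed statements, and the arguments are bound with PDO prepared statements, so quotes in the data can never change the SQL. stripslashes() is applied only when magic_quotes_gpc is actually on, because calling it unconditionally mangles legitimate backslashes on servers where the setting is off. The table and column names (itool_user, USERNAME, PASS), the host and the credentials are taken from the thread; the command names, the DSN and the field names are assumptions for the example.

```php
<?php
// Added example (hypothetical): a LoadVars endpoint that runs only
// allow-listed, parameterised statements instead of raw SQL from Flash.

// Read a POST field and undo magic_quotes_gpc only if it is enabled.
function raw_post($key) {
    if (!isset($_POST[$key])) {
        return null;
    }
    $value = $_POST[$key];
    // get_magic_quotes_gpc() exists up to PHP 7.4; guard for newer PHP.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Send a LoadVars-style reply ("name=value&name=value") and stop.
function reply_and_exit($status, $message, $extra = '') {
    header('HTTP/1.0 ' . $status);
    // urlencode() so '&', '=' and quotes in the data cannot split the reply.
    echo '&reply=' . urlencode($message) . $extra;
    exit;
}

// Allow-list: the client picks WHICH statement runs, never WHAT SQL runs.
// Each entry names the POST fields that fill its placeholders (assumed names).
$commands = array(
    'get_pass' => array(
        'sql'    => 'SELECT PASS FROM itool_user WHERE USERNAME = :user',
        'params' => array('user'),
    ),
    'list_users' => array(
        'sql'    => 'SELECT USERNAME FROM itool_user ORDER BY USERNAME',
        'params' => array(),
    ),
);

$cmd = raw_post('cmd');
if ($cmd === null || !isset($commands[$cmd])) {
    // Unknown command: refuse rather than fall back to executing input.
    reply_and_exit('400 Bad Request', 'unknown command');
}

$spec  = $commands[$cmd];
$bound = array();
foreach ($spec['params'] as $name) {
    $value = raw_post($name);
    if ($value === null) {
        reply_and_exit('400 Bad Request', 'missing parameter ' . $name);
    }
    $bound[':' . $name] = $value;   // bound as data, never spliced into SQL
}

try {
    // DSN assumed; host, database and credentials are the ones from the thread.
    $pdo = new PDO('mysql:host=myserver.com;dbname=itool', 'myUsename', 'SecretPassword');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $stmt = $pdo->prepare($spec['sql']);
    $stmt->execute($bound);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // Keep the real error server-side; the client only learns that it failed.
    error_log('itool query failed: ' . $e->getMessage());
    reply_and_exit('500 Internal Server Error', 'database error');
}

// Flash reads lvReply.reply (JSON text) and lvReply.count.
reply_and_exit('200 OK', json_encode($rows), '&count=' . count($rows));
```

With this layout a value such as `asd" OR "1"="1` sent as `user` is simply looked up as a literal username, and a posted `DROP TABLE` never reaches the database because no allow-list entry contains it; the Flash side only needs to set `lvCommand.cmd` and `lvCommand.user` instead of building SQL text.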