Re: quotes from form input + MySQL insert query
From: Luciano Tolomei (tolomei_at_newmediatrio.it)
Date: 07/27/04
- Next message: Rubem Pechansky: "A native Windows binding for PHP"
- Previous message: Luciano Tolomei: "Re: match an array value with a word"
- In reply to: Jeremy Epstein: "quotes from form input + MySQL insert query"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 27 Jul 2004 23:08:51 +0200
I will not use preg_replace or anything like that; instead I will use:
string mysql_escape_string ( string unescaped_string )
Look it up at:
http://it2.php.net/manual/en/function.mysql-escape-string.php
Jeremy Epstein wrote:
> <whinge>Please help! I'm tearing my hair out, trying to get this to work...
> I've tried everything, nothing seems to work, it is extremely
> weird.</whinge>
>
> This is what happens: when the user enters input from a form, that input is
> POSTed to my script page, which then runs an insert query to put it into a
> MySQL table. All the fields are strings. Most of them are inputted through
> HTML text boxes, while one is inputted through an HTML textarea element.
>
> The problem: when there are SINGLE quotes (double quotes work fine) in the
> TEXTBOX fields (textarea fields work fine), the data is only inserted up to
> the first single quote. I'm handling textboxes and textareas in exactly the
> same way, but a textarea string full of single quotes is handled fine, while
> a similar textbox string is not!
>
> I have magic_quotes turned on, and since I do not have access to php.ini on
> my hosted site, I can't turn it off. I've checked the POSTed data by echoing
> all fields, and magic_quotes is handling all fields the same: it puts a
> backslash before every quote in every field. So the problem is not
> magic_quotes, because it's doing its job the same for all data.
>
> I've tried everything: I've tried using urlencode() and urldecode(),
> htmlentities() and htmlspecialchars(). In case magic_quotes was stuffing up
> somehow, I tried using addslashes() and stripslashes(). I even wrote a
> regular expression to replace all single backslashes with double
> backslashes, in case the single ones generated by magic_quotes weren't
> enough for some reason:
>
> preg_replace("/\\\\/","${1}\\\\\\${2}",$_POST['input_field'])
>
> But using that just generated a MySQL syntax error. When I just run the
> script plain, without using any special functions like addslashes() or the
> one above, I don't get any error messages: the text just isn't inserted past
> the first single quote.
>
> Here is some of the code that I'm using. From the form input page:
>
> <form name="adminForm" method="post" action="transact-admin.php">
> <input type="hidden" name="pageelement" value="hotdeals" />
> ...
> <tr>
> ...
> <td class="item_cell">
> <input type="text" name="hotdeal_to_add_section_url" maxlength="100"
> value="" />
> </td>
> <td class="item_cell">
> <input type="text" name="hotdeal_to_add_title" maxlength="100" value="" />
> </td>
> <td class="item_cell">
> <textarea name="hotdeal_to_add_body" rows="8" cols="40"></textarea>
> </td>
> <td class="item_cell">
> <input type="text" name="hotdeal_to_add_image_url" maxlength="100"
> value="" />
> </td>
> <td class="item_cell">
> <input type="text" name="hotdeal_to_add_image_desc" maxlength="100"
> value="" />
> </td>
> ...
> </tr>
>
> And from the processing script (transact-admin.php):
>
> case 'hotdeals':
> .....
> $sql_hotdeal = "INSERT IGNORE INTO ga_hotdeals ".
> "( hotdeal_id, section_url, title, body, ".
> "image_url, image_desc ) ".
> "VALUES ".
> "( '". $_POST['hotdeal_to_add_number']. "', '".
> $_POST['hotdeal_to_add_section_url']. "', '".
> $_POST['hotdeal_to_add_title']. "', '".
> $_POST['hotdeal_to_add_body']. "', '".
> $_POST['hotdeal_to_add_image_url']. "', '".
> $_POST['hotdeal_to_add_image_desc']. "' )";
>
> $insert_hotdeal = mysql_query($sql_hotdeal)
> or die(mysql_error());
>
> The really weird thing, like I said, is that I only have this problem for
> textbox-entered data, and not for textarea-entered data. Because the problem
> only occurs with single quotes, I'm guessing that it has something to do
> with the single quotes in my raw HTML form elements. Or maybe it's because I
> use single quotes in the MySQL query. But none of this should
> matter, because I've seen by echoing the POSTed data that it all gets posted
> exactly the same! All the quotes in all the fields get given backslashes by
> magic_quotes, so they should all be handled the same when they're inserted
> into the MySQL table.
>
> If someone could let me know just what the HELL is going on, I would greatly
> appreciate it. I've been working on this problem for about 3 days now, and I
> will not rest until it's solved.
>
> Jeremy Epstein.
> jepstein@it.uts.edu.au
>
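The query in the quoted post builds its SQL by pasting the raw $_POST values between single quotes, so any single quote in the data becomes part of the SQL syntax; that is the same defect that makes the query injectable, not only fragile. The following is an added example, not code from the thread: it rebuilds the same INSERT against an in-memory SQLite database through PDO (so it runs without a MySQL server, and because the mysql_* extension the reply points to was removed in PHP 7.0), shows the SQL text that a title containing an apostrophe produces, and then performs the same insert with a prepared statement and bound parameters. The table and column names follow the post; the request data is constructed for the example.

```php
<?php
// Added example, not part of the original thread. Reproduces the
// concatenated INSERT from the post against an in-memory SQLite database
// and contrasts it with a prepared statement. Table and column names are
// assumed to match the post; INSERT IGNORE is MySQL-specific, so a plain
// INSERT is used here.
declare(strict_types=1);

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ga_hotdeals (
        hotdeal_id  INTEGER PRIMARY KEY,
        section_url TEXT, title TEXT, body TEXT,
        image_url   TEXT, image_desc TEXT)');
    return $db;
}

// The pattern from the post: request values are spliced into the SQL text,
// so a single quote inside the data terminates the string literal early.
function buildConcatenatedSql(array $post): string
{
    return "INSERT INTO ga_hotdeals " .
           "( hotdeal_id, section_url, title, body, image_url, image_desc ) " .
           "VALUES ( '" . $post['hotdeal_to_add_number'] . "', '" .
           $post['hotdeal_to_add_section_url'] . "', '" .
           $post['hotdeal_to_add_title'] . "', '" .
           $post['hotdeal_to_add_body'] . "', '" .
           $post['hotdeal_to_add_image_url'] . "', '" .
           $post['hotdeal_to_add_image_desc'] . "' )";
}

// The fix: the SQL text is constant and the values travel separately as
// bound parameters, so the database never parses the data as SQL and no
// escaping (addslashes, magic_quotes, mysql_escape_string) is needed.
function insertWithPreparedStatement(PDO $db, array $post): void
{
    $stmt = $db->prepare(
        'INSERT INTO ga_hotdeals
           ( hotdeal_id, section_url, title, body, image_url, image_desc )
         VALUES ( :id, :section_url, :title, :body, :image_url, :image_desc )');
    $stmt->execute([
        ':id'          => (int) $post['hotdeal_to_add_number'],
        ':section_url' => $post['hotdeal_to_add_section_url'],
        ':title'       => $post['hotdeal_to_add_title'],
        ':body'        => $post['hotdeal_to_add_body'],
        ':image_url'   => $post['hotdeal_to_add_image_url'],
        ':image_desc'  => $post['hotdeal_to_add_image_desc'],
    ]);
}

// Constructed request data standing in for $_POST, with an apostrophe in a
// text-box field exactly as a user would type it (no magic_quotes applied).
$post = [
    'hotdeal_to_add_number'      => '1',
    'hotdeal_to_add_section_url' => '/deals/',
    'hotdeal_to_add_title'       => "Today's deal",
    'hotdeal_to_add_body'        => "It's 50% off",
    'hotdeal_to_add_image_url'   => '/img/deal.png',
    'hotdeal_to_add_image_desc'  => 'logo',
];

$db = setupDb();

$sql = buildConcatenatedSql($post);
echo $sql, "\n";   // note: ... 'Today's deal', ... the literal ends at "Today"
try {
    $db->exec($sql);
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

insertWithPreparedStatement($post ? $db : $db, $post);
$row = $db->query('SELECT title, body FROM ga_hotdeals WHERE hotdeal_id = 1')
          ->fetch(PDO::FETCH_ASSOC);
var_dump($row);    // title and body are stored exactly as typed
```

Run it with `php example.php`. The echoed SQL shows the string literal closing at the apostrophe in "Today's", which is why the concatenated version fails (or, when an escaping layer half-applies, silently stores a truncated value), while the prepared statement stores the full text. The `or die(mysql_error())` in the post also has a security cost beyond the query itself: it prints driver error text, and with it fragments of the SQL, to any visitor who sends a malformed value.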