You shouldn't trust any inputs from users.

These sections of the PHP manual may be useful.
http://jp.php.net/manual/en/security.php
http://jp.php.net/manual/en/security.variables.php
http://jp.php.net/manual/en/function.addslashes.php

You may need to write your own addslashes and stripslashes, depending on your DB.

--
Yasuo Ohgaki


"Matt Braynard" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I have created a news script and to my dismay, the script is breaking when
> there is a single quote - ' - in a form that goes to the database. Any
> solutions?
>
> The text of the script is below.
>
> ---
> <title>E3 Confirm News</title>
> <html>
> <font size=+2>E3 Confirm News Page</font><p>
> Make the necessary edits and the story will be considered "live" once you
> check the box and submit. If you want to pull the story, just uncheck the
> box and submit. <p>
> Both Chris and Matt will get an email when a story has been confirmed. <p>
> Also, you can enter fresh stories directly into this page.
>
> <?php
>
> if (($submitcheck) and (($password == "xxxxx") or ($password == "xxxxx")))
> {
> if ($ready=="on")
> {
> $subject = "Confirmed: " . $top;
> $message .=  "\n \n Tease: \n";
> $message .= $tease;
> $message .=  "\n \n Body: \n";
> $message .= $body;
> $message .=  "\n \n Link: ";
> $message .=
> "http://www.well-rounded.com/games/e32k1/confirmnews.php?id=$id";
> mail("[EMAIL PROTECTED]", $subject, $message);
> mail("[EMAIL PROTECTED]", $subject, $message);
> $flag = "1";
> }
>
> require("/home/well-rounded.com/cgi-bin/dbinfo.inc");
> mysql_connect(localhost,$user,$password);
>
> @mysql_select_db($db) or die( "Unable to select database");
>
> $query="select * from e32k1_data where id = '$id'";
> $result=mysql_query($query);
>
> $num=mysql_numrows($result);
>
> if ($num == 0)
> {
> $query="insert into e32k1_data values('$type', '$id', '$filedate', '$top',
> '$tease', '$story', '$flag', '$flag2')";
>
> $result=mysql_query($query);
>
> mysql_close();
>
> } else {
> $query="update e32k1_data set type='n', id='$id', filedate='$filedate',
> top='$top', tease='$tease', body='$body', flag='$flag' where id = '$id'";
>
> $result=mysql_query($query);
>
> mysql_close();
>
> }
> ?>
> <p>
> <hr>
> <i>Mockup</i>
> <?
> Include("/home/well-rounded.com/html/games/e32k1/viewnews.php");
> ?>
> <hr>
> Submitted Data
>
> <form method=post><p>
> Enter the Info:<br>
> Password:
> <input type=text name="password" maxlength=5 length=5><br>
> <input type=hidden name="type" value="n">
> ID:
> <input type=text name="id" maxlength=15 value="<?
> echo $id;
> ?>">
> <br>
> FileDate:
> <input type=text name="filedate" maxlength=15 value="<?
> echo $filedate;
> ?>"><br>
> Top:
> <input type=text name="top" maxlength=200 value="<?
> echo $top;
> ?>"><br>
> Tease:
> <input type=text name="tease" maxlength=200 value="<?
> echo $tease;
> ?>"><br>
> Body:
> <TEXTAREA name="body" rows=10 cols=45 wrap=virtual>
> <?
> echo $body;
> ?></TextArea><br>
> <input type=hidden name="submitcheck" value="1">
> <input type=checkbox name="ready">Ready for Prime Time?<br>
> <INPUT name="submit" type="submit" value="Post Your Story">
> <?
>
> } else {
>
> if ($id)
> {
> require("/home/well-rounded.com/cgi-bin/dbinfo.inc");
> mysql_connect(localhost,$user,$password);
>
> @mysql_select_db($db) or die( "Unable to select database");
>
> $query="select * from e32k1_data where id = '$id'";
>
> $result=mysql_query($query) or die( "Unable to get the damn table");
>
> mysql_close();
>
> $type=mysql_result($result,0,"type");
> $id=mysql_result($result,0,"id");
> $filedate=mysql_result($result,0,"filedate");
> $top=mysql_result($result,0,"top");
> $tease=mysql_result($result,0,"tease");
> $body=mysql_result($result,0,"body");
> $flag=mysql_result($result,0,"flag");
> $flag2=mysql_result($result,0,"flag2");
>
> ?>
> <p>
> <hr>
> <i>Mockup</i>
> <?
> Include("/home/well-rounded.com/html/games/e32k1/viewnews.php");
> ?>
> <hr>
>
> No submit, but an ID
> <form method=post><p>
> Enter the Info:<br>
> Password:
> <input type=text name="password" maxlength=5 length=5><br>
> <input type=hidden name="type" value="n">
> ID:
> <input type=text name="id" maxlength=15 value="<?
> echo $id;
> ?>">
> <br>
> FileDate:
> <input type=text name="filedate" maxlength=15 value="<?
> echo $filedate;
> ?>"><br>
> Top:
> <input type=text name="top" maxlength=200 value="<?
> echo $top;
> ?>"><br>
> Tease:
> <input type=text name="tease" maxlength=200 value="<?
> echo $tease;
> ?>"><br>
> Body:
> <TEXTAREA name="body" rows=10 cols=45 wrap=virtual><?
> echo $body;
> ?></TextArea><br>
> <input type=hidden name="submitcheck" value="1">
> <input type=checkbox name="ready">Ready for Prime Time?<br>
> <INPUT name="submit" type="submit" value="Post Your Story">
>
> <?
> } else {
> ?>
>
> No Nothing
> <form method=post><p>
> Enter the Info:<br>
> Password:
> <input type=text name="password" maxlength=5 length=5><br>
> <input type=hidden name="type" value="n">
> ID:
> <input type=text name="id" maxlength=15><br>
> FileDate:
> <input type=text name="filedate" maxlength=15 value=<?
> $today = getdate();
> $month = $today[month];
> $mday = $today[mday];
> $year = $today[year];
> echo "$month$mday$year";
> ?>><br>
> Top:
> <input type=text name="top" maxlength=200><br>
> Tease:
> <input type=text name="tease" maxlength=200><br>
> <input type=hidden name="submitcheck" value="1">
> Body:
> <TEXTAREA name="body" rows=10 cols=45 wrap=virtual></TextArea><br>
> <input type=checkbox name="ready">Ready for Prime Time?<br>
> <INPUT name="submit" type="submit" value="Post Your Story">
>
> <?
> }
> }
> ?>
>
>
>

> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]

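The failure Matt describes (a single quote in a form field breaking the query) comes from building the SQL text by interpolating the submitted values, so the quote in the data ends the string literal early; the same mechanism is what lets crafted input rewrite the statement. The following is an added example, not code from either poster, showing the string-built insert beside a version that uses PDO prepared statements so the values never become part of the SQL text. It assumes PDO with an in-memory SQLite database so it runs stand-alone (swap the DSN for your MySQL server); the table and column names are taken from the quoted script's update statement, with `flag2` assumed from the insert's value order.

```php
<?php
// Added example (not from the original thread). The quoted script interpolates
// form fields into SQL; a single quote in $top or $body ends the literal early
// and the statement fails. Keeping data out of the SQL text fixes that and
// removes the need for addslashes/stripslashes or DB-specific escaping.
// Assumptions: PDO + in-memory SQLite for a stand-alone run; table/column names
// follow the quoted script, with flag2 assumed from the insert's value order.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE e32k1_data (
    type TEXT, id TEXT PRIMARY KEY, filedate TEXT, top TEXT,
    tease TEXT, body TEXT, flag TEXT, flag2 TEXT)');

// Constructed sample submission containing the single quote that broke the script.
$input = [
    'type'     => 'n',
    'id'       => '42',
    'filedate' => 'May182001',
    'top'      => "Nintendo's GameCube shown",
    'tease'    => "Here's the tease",
    'body'     => "It's a long story.",
    'flag'     => '1',
    'flag2'    => '0',
];

// The string-built query from the quoted script, kept only to show the failure.
// Returns the database error message, or null if the insert succeeded.
function brokenInsert(PDO $pdo, array $in): ?string
{
    $sql = "insert into e32k1_data values('{$in['type']}', '{$in['id']}', '{$in['filedate']}', "
         . "'{$in['top']}', '{$in['tease']}', '{$in['body']}', '{$in['flag']}', '{$in['flag2']}')";
    try {
        $pdo->exec($sql);
        return null;
    } catch (PDOException $e) {
        // Syntax error: the quote in "Nintendo's" terminated the string literal.
        return $e->getMessage();
    }
}

// Hardened form: named placeholders carry the values; the driver never parses
// them as SQL, so quotes (or anything else) in the data are just data.
function upsertStory(PDO $pdo, array $in): void
{
    $exists = $pdo->prepare('SELECT COUNT(*) FROM e32k1_data WHERE id = :id');
    $exists->execute([':id' => $in['id']]);

    if ((int) $exists->fetchColumn() === 0) {
        $stmt = $pdo->prepare('INSERT INTO e32k1_data
            (type, id, filedate, top, tease, body, flag, flag2)
            VALUES (:type, :id, :filedate, :top, :tease, :body, :flag, :flag2)');
    } else {
        $stmt = $pdo->prepare('UPDATE e32k1_data
            SET type = :type, filedate = :filedate, top = :top, tease = :tease,
                body = :body, flag = :flag, flag2 = :flag2
            WHERE id = :id');
    }
    // Bind exactly the fields the statement names; extra form fields are ignored.
    $stmt->execute([
        ':type' => $in['type'], ':id' => $in['id'], ':filedate' => $in['filedate'],
        ':top' => $in['top'], ':tease' => $in['tease'], ':body' => $in['body'],
        ':flag' => $in['flag'], ':flag2' => $in['flag2'],
    ]);
}

echo "string-built query: " . (brokenInsert($pdo, $input) ?? 'ok') . "\n";

upsertStory($pdo, $input);                       // first call inserts
$input['body'] = "Updated: it's still fine.";
upsertStory($pdo, $input);                       // same id, so this updates

$stmt = $pdo->prepare('SELECT top, body FROM e32k1_data WHERE id = :id');
$stmt->execute([':id' => '42']);
var_dump($stmt->fetch(PDO::FETCH_ASSOC));        // the quotes survive intact
```

The first line of output is the driver's syntax error from the interpolated query; the `var_dump` afterwards shows the row stored with the apostrophes intact. Because the prepared statement sends the SQL and the values separately, the escaping question Yasuo raises (which characters addslashes must handle for which database) disappears: the driver is responsible for transport, and the application never has to reason about quoting rules.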
