[PHP-DB] Re: addslashes replacement?

2004-06-30 Thread Kim Steinhaug
Take a look at the php website on the function addslashes.
You will find an example with the functions reslash and reslash.
You might have some problems regarding magic_quotes.
I've been using the reslash and deslash for some time now without
any problems.

It might solve your problems.

--
Kim Steinhaug
-
There are 10 types of people when it comes to binary numbers:
those who understand them, and those who don't.
-
www.steinhaug.com - www.easywebshop.no - www.easycms.no www.webkitpro.com
-


Ed Lazor [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I'm using php addslashes to store data into MySQL and php stripslashes when
 pulling it back out, but I'm running into trouble when people enter HTML
 code.  Do you have any recommendations?

 Here's an example of what I'm talking about:

 <input name="Title" value="<?php echo stripslashes($Entry["Title"]);?>">

 An error occurs if the entry has a value of:

 this is a <font color=red><b>test</b></font>.  Are we having FUN yet?

 Any ideas or recommendations?

 Thanks,

 -Ed

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP-DB] Re: addslashes replacement?

2004-06-30 Thread Ed Lazor
Thanks everyone.  I ended up using a combination of the htmlspecialchars and
the stripslashes commands.  The htmlspecialchars function has an example
about halfway down that I ended up using.

Thanks =)






Re: [PHP-DB] Re: Addslashes

2003-12-04 Thread Ng Hwee Hwee
hi,

thanx! my magic_quotes_runtime is set to off.

actually, i managed to do a double stripslashes to my form fields eg.
stripslashes(stripslashes($field1)).. this worked well but still if the
input box is a textbox and i have a value that has a double quote ( " ) as
part of it, anything after the double quote gets cut off.. i looked at the
php.net site and tried things like htmlspecialchars and urlendecode but all
to no avail.

will appreciate advice! thanx thanx..

hwee


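Added example (not part of the thread): the cut-off after a double quote described in the message above, and the HTML trouble in Ed Lazor's Title field, both arise at the same step, where a value is written into value="..." without being encoded for HTML. The PHP below puts the unencoded form beside one encoded with htmlspecialchars() and parses each to show what ends up in the field; the function names and the sample title are constructed for illustration, and the DOM extension is assumed.

```php
<?php
// Added example, not code from the thread. Requires the DOM extension.

// Pattern from the quoted forms: the value is echoed into the attribute
// unencoded, so a double quote inside it closes value="..." early.
function input_unencoded(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Encode for the HTML attribute context at output time. ENT_QUOTES
// converts both " and ', so the value cannot end the attribute.
function input_encoded(string $name, string $value): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $enc($name)
         . '" value="' . $enc($value) . '">';
}

// Parse the markup with an HTML parser and return the value that would
// be shown in the field.
function field_value(string $html): string
{
    $previous = libxml_use_internal_errors(true); // stray attributes are expected
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body><form>' . $html
        . '</form></body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

// Constructed value modelled on the two messages: markup plus a double quote.
$title = 'this is a <font color=red><b>test</b></font>. Having "FUN" yet?';

var_dump(field_value(input_unencoded('Title', $title)));
var_dump(field_value(input_encoded('Title', $title)) === $title);
```

The encoding belongs at output only: the stored value stays raw, and no stripslashes() call is needed to display it.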



[PHP-DB] Re: Addslashes

2003-12-03 Thread Justin Patrin
It's the magic quotes setting. Try setting magic_quotes_gpc to off. Also,
try turning magic_quotes_runtime off.

Ng Hwee Hwee wrote:

hi all,

i'm really baffled by what i got and would appreciate any help possible! although i addslashes and stripslashes, i still get a backslash ( \ ) character in front of a single inverted comma ( ' ) and also whenever an ampersand ( & ) appears... please help! thanx thanx..

for example:

in my form (form.php), i have something like that:

<input type="text" name="field1" value="<? if ($form["field1"]) echo stripslashes($form["field1"]); ?>">

upon submitting the form, the verification file (verify.php) will be executed, and it has lines like that:

<?
  session_register("form");
  foreach($_POST as $varname => $value)
   $form[$varname] = addslashes(trim(EscapeShellCmd($value)));
?>

... and then i'll check for the validity of field1. if there is an error, the user will be redirected back to form.php with the value that the user entered echoed with a stripslash.

if there is no error, the whole script runs well, but if the user has to be brought back to form.php, it'll print backslashes in front of characters like (   )  '   etc..

also, instead of having a blank text field, i have a text field with contents retrieved from the database.. the database data does not have the slashes and when the first time they appear on the screen, there are no slashes attached too.. the problem is always when the user has an error and needs to be brought back to form.php that the slashes appear and the number of slashes doubles every time the user has to be brought back to form.php.

i have my magic_quotes_gpc set to ON in my phpinfo() and my version of php is 4.1.2.

thank you soo soo much!!

look forward to your replies.

hwee


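Added example (not part of the thread): a simulation of the round trip described in the message above, with magic_quotes_gpc reproduced by a helper because current PHP no longer has the setting. It counts the backslashes left in the field after each resubmission and prints what escapeshellcmd() alone does to the input, which is where the backslashes before & and ( ) come from; the function names and the sample input are constructed, and a Unix-like PHP build is assumed.

```php
<?php
// Added example, not code from the thread. Assumes a Unix-like PHP build:
// on Windows escapeshellcmd() escapes with "^" instead of "\".

// magic_quotes_gpc is gone from current PHP; this reproduces what it did
// to every incoming $_POST value when it was On.
function simulate_magic_quotes_gpc(string $raw): string
{
    return addslashes($raw);
}

// The filter chain from the quoted verify.php.
function verify_php_filter(string $posted): string
{
    return addslashes(trim(escapeshellcmd($posted)));
}

// What the quoted form.php echoes back after a failed validation.
function form_php_redisplay(string $stored): string
{
    return stripslashes($stored);
}

// Resubmit the redisplayed value $rounds times and record how many
// backslashes the user sees after each round.
function backslashes_per_round(string $typed, int $rounds): array
{
    $counts = [];
    for ($value = $typed, $i = 0; $i < $rounds; $i++) {
        $posted = simulate_magic_quotes_gpc($value);
        $value = form_php_redisplay(verify_php_filter($posted));
        $counts[] = substr_count($value, '\\');
    }
    return $counts;
}

// Alternative: undo magic quotes once (only if the setting is on), keep
// the raw value, and escape at the point of use instead.
function raw_value(string $posted, bool $magicQuotesOn): string
{
    return trim($magicQuotesOn ? stripslashes($posted) : $posted);
}

$typed = "Tom & Jerry's (draft)"; // constructed sample input
echo escapeshellcmd($typed), "\n";
print_r(backslashes_per_round($typed, 3));
var_dump(raw_value(simulate_magic_quotes_gpc($typed), true) === $typed);
```

Three escaping layers go in on each submission and one stripslashes() comes off, so the count rises on every round; escapeshellcmd() is meant for building shell command lines and has no role in form or database handling.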


RE: [PHP-DB] Re: Addslashes in SQL Statement - SOLVED

2002-08-03 Thread Rich Hutchins

Just a quick post to say that I resolved this issue. Thanks, JJ, for taking
the time to reply. Turns out it WAS just something stupid like I thought. A
bad HREF pointing to an old version of the page without the addslashes()
stuff implemented.

Rich




[PHP-DB] Re: Addslashes in SQL Statement

2002-08-02 Thread JJ Harrison

I would say that having two slashes causes the first slash to be ignored.

try only doing addslashes() once.

also make a variable for your query then use something like this to do it:

$result = mysql_query($query) or die("Query failed: $query<br>" .
mysql_error());

If the query fails mySQL will tell you where your error is.


--
JJ Harrison
[EMAIL PROTECTED]
www.tececo.com


Rich Hutchins [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 I have been wrestling with this off and on for the past couple days and
 would really appreciate some help.

 I have a Guest Book page that collects name, address, e-mail, etc. in a
 form. I won't post the form code because it's just HTML and it works fine.
 Basically, the page does one of two things:

 1) Adds a new guest to the db.

 OR

 2) Updates the information for a guest record (passed in from another page).

 I ran into problems with entering apostrophes for names like O'Reilly.
 Naturally, I used addslashes(). However, adding addslashes() to the UPDATE
 SQL statement that gets executed in condition 2 above works flawlessly both
 to and from the db while addslashes() in the INSERT SQL statement that gets
 executed in condition 2 above continues to bomb out.

 Incidentally, if I attempt to add a new guest to the db without any special
 characters, the process works just fine. So I know the error is related to
 those special characters.

 Here is the relevant SQL code:

 This statement works flawlessly.

 $sql = "UPDATE contactInfo SET
 firstnames='".addslashes($_POST["firstnames"])."',
 lastname='".addslashes($_POST["lastname"])."',
 street1='".addslashes($_POST["street1"])."',
 street2='".addslashes($_POST["street2"])."',
 city='".addslashes($_POST["city"])."',
 state='".addslashes($_POST["state"])."',
 zip='".addslashes($_POST["zip"])."',
 emailaddress='".addslashes($_POST["eMailAddress"])."',
 screenname='".addslashes($_POST["screenName"])."' WHERE
 personID='".$_POST["thisPersonID"]."'";

 This statement bombs.

 $sql = "INSERT INTO contactinfo (personID, firstnames, lastname, street1,
 street2, city, state, zip, emailaddress, screenname) VALUES (NULL,
 '".addslashes($_POST["firstnames"])."',
 '".addslashes($_POST["lastname"])."', '".addslashes($_POST["street1"])."',
 '".addslashes($_POST["street2"])."', '".addslashes($_POST["city"])."',
 '".addslashes($_POST["state"])."', '".addslashes($_POST["zip"])."',
 '".addslashes($_POST["eMailAddress"])."',
 '".addslashes($_POST["screenName"])."')";

 If I type in the last name O'Grady and the first name Gail, the error I
 receive when the statement bombs is fairly standard and reads:

 You have an error in your SQL syntax near 'Grady', '', '', '', '', '', '',
 '')' at line 1.

 And, finally, here's how I'm posting the form data:
 <form name="eMailEdit" method="post" action="<?=$PHP_SELF?>">

 Anybody have any ideas?

 Thanks,
 Rich





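Added example (not part of the thread): the INSERT and UPDATE from the quoted question written as prepared statements, so apostrophes in names such as O'Grady need no addslashes() and thisPersonID is validated as an integer instead of being concatenated into the query. It uses PDO with an in-memory SQLite database so it runs without a server (an assumption; the thread uses MySQL), and the function names and form data are constructed.

```php
<?php
// Added example, not code from the thread. PDO with in-memory SQLite is
// an assumption so it runs offline; the thread's database is MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contactinfo (personID INTEGER PRIMARY KEY,
    firstnames TEXT, lastname TEXT, street1 TEXT, street2 TEXT, city TEXT,
    state TEXT, zip TEXT, emailaddress TEXT, screenname TEXT)');

// Column => form field, as in the quoted statements. Column names come
// only from this fixed list, never from the request.
const FIELDS = ['firstnames' => 'firstnames', 'lastname' => 'lastname',
    'street1' => 'street1', 'street2' => 'street2', 'city' => 'city',
    'state' => 'state', 'zip' => 'zip',
    'emailaddress' => 'eMailAddress', 'screenname' => 'screenName'];

function bound_values(array $post): array
{
    $params = [];
    foreach (FIELDS as $column => $field) {
        $params[":$column"] = trim((string) ($post[$field] ?? ''));
    }
    return $params;
}

function add_guest(PDO $db, array $post): int
{
    $cols = array_keys(FIELDS);
    $stmt = $db->prepare('INSERT INTO contactinfo (' . implode(', ', $cols)
        . ') VALUES (:' . implode(', :', $cols) . ')');
    $stmt->execute(bound_values($post));
    return (int) $db->lastInsertId();
}

function update_guest(PDO $db, array $post): bool
{
    $id = filter_var($post['thisPersonID'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false; // not an integer: refuse rather than interpolate
    }
    $set = implode(', ', array_map(fn($c) => "$c = :$c", array_keys(FIELDS)));
    $stmt = $db->prepare("UPDATE contactinfo SET $set WHERE personID = :id");
    $stmt->execute(bound_values($post) + [':id' => $id]);
    return $stmt->rowCount() === 1;
}
$guest = ['firstnames' => 'Gail', 'lastname' => "O'Grady"]; // constructed form data
$id = add_guest($db, $guest);
var_dump(update_guest($db, ['thisPersonID' => "$id", 'city' => 'Dublin'] + $guest));
var_dump(update_guest($db, ['thisPersonID' => '12abc'] + $guest)); // constructed bad id
echo $db->query('SELECT lastname FROM contactinfo')->fetchColumn(), "\n";
```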




[PHP-DB] Re: Addslashes in SQL Statement

2002-08-02 Thread JJ Harrison

I may be wrong about the addslashes thing. Just trying to help :)

I would echo all of the post data. It appears as if very little was sent.
Check your form field names etc...



--
JJ Harrison
[EMAIL PROTECTED]
www.tececo.com

