Showing results for tags 'mysql_real_escape_string'.
-
Good morning, I am trying to implement a simple sanitization of data before inserting in my database and am having a little trouble due to the fact that I am using a third party script that is accessing posted variables in a way that is unfamiliar to me... here's the data. The problem area is red. The form simply hangs up when submitted. I have used this method in the past, but not with an object operator.

    // insert into database
    $servername = "localhost";
    $username = "psychtoo_richart";
    $password = "mypassword";
    $dbname = "mydatabase";
    $fname = mysql_real_escape_string($easyForm->field['fname']['value']);
    $lname = $easyForm->field['lname']['value'];
    $title = $easyForm->field['title']['value'];
    $agency = $easyForm->field['agency']['value'];
    $telephone = $easyForm->field['telephone']['value'];
    $interest = $easyForm->field['interest']['value'];
    $email = $easyForm->field['email']['value'];

    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);

    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    // sql statement
    $sql= "INSERT INTO registration (registration_date, fname, lname, title, agency, phone, interest, email)
    VALUES (NOW(), '$fname', '$lname', '$title', '$agency', '$telephone', '$interest2', '$email' )";
    $conn->query($sql);
    $conn->close();
-
I'm trying to pass a NULL to a stored procedure in a PHP script to MySQL, and I am scrubbing the variables using mysql_real_escape_string, but the NULLs that are passed are giving me problems. My script should look like this:

    call spMyStoredProc(1,2,NULL,'username');

but unfortunately I get:

    call spMyStoredProc(1,2,,'username');

I am wondering if I want to move away from using mysql_real_escape_string, and possibly write my own function? Anybody have any ideas?

thanks, Frank C
- 6 replies
- Tagged with: mysql_real_escape_string, null (and 3 more)
-
"What's new to the site?" shows up as "What\'s new to the site?". Why is this? How can I prevent this? How it is run through the site:

    $pagetitle = mysqli_real_escape_string ($mysqli, $pagetitle);
    $pagetitle = cleansafelynow($pagetitle);

I did google this problem and nothing seemed to help me. It shows up fine when not going through mysqli_real_escape_string. The function used:

    function cleansafelynow($var) {
        if (@get_magic_quotes_gpc()) {stripslashes($var);}
        strip_tags($var);
        htmlspecialchars($var, ENT_QUOTES);
        return $var;
    }

I also tried stripslashes() alone and not going through the if statement and it remains the same. Is there something I can do to remove all backslashes possibly? Or maybe a different way to accomplish this? magic_quotes_gpc, magic_quotes_runtime, and magic_quotes_sybase are all off.
- 3 replies
- Tagged with: backslash problem, striptags (and 2 more)
-
Hi, I am trying to insert data into MySQL. Input data is sometimes not very neat. For example "com – What". When I added addslashes, mysql_real_escape_string, I expected that these non-standard characters would be inserted as-is or with escape sequences. When I perform inserts, the data in the MySQL DB looks strange. For example, the above example (com – What) is transformed into "com – What". "didn’t stop" is not being escaped as "didn\nt stop". How do I make sure that data in the MySQL database is proper and as expected?
- 7 replies
- Tagged with: addslashes, mysql_real_escape_string (and 1 more)