garry Posted May 18, 2008

So I'm having some trouble getting everything to insert into the database. I have a form which is supposed to add an artist into the database. I'm just echoing the information at the moment before I figure out how to put it into the database properly and safely. Here's what I'm using:

```php
<?php
session_start();
require_once ("../config.php");
require_once ("../includes/includes.php");
?>
<div class="main">
<?php
db_connect();
add_header();
?>
<?php
if (isset($_POST['submitted'])) {
    // Check to see if the form has already been submitted
    $artist = mysql_real_escape_string($_POST['artist']);
    $description = $_POST['description'];
    $genre = $_POST['genre'];
    $user_id = $_SESSION['user_id'];
    // Placeholder query; the values are not filled in yet
    $query = "INSERT INTO artists SET id = '', genre_id = '', artist = '', description = '', created_at = NOW() ";
    echo $artist . "<br />" . $description . "<br />" . $genre . "<br />" . $user_id;
    unset($_POST);
} else {
?>
<heading>Add Artist</heading>
<!-- PHP_SELF is user-controlled, so it is HTML-escaped here -->
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST">
<table width="615" border="0">
  <tr>
    <td width="144" height="32"><div align="right">Artist Name:</div></td>
    <td width="461"><input type="text" name="artist" value="" size="37" maxlength="37"/></td>
  </tr>
  <tr>
    <td><div align="right">Artist Description: </div></td>
    <td><textarea name="description" rows="10" cols="32" ></textarea></td>
  </tr>
  <tr>
    <td><div align="right">Genre: </div></td>
    <td><select name="genre">
<?php
$query = "SELECT * FROM genres ";
$result = mysql_query($query);
while ($row = mysql_fetch_assoc($result)) {
    // <br /> is not valid inside a <select>, so only the <option> is echoed
    echo "<option>" . $row['genre'] . "</option>";
}
?>
    </select></td>
  </tr>
  <tr>
    <td height="33"><input name="submitted" type="hidden" value="1"></td>
    <td><input name="submit" type="submit" value="Submit" /></td>
  </tr>
</table>
</form>
<?php } ?>
<?php add_footer(); ?>
</div>
```

I'm not sure which functions I'm supposed to use when putting information into and extracting information from the database.

For example, do I only need mysql_real_escape_string when inserting into the database or others too? And also, do I need to filter the information I'm getting out of the database when I'm doing this to remove the "\" characters? Any help is much appreciated.

Link to comment https://forums.phpfreaks.com/topic/106116-solved-inserting-into-database/
Barand Posted May 18, 2008

If you do it correctly the "\" characters are not written to the database so no need to filter them out when retrieving data. Any item that comes from the user (POST, GET, COOKIE) should be subjected to sanitising before putting it in a query.
garry Posted May 18, 2008 (Author)

Thanks for your help. What steps should I take to sanitize the user input? As in, which functions should be used? And I thought that some things had to be converted into database-friendly characters? For example, the © character and such?
947740 Posted May 18, 2008

A few:

```php
$string = strip_tags($otherstring);              // remove HTML/PHP tags
$string = mysql_real_escape_string($otherstring); // escape for use in a MySQL query
$string = htmlentities($otherstring);            // encode for output as HTML
```
garry Posted May 18, 2008 (Author)

I tried the mysql real escape one and it comes out sort of weird.. :/ If I input this (with the quotation marks):

```
"it's that's"
```

I get returned this after mysql real escape:

```
\\\"it\\\'s that\\\'s\\\"
```

I think it might have something to do with magic_quotes being on. What should I do in this case? I'm almost certain that the actual server I'm putting this on later has magic_quotes off, so how can I accommodate for both? Thanks
947740 Posted May 18, 2008

You have to check whether or not magic_quotes is turned on on the server you are working on. That way, your script will work no matter what.
garry Posted May 18, 2008 (Author)

But if the server I'm on now has magic_quotes on and then I move to one with it off, then problems are caused, am I right? So how can I remedy this?
Barand Posted May 18, 2008

If you have "magic_quotes" ON the slashes are added for you. So your post data already contains something like "O\'Reilly". (This would be stored correctly as "O'Reilly")

If you now addslashes, you now have "O\\\'Reilly" which gets written to the db as "O\'Reilly".

So, before adding slashes with either addslashes or mysql_real_escape_string, check they haven't been added already by magic quotes.

```php
<?php
function clean($var)
{
    // If magic_quotes_gpc added backslashes, remove them first so they are not doubled
    $var = get_magic_quotes_gpc() ? stripslashes($var) : $var;
    // Now escape exactly once for the MySQL query
    $var = mysql_real_escape_string($var);
    return $var;
}

$var_name = clean($var_name);
```
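An added example, not code from the thread: garry's artist insert rewritten with PDO prepared statements, which keep the submitted values out of the SQL text entirely, so neither mysql_real_escape_string nor a per-query magic_quotes check is needed (the stripslashes step is still required on a magic_quotes server, otherwise the added backslashes would be stored as data). The DSN, the credentials, and the column names of the artists and genres tables are assumptions for illustration.

```php
<?php
// Added example (not from the thread). DSN, credentials and column names
// (artist, description, genre_id, user_id, created_at; genres.id/genre) are assumed.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=music;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares, data never hits the SQL text
]);

// Undo magic_quotes if the old server still adds backslashes. With prepared statements
// we add no escaping of our own, so any leftover "\" would otherwise be stored literally.
function raw_input(string $key): string
{
    $value = $_POST[$key] ?? '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

if (isset($_POST['submitted'])) {
    $artist      = raw_input('artist');
    $description = raw_input('description');
    $genreId     = (int) raw_input('genre');            // the <option value>, not its label
    $userId      = (int) ($_SESSION['user_id'] ?? 0);

    // Placeholders are bound separately from the SQL, so quotes, backslashes and
    // characters such as © are sent and stored exactly as typed, with no slashes.
    $stmt = $pdo->prepare(
        'INSERT INTO artists (artist, description, genre_id, user_id, created_at)
         VALUES (:artist, :description, :genre_id, :user_id, NOW())'
    );
    $stmt->execute([
        ':artist'      => $artist,
        ':description' => $description,
        ':genre_id'    => $genreId,
        ':user_id'     => $userId,
    ]);

    // Escaping belongs to the output context: HTML-encode only when echoing to the browser.
    echo htmlspecialchars($artist, ENT_QUOTES, 'UTF-8') . ' added.';
} else {
    // Genre dropdown: the value carries the id; the label is HTML-encoded on output.
    foreach ($pdo->query('SELECT id, genre FROM genres ORDER BY genre') as $row) {
        printf('<option value="%d">%s</option>',
               $row['id'], htmlspecialchars($row['genre'], ENT_QUOTES, 'UTF-8'));
    }
}
```

Nothing read back from the database needs a slash filter: because the query text never contained the values, the rows hold the original characters and only need encoding for whatever context (HTML, JSON) they are displayed in.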
garry Posted May 18, 2008 (Author)

Thanks Barand! That seems to work pretty well. I was just wondering if you could explain to me exactly how you did that so I know for the future. I don't really understand the `$var = get_magic_quotes_gpc() ? stripslashes($var) : $var;` bit of it. And also, which other functions do you suggest I apply to the user input to clean it, and would I just put them in the same `$var =` format underneath the others? Thanks again.
Barand Posted May 18, 2008

```php
$var = get_magic_quotes_gpc() ? stripslashes($var) : $var;
```

is equivalent to

```php
<?php
if (get_magic_quotes_gpc())   // if magic quotes is ON
    $var = stripslashes($var); // remove slashes already added so we don't double them later
else
    $var = $var;               // otherwise use $var as it is
```
garry Posted May 18, 2008 (Author)

Okay, thanks for your help! I'm glad I have people here to help me on my way to learning PHP.