Characters being entered in DB

[RSprinkel]

Hi all and new here.

I have a few questions pertaining to PHP as I am a somewhat of a Newb and I am not sure to handle these questions the proper way. However. I will make them seperate posts if thats allowed.

I have a problem. I have an application form on my site, that has to be approved by me via an admin form. When a member uses the characters such as ", -, ', etc and I try to approve the application I get an error basically telling me these aren't allowed to be processed and placed into the proper database. I have to manually go into the temp database and remove these characters before I can process the app.

Any help on this issue is GREATLY Appreciated.


RSprinkel

Sorry I should have put the code that I have:

// Enter info into the Database.
$info2 = htmlspecialchars($info);

[Ferenc]

Try:
$info2 = htmlentities($info, ENT_QUOTES);

[RSprinkel]

Well I tried and got the same error. Here is the error received:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Night BR', '17-18', 'no...but can get one', 'DjFan828 and weighfish had just t' at line 2"

Here is the troubled data:

Lowe's Night BR
17-18
no...but can get one


Thanks for your help

[poirot]

I think it'd help if you posted your code, or at least the query itself.
Like, instead of querying, just echo it.

[RSprinkel]

Not sure what you mean by echo the code

Code/Query is here

// Enter info into complaint.
//$history2 = htmlspecialchars($history); - WAS BEFORE
$info2 = htmlentities($info, ENT_QUOTES);
$sql = mysql_query("INSERT INTO complaint (username, date, s_driver, r_driver, sim_mod, track, lap, replay, comments)
VALUES('$username', '$date', '$s_driver', '$r_driver', '$sim_mod', '$track', '$lap', '$replay', '$comments')" ) or die (mysql_error());

If there is no ' - " symbols it is fine it will go through the process. However if some puts those symbols in it will give me that error.

[poirot]

OK, the error is caused by the single quote. htmlentities with ENT_QUOTES on should handle that, but you aren't actually applying the function to the variables.

Like: $info2 = htmlentities($info, ENT_QUOTES). What is this for? I can't see where you are using $info2.

You can also use mysql_escape_string()
[a href=\"http://www.php.net/mysql_escape_string\" target=\"_blank\"]http://www.php.net/mysql_escape_string[/a]

[RSprinkel]

[!--quoteo(post=377743:date=May 27 2006, 11:25 PM:name=poirot)--][div class=\'quotetop\']QUOTE(poirot @ May 27 2006, 11:25 PM) [snapback]377743[/snapback][/div][div class=\'quotemain\'][!--quotec--]
OK, the error is caused by the single quote. htmlentities with ENT_QUOTES on should handle that, but you aren't actually applying the function to the variables.

Like: $info2 = htmlentities($info, ENT_QUOTES). What is this for? I can't see where you are using $info2.

You can also use mysql_escape_string()
[a href=\"http://www.php.net/mysql_escape_string\" target=\"_blank\"]http://www.php.net/mysql_escape_string[/a]
[/quote]


Ok had wrong script, sorry here is the correct code that I jsut modified: I added a line for each input box that may have these codes entered in.

// Enter info into complaint.
$username2 = htmlentities($username, ENT_QUOTES);
$date2 = htmlentities($date, ENT_QUOTES);
$s_driver2 = htmlentities($s_driver, ENT_QUOTES);
$r_driver2 = htmlentities($r_driver, ENT_QUOTES);
$track2 = htmlentities($track, ENT_QUOTES);
$lap2 = htmlentities($lap, ENT_QUOTES);
$replay2 = htmlentities($replay, ENT_QUOTES);
$comments2 = htmlentities($comments, ENT_QUOTES);
$sql = mysql_query("INSERT INTO complaint (username, date, s_driver, r_driver, sim_mod, track, lap, replay, comments)
VALUES('$username', '$date', '$s_driver', '$r_driver', '$sim_mod', '$track', '$lap', '$replay', '$comments')" ) or die (mysql_error());

[kenrbnsn]

Instead of using htmlentities(), use the mysql_real_escape_string() function.

[code]<?php
$username = mysql_real_escape_string($username,);
$date = mysql_real_escape_string($date);
$s_driver = mysql_real_escape_string($s_driver);
$r_driver = mysql_real_escape_string($r_driver);
$track = mysql_real_escape_string($track);
$lap = mysql_real_escape_string($lap);
$replay = mysql_real_escape_string($replay);
$comments = mysql_real_escape_string($comments);
$sql = mysql_query("INSERT INTO complaint (username, date, s_driver, r_driver, sim_mod, track, lap, replay, comments)
VALUES('$username', '$date', '$s_driver', '$r_driver', '$sim_mod', '$track', '$lap', '$replay', '$comments')" ) or die (mysql_error());
?>[/code]

Ken

[RSprinkel]

Ok I got it to work

I had an additional ?> at the end of the sql insert stuff and then another one at the end of the script.

THANKS ALL For the HELP. VERY MUCH APPRECIATED

I will be back with more questions soon [img src=\"style_emoticons/[#EMO_DIR#]/wink.gif\" style=\"vertical-align:middle\" emoid=\":wink:\" border=\"0\" alt=\"wink.gif\" /]