RSprinkel

Characters being entered in DB

Hi all and new here.

I have a few questions pertaining to PHP as I am somewhat of a newb and I am not sure how to handle these questions the proper way. However, I will make them separate posts if that's allowed.

I have a problem. I have an application form on my site, that has to be approved by me via an admin form. When a member uses the characters such as ", -, ', etc and I try to approve the application I get an error basically telling me these aren't allowed to be processed and placed into the proper database. I have to manually go into the temp database and remove these characters before I can process the app.

Any help on this issue is GREATLY Appreciated.


RSprinkel

Sorry I should have put the code that I have:

// Enter info into the Database.
$info2 = htmlspecialchars($info);

Well I tried and got the same error. Here is the error received:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Night BR', '17-18', 'no...but can get one', 'DjFan828 and weighfish had just t' at line 2"

Here is the troubled data:

Lowe's Night BR
17-18
no...but can get one


Thanks for your help


I think it'd help if you posted your code, or at least the query itself.
Like, instead of querying, just echo it.

Not sure what you mean by echo the code

Code/Query is here

// Enter info into complaint.
//$history2 = htmlspecialchars($history); - WAS BEFORE
$info2 = htmlentities($info, ENT_QUOTES);
$sql = mysql_query("INSERT INTO complaint (username, date, s_driver, r_driver, sim_mod, track, lap, replay, comments)
VALUES('$username', '$date', '$s_driver', '$r_driver', '$sim_mod', '$track', '$lap', '$replay', '$comments')" ) or die (mysql_error());

If there are no ' - " symbols it is fine; it will go through the process. However, if someone puts those symbols in, it will give me that error.

OK, the error is caused by the single quote. htmlentities with ENT_QUOTES on should handle that, but you aren't actually applying the function to the variables.

Like: $info2 = htmlentities($info, ENT_QUOTES). What is this for? I can't see where you are using $info2.

You can also use mysql_escape_string()
http://www.php.net/mysql_escape_string

Ok, had the wrong script, sorry. Here is the correct code that I just modified: I added a line for each input box that may have these codes entered in.

// Enter info into complaint.
$username2 = htmlentities($username, ENT_QUOTES);
$date2 = htmlentities($date, ENT_QUOTES);
$s_driver2 = htmlentities($s_driver, ENT_QUOTES);
$r_driver2 = htmlentities($r_driver, ENT_QUOTES);
$track2 = htmlentities($track, ENT_QUOTES);
$lap2 = htmlentities($lap, ENT_QUOTES);
$replay2 = htmlentities($replay, ENT_QUOTES);
$comments2 = htmlentities($comments, ENT_QUOTES);
$sql = mysql_query("INSERT INTO complaint (username, date, s_driver, r_driver, sim_mod, track, lap, replay, comments)
VALUES('$username', '$date', '$s_driver', '$r_driver', '$sim_mod', '$track', '$lap', '$replay', '$comments')" ) or die (mysql_error());

Instead of using htmlentities(), use the mysql_real_escape_string() function.

[code]<?php
// Escape every value that is interpolated into the query string below.
$username = mysql_real_escape_string($username);
$date = mysql_real_escape_string($date);
$s_driver = mysql_real_escape_string($s_driver);
$r_driver = mysql_real_escape_string($r_driver);
$sim_mod = mysql_real_escape_string($sim_mod); // also used in the query, so escape it too
$track = mysql_real_escape_string($track);
$lap = mysql_real_escape_string($lap);
$replay = mysql_real_escape_string($replay);
$comments = mysql_real_escape_string($comments);
// Build and run the INSERT with the escaped values; stop and show the MySQL error on failure.
$sql = mysql_query("INSERT INTO complaint (username, date, s_driver, r_driver, sim_mod, track, lap, replay, comments)
VALUES('$username', '$date', '$s_driver', '$r_driver', '$sim_mod', '$track', '$lap', '$replay', '$comments')" ) or die (mysql_error());
?>[/code]

Ken
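
An added example, not code from any poster in this thread: the same INSERT written with PDO bound parameters, which keeps SQL handling and HTML encoding as two separate steps (htmlentities() belongs at output time, not in front of a query). It assumes PDO with the pdo_sqlite driver and uses an in-memory SQLite table in place of the thread's MySQL one; the row values are constructed around the troubled data quoted earlier. The mysql_* functions used in the thread were removed in PHP 7.0.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL database
// (assumption: the pdo_sqlite extension is loaded).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE complaint (
    username TEXT, date TEXT, s_driver TEXT, r_driver TEXT, sim_mod TEXT,
    track TEXT, lap TEXT, replay TEXT, comments TEXT)');

// Constructed sample row built around the "troubled data" from the thread.
// Key order matches the column order so the round trip can be compared.
$row = [
    'username' => 'member1',
    'date'     => '2006-05-27',
    's_driver' => 'driver "A"',
    'r_driver' => "O'Brien",
    'sim_mod'  => 'mod-1',
    'track'    => "Lowe's Night BR",
    'lap'      => '17-18',
    'replay'   => 'no...but can get one',
    'comments' => "it wasn't <b>my</b> fault",
];

// Placeholders keep the SQL text fixed; the values travel separately, so
// quotes in them are stored as data and never parsed as part of the statement.
$stmt = $pdo->prepare('INSERT INTO complaint
    (username, date, s_driver, r_driver, sim_mod, track, lap, replay, comments)
    VALUES (:username, :date, :s_driver, :r_driver, :sim_mod, :track, :lap,
            :replay, :comments)');
$stmt->execute($row);

// The database holds the raw text, exactly as the member typed it.
$stored = $pdo->query('SELECT * FROM complaint')->fetch(PDO::FETCH_ASSOC);
echo 'round trip unchanged: ', var_export($stored === $row, true), "\n";

// HTML-encode only when a value is written into a page, e.g. the admin form.
foreach (['track', 'comments'] as $field) {
    echo $field, ': ',
        htmlspecialchars($stored[$field], ENT_QUOTES, 'UTF-8'), "\n";
}
```
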

Ok I got it to work

I had an additional ?> at the end of the sql insert stuff and then another one at the end of the script.

THANKS ALL For the HELP. VERY MUCH APPRECIATED

I will be back with more questions soon ;)
