RSprinkel Posted May 28, 2006

Hi all and new here.

I have a few questions pertaining to PHP as I am somewhat of a Newb and I am not sure how to handle these questions the proper way. However, I will make them separate posts if that's allowed.

I have a problem. I have an application form on my site, that has to be approved by me via an admin form. When a member uses the characters such as ", -, ', etc and I try to approve the application I get an error basically telling me these aren't allowed to be processed and placed into the proper database. I have to manually go into the temp database and remove these characters before I can process the app.

Any help on this issue is GREATLY Appreciated.

RSprinkel

Sorry I should have put the code that I have:

[code]
// Enter info into the Database.
$info2 = htmlspecialchars($info);
[/code]

Ferenc Posted May 28, 2006

Try:

[code]
$info2 = htmlentities($info, ENT_QUOTES);
[/code]

RSprinkel Posted May 28, 2006

Well I tried and got the same error. Here is the error received:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Night BR', '17-18', 'no...but can get one', 'DjFan828 and weighfish had just t' at line 2"

Here is the troubled data:

Lowe's Night BR
17-18
no...but can get one

Thanks for your help

poirot Posted May 28, 2006

I think it'd help if you posted your code, or at least the query itself.

Like, instead of querying, just echo it.

RSprinkel Posted May 28, 2006

Not sure what you mean by echo the code.

Code/Query is here:

[code]
// Enter info into complaint.
//$history2 = htmlspecialchars($history); - WAS BEFORE
$info2 = htmlentities($info, ENT_QUOTES);
$sql = mysql_query("INSERT INTO complaint (username, date, s_driver, r_driver, sim_mod, track, lap, replay, comments) VALUES('$username', '$date', '$s_driver', '$r_driver', '$sim_mod', '$track', '$lap', '$replay', '$comments')" ) or die (mysql_error());
[/code]

If there are no ' - " symbols it is fine, it will go through the process. However, if someone puts those symbols in it will give me that error.

poirot Posted May 28, 2006

OK, the error is caused by the single quote. htmlentities with ENT_QUOTES on should handle that, but you aren't actually applying the function to the variables.

Like: $info2 = htmlentities($info, ENT_QUOTES). What is this for? I can't see where you are using $info2.

You can also use mysql_escape_string()
http://www.php.net/mysql_escape_string

RSprinkel Posted May 28, 2006

[quote]
QUOTE(poirot @ May 27 2006, 11:25 PM)

OK, the error is caused by the single quote. htmlentities with ENT_QUOTES on should handle that, but you aren't actually applying the function to the variables.

Like: $info2 = htmlentities($info, ENT_QUOTES). What is this for? I can't see where you are using $info2.

You can also use mysql_escape_string()
http://www.php.net/mysql_escape_string
[/quote]

Ok had wrong script, sorry. Here is the correct code that I just modified: I added a line for each input box that may have these codes entered in.

[code]
// Enter info into complaint.
$username2 = htmlentities($username, ENT_QUOTES);
$date2 = htmlentities($date, ENT_QUOTES);
$s_driver2 = htmlentities($s_driver, ENT_QUOTES);
$r_driver2 = htmlentities($r_driver, ENT_QUOTES);
$track2 = htmlentities($track, ENT_QUOTES);
$lap2 = htmlentities($lap, ENT_QUOTES);
$replay2 = htmlentities($replay, ENT_QUOTES);
$comments2 = htmlentities($comments, ENT_QUOTES);
$sql = mysql_query("INSERT INTO complaint (username, date, s_driver, r_driver, sim_mod, track, lap, replay, comments) VALUES('$username', '$date', '$s_driver', '$r_driver', '$sim_mod', '$track', '$lap', '$replay', '$comments')" ) or die (mysql_error());
[/code]

kenrbnsn Posted May 28, 2006

Instead of using htmlentities(), use the mysql_real_escape_string() function.

[code]
<?php
// Escape each value for use inside a quoted SQL string (needs an open MySQL connection).
$username = mysql_real_escape_string($username);
$date = mysql_real_escape_string($date);
$s_driver = mysql_real_escape_string($s_driver);
$r_driver = mysql_real_escape_string($r_driver);
// $sim_mod is interpolated into the same query, so it is escaped as well.
$sim_mod = mysql_real_escape_string($sim_mod);
$track = mysql_real_escape_string($track);
$lap = mysql_real_escape_string($lap);
$replay = mysql_real_escape_string($replay);
$comments = mysql_real_escape_string($comments);
$sql = mysql_query("INSERT INTO complaint (username, date, s_driver, r_driver, sim_mod, track, lap, replay, comments)
VALUES('$username', '$date', '$s_driver', '$r_driver', '$sim_mod', '$track', '$lap', '$replay', '$comments')" ) or die (mysql_error());
?>
[/code]

Ken
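
The thread turns on two different encodings: quoting for the SQL statement and HTML encoding for display. The following is an added example, not code from any poster in this thread, that stores the same kind of input through a bound-parameter query and HTML-encodes it only at output. It assumes PDO with an in-memory SQLite database so that it runs offline, and a cut-down complaint table holding three of the thread's columns.

```php
<?php
// Added example, not code from the thread. Assumes the PDO SQLite driver so it
// runs offline; the complaint table is cut down to three of the thread's columns.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE complaint (username TEXT, track TEXT, comments TEXT)');

// Constructed sample input modelled on the data that broke the original query.
$rows = [
    ['DjFan828', "Lowe's Night BR", 'no...but can get one'],
    ['weighfish', '17-18', 'He said "move over" - <b>twice</b>'],
];

// Placeholders keep the data out of the SQL text, so quotes need no escaping.
$insert = $pdo->prepare(
    'INSERT INTO complaint (username, track, comments)
     VALUES (:username, :track, :comments)'
);
foreach ($rows as [$username, $track, $comments]) {
    $insert->execute([
        ':username' => $username,
        ':track'    => $track,
        ':comments' => $comments,
    ]);
}

// Values are stored unchanged; HTML encoding is applied only when rendering.
$select = $pdo->query('SELECT username, track, comments FROM complaint');
foreach ($select as $row) {
    printf(
        "<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n",
        htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['track'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['comments'], ENT_QUOTES, 'UTF-8')
    );
}

// Both rows are stored, quotes included.
echo $pdo->query('SELECT COUNT(*) FROM complaint')->fetchColumn(), " rows stored\n";
```

The mysql_* functions used in the thread were removed in PHP 7.0; the same bound-parameter pattern works against MySQL by changing only the PDO connection string.
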

RSprinkel Posted May 28, 2006

Ok I got it to work.

I had an additional ?> at the end of the sql insert stuff and then another one at the end of the script.

THANKS ALL For the HELP. VERY MUCH APPRECIATED

I will be back with more questions soon ;)