[SOLVED] just a quicky on addslashes

[bladechob]

Having had a rather nasty experience with magic quotes, I need to do some serious slashing (hallow'een and all) no problem with

`clientnotes` = '$notes2', to `clientnotes` = '".addslashes($notes2)."'

but what's the convention for applying it to say:

value="<? echo $hotel_add2?>"

- thanks

[The Little Guy]

Like this?

 

value="<?php echo addslashes($hotel_add2); ?>"

[bladechob]

Tried that one little guy and it didn't work - well didn't write to the database in any case - I must be missing some code voodoo somewhere

[runnerjp]

 

its basicly addslashes($data)

 

you should look here http://uk.php.net/addslashes

[bladechob]

Thanks but I've tried the basics and they don't work for me on a new server that is not running magic quotes

[kenrbnsn]

Magic quotes has nothing to do with the addslashes() function. But you shouldn't be using addslashes(), you should be using myslq_real_escape_string(), since it will escape more than just the single quote.

 

Ken

[The Little Guy]

why not do this:

 

$query = sprintf("INSERT INTO tableName (`clientnotes`, `clientnotes`) VALUES ('%s','%s')", mysql_real_escape_string($_POST['notes2']), mysql_real_escape_string($_POST['notes2'])); 
mysql_query($query);

%s is a type specifier for string

here are more type specifiers: http://us2.php.net/sprintf

[bladechob]

Thanks Ken - I thought magic quotes was there to auto handle quotes and stuff - anyway tried the sql bit and that hasn't worked either...

[kenrbnsn]

Can we see all of your code?

 

Ken

[bladechob]

Not a pretty site (sight) but here you go with what I've inherited:

<? session_start(); ?>
<html>
<!-- Creation date: 14/08/2003 -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
<meta name="description" content="">
<meta name="keywords" content="">
<meta name="author" content="Lathyrus Ltd">
<meta name="generator" content="AceHTML 5 Pro">
<link rel="StyleSheet" type="text/css" href="style.css">
</head>
<body  leftmargin="0" marginwidth="0" topmargin="0" marginheight="0">
<?
require_once("cfg.php");
require_once($CFG->include_dir . "/config.php");
require_once($CFG->include_dir . "/weblib.php");
require_once($CFG->include_dir . "/dblib.php");
if (isset ($hotelname)){
$postcode=strtoupper($postcode);

dbconnect(); 
$query = "UPDATE `venue_main` SET `name` = '$hotelname',
`groupname` = '$hotelgroup',
`address1` = '$addline1',
`address2` = '$addline2',
`address3` = '$addline3',
`town` = '$town',
`county` = '$county',
`postcode` = '$postcode',
`country` = '$countrynew',
`tel_main` = '$telmain',
`tel_res` = '$telres',
`tel_conf` = '$telcon',
`fax_main` = '$faxmain',
`fax_res` = '$faxres',
`fax_conf` = '$faxcon',
`email_main` = '$emailmain',
`email_res` = '$emailres',
`website` = '$website',
`preferred`='$preferred', 
`blacklisted`='$blacklist',
`noncomm`='$noncomm', 
`email_conf` = '$emailcon' WHERE `hotelid` = '$hotelid'  ";
//echo $query;
$result=mysql_query($query,$conn);
}

dbconnect(); 
$query = "select * from venue_main where hotelid='$hotelid' ";
$result=mysql_query($query,$conn);
$resultsnumber= mysql_num_rows($result);
if ($resultsnumber!='0'){
while ($r= mysql_fetch_array($result)) {
$hotel_name=$r["name"];
$hotel_group=$r["groupname"];
$hotel_add1=$r["address1"];
$hotel_add2=$r["address2"];
$hotel_add3=$r["address3"];
$hotel_town=$r["town"];
$hotel_county=$r["county"];
$hotel_postcode=$r["postcode"];
$hotel_country=$r["country"];
$hotel_tel_main=$r["tel_main"];
$hotel_tel_res=$r["tel_res"];
$hotel_tel_conf=$r["tel_conf"];
$hotel_fax_main=$r["fax_main"];
$hotel_fax_res=$r["fax_res"];
$hotel_fax_conf=$r["fax_conf"];
$hotel_email_main=$r["email_main"];
$hotel_email_res=$r["email_res"];
$hotel_email_conf=$r["email_conf"];
$hotel_website=$r["website"];
$hotel_preferred=$r["preferred"];
$blacklisted=$r['blacklisted'];
$noncomm=$r['noncomm'];
;
}
}
?>
<table summary="" border="0" width=101% height=100% class=hotel>
  <td width="40%">
  <tr>
    <td valign=top>
<form action="<? echo $_SERVER['PHP_SELF'] . "?hotelid=" . $hotelid;?>" method="post">
<input type="hidden" name="newvenue" value="1">
<table summary="" border="0">
<tr>
  <td><strong>Commission?</strong> Yes 
    <input type="radio" name="noncomm" value="Y" <? if($noncomm=='Y')echo 'checked';?>> 
    No 
    <input type="radio" name="noncomm" value="N" <? if($noncomm=='N')echo 'checked';?>></td>
  <td width="60%" align="right"><div align="right"><a href="javascript:history.go(-1)"><b>
    Back 1 step</b></a></div></td></tr>
  <tr>
    <td>Hotel Code</td>
        <td><? echo $hotelid?> Blacklisted? Yes<input type="radio" name="blacklist" value="Y" <? if($blacklisted=='Y')echo 'checked';?>> 
          No<input type="radio" name="blacklist" value="N" <? if($blacklisted=='N')echo 'checked';?>></td>
  </tr>
        <td>Preferred by? </td>
          <td><textarea name="preferred" cols="30"><? echo $hotel_preferred?></textarea></td>
        </tr>
  <tr>
    <td>Hotel Name</td>
    <td><input type="text" name="hotelname" size="30" maxlength="256" value="<? echo $hotel_name?>"></td>
  </tr>
  <tr>
    <td>Hotel Group</td>
    <td><select name="hotelgroup">
<?
$queryu = "select groupname from venue_main group by groupname ";
$resultu=mysql_query($queryu,$conn);	
while ($r= mysql_fetch_array($resultu)) {	?>
<option value="<? echo $r["groupname"]; ?>" <? if ($r["groupname"]==$hotel_group|| $r["groupname"]==$searchgroup){echo ' selected';}?>><? echo $r["groupname"]; ?></option>
<? }?>	
</select>
<?
/*
$queryu = "select list from lists where name='groups' ";
$resultu=mysql_query($queryu,$conn);
$list=mysql_result($resultu,0,0);
$list = preg_replace("/(\015\012)|(\015)|(\012)/","@",$list); 
$list_array=explode ("@", $list);
$count=count($list_array);
for ($loopi=0;$loopi<$count;++$loopi){
$thixx=$list_array[$loopi];?>
<option <? if ($thixx==$hotelgroup||$thixx=$searchgroup){echo ' selected';}?>> <? echo $list_array[$loopi];?></option>
<? }?>
</select>*/ ?>
<input type="text" name="hotelgroupnew" size="30" maxlength="256" value="<? echo $hotelgroupnew?>"></td>
  </tr>
  
  <tr>
    <td valign=top>Address</td>
    <td><input type="text" name="addline1" size="30" maxlength="256" value="<? echo $hotel_add1?>"><br>
<input type="text" name="addline2" size="30" maxlength="256" value="<? echo $hotel_add2)?>"><br>
<input type="text" name="addline3" size="30" maxlength="256" value="<? echo $hotel_add3?>"></td>
  </tr>
  <tr>
    <td>Town</td>
    <td><input type="text" name="town" size="30" maxlength="256" value="<? echo $hotel_town?>"></td>
  </tr>
      <tr>
    <td>County/State</td>
    <td><input type="text" name="county" size="30" maxlength="256" value="<? echo $hotel_county?>"></td>
  </tr>
    <tr>
    <td>Postcode</td>
    <td><input type="text" name="postcode" size="30" maxlength="256" value="<? echo $hotel_postcode?>"> <a href="http://www.multimap.com/map/browse.cgi?client=public&db=pc&addr1=&client=public&addr2=&advanced=&addr3=&pc=<? echo $hotel_postcode?>&quicksearch=tn33+9eu&cidr_client=none" target=map>Map</a></td>
  </tr>
    <tr>
    <td>Country</td>
    <td><!-- <select name="country">
<?
$queryu = "select list from lists where name='countries' ";
$resultu=mysql_query($queryu,$conn);
$list=mysql_result($resultu,0,0);
$list = preg_replace("/(\015\012)|(\015)|(\012)/","@",$list); 
$list_array=explode ("@", $list);
$count=count($list_array);
for ($loopi=0;$loopi<$count;++$loopi){
$thixx=$list_array[$loopi];?>
<option <? if ($thixx==$unit){echo ' selected';}?>> <? echo $list_array[$loopi];?></option>
<? }?>
</select> --><input type="text" name="countrynew" size="30" maxlength="256" value="<? echo $hotel_country?>"></td>
  </tr>
      <tr>
    <td>Website</td>
    <td><p>
      <input type="text" name="website" size="30" maxlength="256" value="<? echo $hotel_website?>"> 
      <a href="http://<? echo $hotel_website?>" target="web">Go</a></p>      </td>
  </tr>
  <tr><td colspan=2><hr></td>
  </tr>
    </tr>
  <tr><td colspan=2>
  <table summary="" border="0">
    <tr>
    <td></td>
    <td>Main</td>
    <td>Reservations</td>
    <td>Conferences</td>
  </tr>
  <tr>
    <td>Telephone</td>
<td><input type="text" name="telmain" size="15" maxlength="256" value="<? echo $hotel_tel_main?>"></td>
<td><input type="text" name="telres" size="15" maxlength="256" value="<? echo $hotel_tel_res?>"></td>
<td><input type="text" name="telcon" size="15" maxlength="256" value="<? echo $hotel_tel_conf?>"></td>
  </tr>
  <tr>
    <td>Fax</td>
<td><input type="text" name="faxmain" size="15" maxlength="256" value="<? echo $hotel_fax_main?>"></td>
<td><input type="text" name="faxres" size="15" maxlength="256" value="<? echo $hotel_fax_res?>"></td>
<td><input type="text" name="faxcon" size="15" maxlength="256" value="<? echo $hotel_fax_conf?>"></td>
  </tr>
  <tr>
    <td>Email</td>
<td><input type="text" name="emailmain" size="15" maxlength="256" value="<? echo $hotel_email_main?>"></td>
<td><input type="text" name="emailres" size="15" maxlength="256" value="<? echo $hotel_email_res?>"></td>
<td><input type="text" name="emailcon" size="15" maxlength="256" value="<? echo $hotel_email_conf?>"></td>
  </tr>
</table>
  </td>
  </tr>
        <tr>
    <td> </td>
    <td valign="bottom"><input type="submit" value="Save"></td>
      </tr></form></td>
  </tr>
  <tr>
    <td>    
</table>
</td>
  </tr>
</table>

</body>
</html>

[kenrbnsn]

This code was written when register_globals was enabled by default. If register_globals is not enabled (like it should be set), this code will not work as written.

 

As for your other question about how to escape quotes in a value attribute, you need to use the function htmlentities()

 

value="<?php echo htmlentities($_POST['hotel_add2'],ENT_QUOTES) ?>"

 

Ken

[bladechob]

Thanks Ken I'll have a play and see how much damage I can muster...

[bladechob]

Chaps problem solved - coding was not a problem winscp was! pages were not being updated although they said they were - probably explains why things have gone a bit pumpkin faced in the past. Anyway thanks very much, nice to have a forum where people make the effort.