bladechob Posted October 31, 2008

Having had a rather nasty experience with magic quotes, I need to do some serious slashing (hallow'een and all). No problem with

    `clientnotes` = '$notes2',

to

    `clientnotes` = '".addslashes($notes2)."'

but what's the convention for applying it to, say:

    value="<? echo $hotel_add2?>"

thanks
The Little Guy Posted October 31, 2008

Like this?

    value="<?php echo addslashes($hotel_add2); ?>"
bladechob Posted October 31, 2008 (Author)

Tried that one, Little Guy, and it didn't work - well, didn't write to the database in any case - I must be missing some code voodoo somewhere.
runnerjp Posted October 31, 2008

It's basically addslashes($data). You should look here: http://uk.php.net/addslashes
bladechob Posted October 31, 2008 (Author)

Thanks, but I've tried the basics and they don't work for me on a new server that is not running magic quotes.
kenrbnsn Posted October 31, 2008

Magic quotes has nothing to do with the addslashes() function. But you shouldn't be using addslashes(), you should be using mysql_real_escape_string(), since it will escape more than just the single quote.

Ken
The Little Guy Posted October 31, 2008

Why not do this:

    $query = sprintf("INSERT INTO tableName (`clientnotes`, `clientnotes`) VALUES ('%s','%s')",
        mysql_real_escape_string($_POST['notes2']),
        mysql_real_escape_string($_POST['notes2']));
    mysql_query($query);

%s is a type specifier for string. Here are more type specifiers: http://us2.php.net/sprintf
bladechob Posted October 31, 2008 (Author)

Thanks Ken - I thought magic quotes was there to auto-handle quotes and stuff - anyway, tried the SQL bit and that hasn't worked either...
kenrbnsn Posted October 31, 2008

Can we see all of your code?

Ken
bladechob Posted October 31, 2008 (Author)

Not a pretty site (sight), but here you go with what I've inherited:

    <? session_start(); ?>
    <html>
    <!-- Creation date: 14/08/2003 -->
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <title></title>
    <meta name="description" content="">
    <meta name="keywords" content="">
    <meta name="author" content="Lathyrus Ltd">
    <meta name="generator" content="AceHTML 5 Pro">
    <link rel="StyleSheet" type="text/css" href="style.css">
    </head>
    <body leftmargin="0" marginwidth="0" topmargin="0" marginheight="0">
    <?
    require_once("cfg.php");
    require_once($CFG->include_dir . "/config.php");
    require_once($CFG->include_dir . "/weblib.php");
    require_once($CFG->include_dir . "/dblib.php");

    if (isset ($hotelname)){
        $postcode=strtoupper($postcode);
        dbconnect();
        $query = "UPDATE `venue_main` SET
            `name` = '$hotelname',
            `groupname` = '$hotelgroup',
            `address1` = '$addline1',
            `address2` = '$addline2',
            `address3` = '$addline3',
            `town` = '$town',
            `county` = '$county',
            `postcode` = '$postcode',
            `country` = '$countrynew',
            `tel_main` = '$telmain',
            `tel_res` = '$telres',
            `tel_conf` = '$telcon',
            `fax_main` = '$faxmain',
            `fax_res` = '$faxres',
            `fax_conf` = '$faxcon',
            `email_main` = '$emailmain',
            `email_res` = '$emailres',
            `website` = '$website',
            `preferred`='$preferred',
            `blacklisted`='$blacklist',
            `noncomm`='$noncomm',
            `email_conf` = '$emailcon'
            WHERE `hotelid` = '$hotelid' ";
        //echo $query;
        $result=mysql_query($query,$conn);
    }

    dbconnect();
    $query = "select * from venue_main where hotelid='$hotelid' ";
    $result=mysql_query($query,$conn);
    $resultsnumber= mysql_num_rows($result);
    if ($resultsnumber!='0'){
        while ($r= mysql_fetch_array($result)) {
            $hotel_name=$r["name"];
            $hotel_group=$r["groupname"];
            $hotel_add1=$r["address1"];
            $hotel_add2=$r["address2"];
            $hotel_add3=$r["address3"];
            $hotel_town=$r["town"];
            $hotel_county=$r["county"];
            $hotel_postcode=$r["postcode"];
            $hotel_country=$r["country"];
            $hotel_tel_main=$r["tel_main"];
            $hotel_tel_res=$r["tel_res"];
            $hotel_tel_conf=$r["tel_conf"];
            $hotel_fax_main=$r["fax_main"];
            $hotel_fax_res=$r["fax_res"];
            $hotel_fax_conf=$r["fax_conf"];
            $hotel_email_main=$r["email_main"];
            $hotel_email_res=$r["email_res"];
            $hotel_email_conf=$r["email_conf"];
            $hotel_website=$r["website"];
            $hotel_preferred=$r["preferred"];
            $blacklisted=$r['blacklisted'];
            $noncomm=$r['noncomm'];
        }
    }
    ?>
    <table summary="" border="0" width=101% height=100% class=hotel>
    <td width="40%">
    <tr>
    <td valign=top>
    <form action="<? echo $_SERVER['PHP_SELF'] . "?hotelid=" . $hotelid;?>" method="post">
    <input type="hidden" name="newvenue" value="1">
    <table summary="" border="0">
    <tr>
    <td><strong>Commission?</strong>
        Yes <input type="radio" name="noncomm" value="Y" <? if($noncomm=='Y')echo 'checked';?>>
        No <input type="radio" name="noncomm" value="N" <? if($noncomm=='N')echo 'checked';?>></td>
    <td width="60%" align="right"><div align="right"><a href="javascript:history.go(-1)"><b> Back 1 step</b></a></div></td>
    </tr>
    <tr>
    <td>Hotel Code</td>
    <td><? echo $hotelid?>
        Blacklisted? Yes<input type="radio" name="blacklist" value="Y" <? if($blacklisted=='Y')echo 'checked';?>>
        No<input type="radio" name="blacklist" value="N" <? if($blacklisted=='N')echo 'checked';?>></td>
    </tr>
    <td>Preferred by? </td>
    <td><textarea name="preferred" cols="30"><? echo $hotel_preferred?></textarea></td>
    </tr>
    <tr>
    <td>Hotel Name</td>
    <td><input type="text" name="hotelname" size="30" maxlength="256" value="<? echo $hotel_name?>"></td>
    </tr>
    <tr>
    <td>Hotel Group</td>
    <td><select name="hotelgroup">
    <?
    $queryu = "select groupname from venue_main group by groupname ";
    $resultu=mysql_query($queryu,$conn);
    while ($r= mysql_fetch_array($resultu)) {
    ?>
        <option value="<? echo $r["groupname"]; ?>" <? if ($r["groupname"]==$hotel_group|| $r["groupname"]==$searchgroup){echo ' selected';}?>><? echo $r["groupname"]; ?></option>
    <? }?>
    </select>
    <?
    /*
    $queryu = "select list from lists where name='groups' ";
    $resultu=mysql_query($queryu,$conn);
    $list=mysql_result($resultu,0,0);
    $list = preg_replace("/(\015\012)|(\015)|(\012)/","@",$list);
    $list_array=explode ("@", $list);
    $count=count($list_array);
    for ($loopi=0;$loopi<$count;++$loopi){
        $thixx=$list_array[$loopi];?>
        <option <? if ($thixx==$hotelgroup||$thixx=$searchgroup){echo ' selected';}?>> <? echo $list_array[$loopi];?></option>
    <? }?>
    </select>
    */
    ?>
    <input type="text" name="hotelgroupnew" size="30" maxlength="256" value="<? echo $hotelgroupnew?>"></td>
    </tr>
    <tr>
    <td valign=top>Address</td>
    <td><input type="text" name="addline1" size="30" maxlength="256" value="<? echo $hotel_add1?>"><br>
        <input type="text" name="addline2" size="30" maxlength="256" value="<? echo $hotel_add2?>"><br>
        <input type="text" name="addline3" size="30" maxlength="256" value="<? echo $hotel_add3?>"></td>
    </tr>
    <tr>
    <td>Town</td>
    <td><input type="text" name="town" size="30" maxlength="256" value="<? echo $hotel_town?>"></td>
    </tr>
    <tr>
    <td>County/State</td>
    <td><input type="text" name="county" size="30" maxlength="256" value="<? echo $hotel_county?>"></td>
    </tr>
    <tr>
    <td>Postcode</td>
    <td><input type="text" name="postcode" size="30" maxlength="256" value="<? echo $hotel_postcode?>">
        <a href="http://www.multimap.com/map/browse.cgi?client=public&db=pc&addr1=&client=public&addr2=&advanced=&addr3=&pc=<? echo $hotel_postcode?>&quicksearch=tn33+9eu&cidr_client=none" target=map>Map</a></td>
    </tr>
    <tr>
    <td>Country</td>
    <td><!-- <select name="country">
    <?
    $queryu = "select list from lists where name='countries' ";
    $resultu=mysql_query($queryu,$conn);
    $list=mysql_result($resultu,0,0);
    $list = preg_replace("/(\015\012)|(\015)|(\012)/","@",$list);
    $list_array=explode ("@", $list);
    $count=count($list_array);
    for ($loopi=0;$loopi<$count;++$loopi){
        $thixx=$list_array[$loopi];?>
        <option <? if ($thixx==$unit){echo ' selected';}?>> <? echo $list_array[$loopi];?></option>
    <? }?>
    </select> --><input type="text" name="countrynew" size="30" maxlength="256" value="<? echo $hotel_country?>"></td>
    </tr>
    <tr>
    <td>Website</td>
    <td><p> <input type="text" name="website" size="30" maxlength="256" value="<? echo $hotel_website?>">
        <a href="http://<? echo $hotel_website?>" target="web">Go</a></p> </td>
    </tr>
    <tr><td colspan=2><hr></td> </tr>
    </tr>
    <tr><td colspan=2>
    <table summary="" border="0">
    <tr>
    <td></td> <td>Main</td> <td>Reservations</td> <td>Conferences</td>
    </tr>
    <tr>
    <td>Telephone</td>
    <td><input type="text" name="telmain" size="15" maxlength="256" value="<? echo $hotel_tel_main?>"></td>
    <td><input type="text" name="telres" size="15" maxlength="256" value="<? echo $hotel_tel_res?>"></td>
    <td><input type="text" name="telcon" size="15" maxlength="256" value="<? echo $hotel_tel_conf?>"></td>
    </tr>
    <tr>
    <td>Fax</td>
    <td><input type="text" name="faxmain" size="15" maxlength="256" value="<? echo $hotel_fax_main?>"></td>
    <td><input type="text" name="faxres" size="15" maxlength="256" value="<? echo $hotel_fax_res?>"></td>
    <td><input type="text" name="faxcon" size="15" maxlength="256" value="<? echo $hotel_fax_conf?>"></td>
    </tr>
    <tr>
    <td>Email</td>
    <td><input type="text" name="emailmain" size="15" maxlength="256" value="<? echo $hotel_email_main?>"></td>
    <td><input type="text" name="emailres" size="15" maxlength="256" value="<? echo $hotel_email_res?>"></td>
    <td><input type="text" name="emailcon" size="15" maxlength="256" value="<? echo $hotel_email_conf?>"></td>
    </tr>
    </table>
    </td>
    </tr>
    <tr>
    <td> </td>
    <td valign="bottom"><input type="submit" value="Save"></td>
    </tr></form></td>
    </tr>
    <tr>
    <td>
    </table>
    </td>
    </tr>
    </table>
    </body>
    </html>
kenrbnsn Posted October 31, 2008

This code was written when register_globals was enabled by default. If register_globals is not enabled (like it should be set), this code will not work as written.

As for your other question about how to escape quotes in a value attribute, you need to use the function htmlentities():

    value="<?php echo htmlentities($_POST['hotel_add2'],ENT_QUOTES) ?>"

Ken
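The thread touches two separate escaping layers: Ken's and The Little Guy's advice to run values through mysql_real_escape_string() before they go into the query, and Ken's point that a value echoed into a value="" attribute needs HTML escaping with ENT_QUOTES instead. The PHP below is an added example written for this page, not code from the thread or from the inherited site. It reads the form fields from $_POST explicitly (the register_globals problem Ken describes), writes the address with a mysqli prepared statement rather than string escaping (the mysql_* functions used in the thread were removed in PHP 7, and a prepared statement keeps the values out of the SQL text entirely), and escapes the round-tripped value for the attribute. The table and column names (venue_main, hotelid, address2) are from the posted code; the helper names, the connection details and the sample form input are this example's own.

```php
<?php
// Added example (not the thread's code): explicit $_POST access, a prepared
// statement for the UPDATE, and htmlspecialchars() for the value="" attribute.
// Table/column names come from the posted page; helper names are assumptions.
declare(strict_types=1);

// SQL layer. The placeholder (?) is filled by the driver after the statement
// text has been parsed, so an apostrophe or backslash in $addline2 is stored
// as data and never read as SQL. This replaces addslashes() and
// mysql_real_escape_string() alike.
function updateVenueAddress2(mysqli $db, int $hotelid, string $addline2): int
{
    $stmt = $db->prepare('UPDATE `venue_main` SET `address2` = ? WHERE `hotelid` = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('si', $addline2, $hotelid);   // s = string, i = integer
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// HTML layer. A value going back into an attribute needs HTML escaping, not
// SQL escaping. ENT_QUOTES encodes both ' and ", so the value cannot close
// the attribute or the tag no matter which quote style the template uses.
function attr(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// register_globals is off, so request fields are read from $_POST by name
// instead of expecting $hotelname, $addline2, ... to appear as variables.
function postField(string $name): ?string
{
    return isset($_POST[$name]) && is_string($_POST[$name]) ? $_POST[$name] : null;
}

// --- usage --------------------------------------------------------------
// Constructed input standing in for a submitted form; the apostrophe is the
// case that started this thread.
$_POST = ['hotelname' => 'Example Hotel', 'addline2' => "St Mary's Road"];
$hotelid = (int) ($_GET['hotelid'] ?? 0);

if (postField('hotelname') !== null && $hotelid > 0) {
    // Connection details are placeholders for this example.
    $db = new mysqli('db-host', 'db-user', 'db-password', 'db-name');
    updateVenueAddress2($db, $hotelid, (string) postField('addline2'));
}

// Round trip: the value is stored unchanged and the form echoes it escaped.
// In the real page $hotel_add2 would come from the SELECT, as in the thread.
$hotel_add2 = postField('addline2');
echo '<input type="text" name="addline2" size="30" maxlength="256" value="'
    . attr($hotel_add2) . '">';
```

The two helpers keep the layers apart on purpose: attr() is the only place HTML escaping happens, and it is applied at output time, so the database never receives entity-encoded or backslashed text and the same stored value can be rendered safely in any context later. If the site still has magic quotes on somewhere, stripslashes() on input would be the matching cleanup, but with prepared statements nothing needs to be added on the way in.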
bladechob Posted October 31, 2008 (Author)

Thanks Ken, I'll have a play and see how much damage I can muster...
bladechob Posted October 31, 2008 (Author)

Chaps, problem solved - the coding was not the problem, WinSCP was! Pages were not being updated although it said they were - probably explains why things have gone a bit pumpkin-faced in the past. Anyway, thanks very much, nice to have a forum where people make the effort.