
[SOLVED] Aargh! - escaping, magic_quotes, slashes, quote marks - I don't understand



Hi Folks,

 

What I want to do is very simple but I am falling foul of escaping characters...

 

I have some html/php forms where users update data in the database.  It all works well until someone tries to put in a name like Rick o'shea and then one of two things happens...

 

1. On a form that is located in the root directory it goes in OK but when they go back to update the form again the textbox should be populated with the current value from the database but it says Rick o'

2. On a form that is located in a password-protected sub-directory it puts Rick o\'shea in and when they go back to update the form again the textbox should be populated with the current value from the database but it says Rick o\

 

Do I need to do something extra with .htaccess (currently it just defines index.php as the homepage)? What? And will it correct the problem for the sub-directory as well as the root?

 

Many Thanks in advance

You have to use mysql_real_escape_string or equivalent to escape strings when sending queries to the database.

 

I'm not sure if you have to escape for the folders or not.

 

Also check that in html you are setting html attributes with double quotes and not single quotes.

 

And of course, use a proper subject please

I am using

 

$event1winnerupdate = mysql_real_escape_string($_POST['event1winnerupdate']);

 

to define the variables that I then use in

 

$query1="UPDATE tournamentevents SET
eventwinner='$event1winnerupdate' WHERE....  ";

 

is that what you mean or am I missing something...?

 

 

If you use it like that, your variable is an escaped variable. If you are using something like:

 

$event1winnerupdate = mysql_real_escape_string($_POST['event1winnerupdate']);

$query1="UPDATE tournamentevents SET
eventwinner='$event1winnerupdate' WHERE....  ";

create_folder($event1winnerupdate);

 

you are sending an escaped string to create folders. What you should do is something like this:

 

$event1winnerupdate = $_POST['event1winnerupdate'];

$query1="UPDATE tournamentevents SET eventwinner='" . mysql_real_escape_string($event1winnerupdate) . "' WHERE....  ";

create_folder($event1winnerupdate);

 

So the folder name you have created is not escaped.
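The reply above puts the escaping at the point where the value meets the database, which is the right place. For the sub-directory symptom, one setting worth checking is magic_quotes_gpc: it can be switched on for a single directory with php_flag in that directory's .htaccess, and when it is on PHP has already backslashed every quote before your script runs, so a second escaping stores Rick o\'shea. The block below is an added example, not code from this thread: it undoes magic quotes once at input and then uses a mysqli prepared statement instead of building the SQL by hand. It assumes a mysqli connection in $db, the tournamentevents table and eventwinner column from the thread, and an assumed key column named eventid (the thread's WHERE clause is not shown).

```php
<?php
// Added example, not code from the thread. Storage side of the fix: undo
// magic_quotes once at input, then hand the value to a prepared statement so
// the database driver does the quoting.
// Assumptions: a mysqli connection in $db, the table tournamentevents and
// column eventwinner from the thread, and an assumed key column "eventid".

/**
 * Return exactly what the user typed. When magic_quotes_gpc is on (PHP < 5.4;
 * it can be enabled for one directory with "php_flag magic_quotes_gpc on" in
 * that directory's .htaccess), PHP has already put a backslash before every
 * quote, which is why "Rick o\'shea" ends up in the table when the value is
 * escaped a second time. Removing it once here keeps every later step uniform.
 */
function raw_post($name)
{
    $value = isset($_POST[$name]) ? (string) $_POST[$name] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

/**
 * Update the winner with a prepared statement. The SQL text never contains
 * the user's value, so "Rick o'shea" needs no escaping and cannot alter the
 * query. Returns true on success.
 */
function update_event_winner(mysqli $db, $eventId, $winner)
{
    $sql  = 'UPDATE tournamentevents SET eventwinner = ? WHERE eventid = ?';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $eventId = (int) $eventId;            // bind_param needs real variables
    $stmt->bind_param('si', $winner, $eventId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage, assuming the form also posts the event id and $db was opened earlier
// with new mysqli(...):
//   $winner = raw_post('event1winnerupdate');   // "Rick o'shea", no backslash
//   update_event_winner($db, raw_post('eventid'), $winner);
```

The same raw value can then be passed to anything else (a folder name, an email) without carrying database escaping with it, which is the point the reply above makes.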

OK - removing the "mysql_real_escape_string" makes it work OK for uploading data.

 

It now populates the box with "Rick o" when you go back in to make another update

 

echo "<input type='text' name='event1winnerupdate'  value='$event1data[10]'  size='30' maxlength='40'>";

 

I understand that the problem lies in the use of single quotes: it sees value='rick o'shea' and thinks that quote mark ends the string, but how do I get round this, because using double quotes value="$event1data[10]" confuses the echo "......

OK I've cracked it by using " in my echo statement and escaping it with \

 

echo "<input type='text' name='event1third1update'  value=\"$event1data[14]\"  size='30' maxlength='40'>";

 

Just a find and replace and away I go - Thanks Guys!!
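Switching the attribute to double quotes handles o'shea, but a stored value containing a double quote, or angle brackets, would still break out of the attribute or be rendered as HTML, and without any database escaping a quote in the input can also change the meaning of the UPDATE. The usual defence for the output side is to pass every value through htmlspecialchars with ENT_QUOTES before echoing it into the page. The block below is an added example, not code from this thread; it assumes $event1data is the row fetched from the database, and the sample values are constructed to exercise the cases the thread ran into.

```php
<?php
// Added example, not code from the thread. Output side of the fix: render the
// text box with the stored value escaped for an HTML attribute, so neither
// quote style nor '<' can end the attribute early.
// Assumption: $event1data[10] holds the value read back from the database.

/**
 * Build one <input type="text"> with name and value HTML-escaped.
 * ENT_QUOTES converts both ' and ", so it is safe inside single- or
 * double-quoted attributes; here double quotes are used for the markup.
 */
function text_input($name, $value, $size = 30, $maxlength = 40)
{
    return sprintf(
        '<input type="text" name="%s" value="%s" size="%d" maxlength="%d">',
        htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'),
        (int) $size,
        (int) $maxlength
    );
}

// Constructed sample values standing in for $event1data[10].
$samples = array(
    "Rick o'shea",                   // the thread's case
    'Rick "The Rock" Shea',          // would break a double-quoted attribute unescaped
    'x" onmouseover="alert(1)',      // regression check: must stay inert text
    'Rick <b>Shea</b>',              // tags must show as text, not render
);

foreach ($samples as $value) {
    echo text_input('event1winnerupdate', $value), "\n";
}

// In the form itself the call becomes:
//   echo text_input('event1winnerupdate', $event1data[10]);
```

Browsers decode the entities when the form is submitted, so the user sees and resubmits the original name; the escaping lives only in the HTML source, and it is the same single rule that closes the cross-site-scripting hole a raw echo leaves open.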
