creativeimpact Posted December 28, 2008

How do I allow a user to place a number sign in a textarea field and have PHP deal with it?
Psycho Posted December 28, 2008

The only reason it might be a problem would be depending on how you are using the textarea value. Without knowing how you are using it and the error you are getting, it is difficult to help you. Provide more info please.
creativeimpact (Author) Posted December 28, 2008

The form field looks like:

[code]
<textarea id="description" name="description" cols="50" rows="10" wrap="virtual"><?php echo $_REQUEST['description'] ?></textarea>
[/code]

When it is put into the database it drops everything after the user's input of a number sign. My input for MySQL is:

[code]
$username = $_SESSION['user_logged'];
$category = "null";
$title = $_POST['title'];
$description = $_POST['description'];
$item_condition = $_POST['item_condition'];
$price_ask = $_POST['price_ask'];
$price_ask = str_replace('$', '', $price_ask);
$price_purchase = $_POST['price_purchase'];
$price_purchase = str_replace('$', '', $price_purchase);
$qty = $_POST['qty'];
$contactby = $_POST['contactby'];
$image = $uploadedimg;
$date = date("Y-m-d");
$sold = 'no';
$paid = 'no';

$sql = "INSERT INTO listings (listing_id, username, title, description, item_condition, price_ask, price_purchase, qty, contactby, image, date, sold, paid)
        VALUES ('$new_id', '$username', '$title', '".$_POST['description']."', '$item_condition', '$price_ask', '$price_purchase', '$qty', '$contactby', '$image', '$date', '$sold', '$paid')";
[/code]

ALSO, I just noticed that an apostrophe in the text field is not allowing my PHP code to execute. I thought there was a built-in function for $_POST to add slashes????
Psycho Posted December 28, 2008

You should ALWAYS use mysql_real_escape_string() on ALL user data being used in a query. It will prevent the error you are having and, more importantly, it will prevent malicious users from utilizing SQL injection!

[code]
$username = mysql_real_escape_string($_SESSION['user_logged']);
$category = "null";
$title = mysql_real_escape_string($_POST['title']);
$description = mysql_real_escape_string($_POST['description']);
$item_condition = mysql_real_escape_string($_POST['item_condition']);
$price_ask = mysql_real_escape_string(str_replace('$', '', $_POST['price_ask']));
$price_purchase = mysql_real_escape_string(str_replace('$', '', $_POST['price_purchase']));
$qty = mysql_real_escape_string($_POST['qty']);
$contactby = mysql_real_escape_string($_POST['contactby']);
$image = $uploadedimg;
$date = date("Y-m-d");
$sold = 'no';
$paid = 'no';

$sql = "INSERT INTO listings (listing_id, username, title, description, item_condition, price_ask, price_purchase, qty, contactby, image, date, sold, paid)
        VALUES ('$new_id', '$username', '$title', '$description', '$item_condition', '$price_ask', '$price_purchase', '$qty', '$contactby', '$image', '$date', '$sold', '$paid')";
[/code]
hobeau Posted December 28, 2008

A couple of things to mention. First, you're using $_REQUEST to get your value. It is much better to use $_GET or $_POST to get your data, as $_REQUEST can open you up to variable injection vulnerabilities.

Next, you're not sanitizing any of your data. You are assuming that anything that comes from the server is OK and that no validation is required. So for instance, instead of just assigning $_POST['price_ask'] to the $price_ask variable, why not have an 'if' statement that verifies that the string passed in is a valid number?

[code]
<?php
// only accept the price if it is actually numeric
if (is_numeric($_POST['price_ask'])) {
    $price_ask = $_POST['price_ask'];
}
?>
[/code]

This may seem like more work up front, but once you start to realize how easy SQL injection is, you will be more apt to sanitize your data.

Next, you are concatenating your variables directly into your SQL string without escaping them. I'm assuming you mean the dollar sign ($) isn't working instead of the number sign (#), as the number sign shouldn't be a problem. The number sign, however, denotes to PHP that a variable follows, especially when you are using double quotes.

Also, the single quote typed into your textbox is breaking your code because of the fact that it is concatenating the 'end' of the string. For instance, say I have a query:

[code]
<?php
$sql = "INSERT INTO table (column1, column2) VALUES('$item1', '$item2')";
?>
[/code]

Let's say for example that $item1 and $item2 come from a textarea and I type [i love O'Reilly books] in $item1 and into $item2 (minus the brackets) into the textarea. When that is concatenated into the SQL query, it looks like this:

[code]
<?php
$sql = "INSERT INTO table (column1, column2) VALUES('I love O'Reilly books', 'php isn't just a language, it's a GREAT language')";
?>
[/code]

So you can see that the first string is 'I love O' <- and at that point the string is terminated and the other characters are invalid in the SQL query.

So what you need to do is the following:

[code]
<?php
// escape the quotes before the values are interpolated into the query
$item1 = mysql_escape_string($item1);
$item2 = mysql_escape_string($item2);
$sql = "INSERT INTO table (column1, column2) VALUES('$item1', '$item2')";
?>
[/code]

This produces the following:

[code]
<?php
$sql = "INSERT INTO table (column1, column2) VALUES('I love O\'Reilly books', 'php isn\'t just a language, it\'s a GREAT language')";
?>
[/code]

This adds the backslash to the single quote, which in MySQL is the string escape sequence for adding what is called a 'string literal', or literally a quote within quotes without terminating the string. In Microsoft SQL the escape sequence is a double single quote ('') or a double double quote ("").

This is not only important for you to be able to run your code without it breaking, it also wards off SQL injection (http://en.wikipedia.org/wiki/SQL_injection). Please read up on SQL injection, as it is VERY VERY important to you as a web developer. Right now, with this code it is ridiculously easy to access literally your entire database and everything in it and to control it in almost any way a hacker would like (depending on how your user permissions are set up for this particular user).

I hope this helps!!!
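The two replies above fix the symptom by escaping each value before it is pasted into the query string. The example below is an added one, not code from anyone in this thread: it rewrites the same INSERT into the `listings` table with PDO prepared statements, so user input travels to MySQL as bound parameters and is never part of the SQL text at all. That removes the quoting problem for `'`, `#` and `$` alike, and it does not depend on the connection charset the way mysql_real_escape_string() does (the whole mysql_* extension was removed in PHP 7.0, so it is not an option on current PHP anyway). It also keeps hobeau's point about validation: numeric and enumerated fields are checked against what they are supposed to be, rather than merely escaped. Assumptions: PHP 7.4 or later with PDO, a `$pdo` connection to the same database opened with `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` and `PDO::ATTR_EMULATE_PREPARES => false`, `$new_id`, `$uploadedimg` and the session set as in the original post, and the allow-lists for `item_condition` and `contactby` are invented placeholders to be replaced with the real values.

```php
<?php
// Added example, not code from the original thread. Assumes PHP 7.4+ with PDO,
// a $pdo connection to the same MySQL database, and $new_id and $uploadedimg
// already set as in the original post. Table and column names are those in the thread.
declare(strict_types=1);

/** Return $post[$key] if it is a plain string, else '' (rejects qty[]=... style arrays). */
function post_string(array $post, string $key): string
{
    return is_string($post[$key] ?? null) ? $post[$key] : '';
}

/** Validate the listing form and return clean values, or throw InvalidArgumentException. */
function validate_listing(array $post): array
{
    // Free text is kept verbatim: parameter binding handles SQL, htmlspecialchars() handles HTML at output.
    $title       = trim(post_string($post, 'title'));
    $description = post_string($post, 'description');
    if ($title === '' || strlen($title) > 255) {
        throw new InvalidArgumentException('title is required and must be at most 255 bytes');
    }

    // Prices: strip a leading "$" as the original did, then require a non-negative number.
    $prices = [];
    foreach (['price_ask', 'price_purchase'] as $field) {
        $raw = str_replace('$', '', post_string($post, $field));
        if (!is_numeric($raw) || (float) $raw < 0) {
            throw new InvalidArgumentException("$field must be a non-negative number");
        }
        $prices[$field] = number_format((float) $raw, 2, '.', '');
    }

    // Quantity: FILTER_VALIDATE_INT rejects "1e3" and "1.5", both of which is_numeric() accepts.
    $qty = filter_var(post_string($post, 'qty'), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($qty === false) {
        throw new InvalidArgumentException('qty must be a positive integer');
    }

    // Enumerated fields: compare against an allow-list (values assumed; adjust to the real schema).
    $allowedConditions = ['new', 'used', 'refurbished'];
    $allowedContacts   = ['email', 'phone'];
    $condition = post_string($post, 'item_condition');
    $contactby = post_string($post, 'contactby');
    if (!in_array($condition, $allowedConditions, true) || !in_array($contactby, $allowedContacts, true)) {
        throw new InvalidArgumentException('item_condition or contactby is not an allowed value');
    }

    return [
        'title'          => $title,
        'description'    => $description,
        'item_condition' => $condition,
        'price_ask'      => $prices['price_ask'],
        'price_purchase' => $prices['price_purchase'],
        'qty'            => $qty,
        'contactby'      => $contactby,
    ];
}

/** Insert with named placeholders; no user data is ever spliced into the SQL text. */
function insert_listing(PDO $pdo, int $newId, string $username, string $image, array $clean): void
{
    $sql = 'INSERT INTO listings
              (listing_id, username, title, description, item_condition, price_ask,
               price_purchase, qty, contactby, image, date, sold, paid)
            VALUES
              (:listing_id, :username, :title, :description, :item_condition, :price_ask,
               :price_purchase, :qty, :contactby, :image, :date, :sold, :paid)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':listing_id'     => $newId,
        ':username'       => $username,
        ':title'          => $clean['title'],
        ':description'    => $clean['description'], // "#", "'" and "$" are all just data here
        ':item_condition' => $clean['item_condition'],
        ':price_ask'      => $clean['price_ask'],
        ':price_purchase' => $clean['price_purchase'],
        ':qty'            => $clean['qty'],
        ':contactby'      => $clean['contactby'],
        ':image'          => $image,
        ':date'           => date('Y-m-d'),
        ':sold'           => 'no',
        ':paid'           => 'no',
    ]);
}

try {
    $clean = validate_listing($_POST);
    insert_listing($pdo, (int) $new_id, (string) $_SESSION['user_logged'], (string) $uploadedimg, $clean);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}

// Re-displaying the submitted text in the form is an HTML context, so escape for HTML here
// (the original echoed $_REQUEST['description'] raw, which is a reflected XSS sink).
printf('<textarea id="description" name="description" cols="50" rows="10">%s</textarea>',
    htmlspecialchars(post_string($_POST, 'description'), ENT_QUOTES, 'UTF-8'));
```

Two caveats worth keeping in mind with the escaping approach the thread settles on. mysql_real_escape_string() only protects values that sit inside quotes in the query; an unquoted number, a column name in ORDER BY, or a LIKE pattern needs separate handling, whereas bound parameters are safe in any value position. And if the description is ever carried in a URL (the original form echoes $_REQUEST, which also reads the query string), an unencoded `#` is treated by the browser as the start of the fragment and never reaches PHP at all, which would show up as exactly "everything after the number sign is dropped"; urlencode() the value, or keep it in the POST body as the example does.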
hobeau Posted December 28, 2008

Whoops, looks like you beat me to it, mjdamato. Keep preaching the security gospel!