daveoffy Posted February 28, 2009 Share Posted February 28, 2009 I have a form and when someone types /, <, > I want it so when they hit submit those just go away and are replaced with a space or something. Link to comment https://forums.phpfreaks.com/topic/147363-solved-disable-and/ Share on other sites More sharing options...
trq Posted March 1, 2009 Share Posted March 1, 2009 $str = str_replace(array('/','<','>'), '', $str); Link to comment https://forums.phpfreaks.com/topic/147363-solved-disable-and/#findComment-773517 Share on other sites More sharing options...
daveoffy Posted March 1, 2009 Author Share Posted March 1, 2009 How will I use that. Will I put it in the file with the form, or the file with the proccessing of the form. Link to comment https://forums.phpfreaks.com/topic/147363-solved-disable-and/#findComment-773519 Share on other sites More sharing options...
trq Posted March 1, 2009 Share Posted March 1, 2009 In the file processing the form. $str represents that value you want cleaned. Link to comment https://forums.phpfreaks.com/topic/147363-solved-disable-and/#findComment-773523 Share on other sites More sharing options...
daveoffy Posted March 1, 2009 Author Share Posted March 1, 2009 I want it to clean out the $sitename I have. $sitename = $_POST['sitename']; I will change $str to $sitename? I have this so tell me where to add that code, or what to modify <?php session_start(); include 'config.php'; $errmsg_arr = array(); $errflag = false; $sitename = $_POST['sitename']; $username = $_COOKIE['username']; if($sitename == ''){ $errmsg_arr[] = 'Please enter a site name!'; $errflag = true; } if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header("location: ../editor.php"); exit(); } $sql = "SELECT * FROM users WHERE username = '$username'"; $sqlresult = mysql_query ($sql); while ($row = mysql_fetch_array($sqlresult)) $id = $row['id']; $qry = "INSERT INTO site (id, site) VALUES('$id', '$sitename')"; $result = @mysql_query($qry); if($result) { mkdir('../sites/'.$username.'/'.$sitename); header("location: ../editor.php"); $errmsg_arr[] = 'New site added!'; $errflag = true; }else { echo mysql_error(); die("Query failed"); } if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header("location: ../editor.php"); exit(); } ?> Link to comment https://forums.phpfreaks.com/topic/147363-solved-disable-and/#findComment-773546 Share on other sites More sharing options...
trq Posted March 1, 2009 Share Posted March 1, 2009 Replace.... $sitename = $_POST['sitename']; with.... $sitename = str_replace(array('/','<','>'), '', $_POST['sitename']); $sitename = mysql_real_escape_string($sitename); Notice you also need to escape variables before putting them in any sql queries. Link to comment https://forums.phpfreaks.com/topic/147363-solved-disable-and/#findComment-773554 Share on other sites More sharing options...
daveoffy Posted March 1, 2009 Author Share Posted March 1, 2009 should I make all data that users pick that go into the database have escape string? Link to comment https://forums.phpfreaks.com/topic/147363-solved-disable-and/#findComment-773558 Share on other sites More sharing options...
trq Posted March 1, 2009 Share Posted March 1, 2009 should I make all data that users pick that go into the database have escape string? Yes. All user inputted data that is to be used within queries should be escaped using mysql_real_escape_string. Link to comment https://forums.phpfreaks.com/topic/147363-solved-disable-and/#findComment-773606 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.