Jump to content

Escape issue with MySQL insert

immanuelx2

By immanuelx2
in PHP Coding Help

 Share

Recommended Posts

immanuelx2 Member

immanuelx2

Posted
Posted

Hey guys.

 

I have a piece of code that puts the contents of a textbox into a mysql database:

 

<?php
mysql_query("INSERT INTO articles VALUES(NULL, ".input($_POST['articlecategory']).", ".input($_POST['articletitle']).", NULL, ".input($_POST['articletext']).", ".input($_SESSION['user_id']).", UNIX_TIMESTAMP(), '0')")

 

And here is the input function

 

<?php
function input($value)
{
if (get_magic_quotes_gpc()) $value = stripslashes($value);
if (!is_numeric($value)) $value = "'" . mysql_real_escape_string($value) . "'";
return $value;
}

 

Now the problem is, if there is a double quote inside the $_POST['articletitle'] variable, it only inputs the contents until the first double quote is reached. However, there are no problems with single quotes.

 

Now the weird thing is, that only has a problem with textbox contents.  The $_POST['articletext'] can have single or double quotes with no problems!

 

Any help is greatly appreciated!

Link to comment
Share on other sites
immanuelx2 Member

immanuelx2

Posted
  • Author
Posted

How do you know - "it only inputs the contents until the first double quote is reached"

 

It's likely you have a problem when you output it onto a web page. What does a "view source" of the output look like?

 

Say the following is true:

 

<?php
$_POST['articletitle'] = 'This is my "article"';

 

After the insert, if I look in the MySQL table, I only get 'This is my '

Link to comment
Share on other sites
darkfreaks Advanced Member

darkfreaks

Posted
Posted 

<?php


$value= 'This is my "article"';
function input($value)
{
if (get_magic_quotes_gpc()){ $value = stripslashes($value);}
if (!is_numeric($value)){ $value = "'" . mysql_real_escape_string($value) . "'";}
   return $value;
}
echo $value;
?>

 

gives me:

 

'This is my "article"'

 

 

Link to comment
Share on other sites
immanuelx2 Member

immanuelx2

Posted
  • Author
Posted 

<?php


$value= 'This is my "article"';
function input($value)
{
if (get_magic_quotes_gpc()){ $value = stripslashes($value);}
if (!is_numeric($value)){ $value = "'" . mysql_real_escape_string($value) . "'";}
   return $value;
}
echo $value;
?>

 

gives me:

 

'This is my "article"'

 

 

 

a) you are not even using the function

b) you are not using it in a query

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

The only one here that can actually troubleshoot what is happening on your server with your form, with your php code, and with your database is you. So, what you have done to pin down what is happening?

 

Have you echoed the $_POST data? Have you echoed the query string after the variables have been populated (you should be forming the query in a variable so that you can echo it)?

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.