TGWSE_GY Posted September 23, 2009 Share Posted September 23, 2009 Hi guys, I am working on this script and it doesn't seem to be adding slashes to the content before it inserts into the database and it is taking special characters like ' and changing them to ? can someone help me please? Here is my code <?php $dbhost = "***********"; $dbuser = "***********"; $dbpass = "***********"; $dbname = "innonmainnj"; $tblrooms = "rooms"; $tbllocations = "directions"; $tblhome = "home"; $tblaccommodations = "accommodations"; $tblreservations = "reservations"; $tblrestaurant = "restaurant"; mysql_connect($dbhost, $dbuser, $dbpass) or die(mysql_error()); mysql_select_db($dbname) or die(mysql_error()); $identity = $_POST['identity']; if($identity == "1"){ $description = addslashes($_POST['accommodations']); $query = "UPDATE accommodations SET column2='$description' WHERE id=1"; mysql_query($query) or die(mysql_error()); header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=3"); }elseif($identity=="2"){ $content = addslashes($_POST['content']); echo $content; die(); $promotitle = addslashes($_POST['promotitle']); $promo = addslashes($_POST['promo']); $address1 = addslashes($_POST['address1']); $address2 = addslashes($_POST['address2']); $phone = addslashes($_POST['phone']); $query = "UPDATE `home` SET content='$content', promotitle='$promotitle', promo='$promo', address1='$address1', address2='$address2', phone='$phone' WHERE id= '1'"; mysql_query($query) or die(mysql_error()); header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=1"); }elseif($identity=="3"){ $north = addslashes($_POST['north']); $south = addslashes($_POST['south']); $west = addslashes($_POST['west']); $query = "UPDATE `directions` SET north='$north', south='$south', west='$west WHERE id='1'"; mysql_query($query) or die(mysql_error()); header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=3"); }elseif($identity=="4"){ $content = addslashes($_POST['description']); $phone1 = addslashes($_POST['phone1']); $phone2 = addslashes($_POST['phone2']); $email = addslashes($_POST['email']); $specialtitle = addslashes($_POST['specialtitle']); $special = addslashes($_POST['special']); $query = "UPDATE `reservations` SET content='$content', phone1='$phone1', phone2='$phone2', email='$email', specialtitle='$specialtitle', special='$special' WHERE id='1'"; mysql_query($query) or die(mysql_error()); header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=4"); }elseif($identity=="5"){ $dinner = addslashes($_POST['dinner']); $lunch = addslashes($_POST['lunch']); $brunch = addslashes($_POST['brunch']); $query = "UPDATE `restaurant` SET dinner='$dinner', lunch='$lunch', brunch='$brunch' WHERE id='1'"; mysql_query($query) or die(mysql_error()); header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=5"); }elseif($identity != 1){ if($identity != 2){ if($identy != 3){ if($identity != 4){ if($identity !=5 ){ $description = $_POST['description']; $cost = $_POST['cost']; $query = "UPDATE `rooms` SET description='$description' cost='$cost' WHERE roomnumber='$identity'"; mysql_query($query) or die(mysql_error()); header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=$identity"); } } } } } ?> Thanks Again. Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/ Share on other sites More sharing options...
trq Posted September 23, 2009 Share Posted September 23, 2009 Firstly, what makes you believe its not adding the slashes? Secondly, you should be using mysql_real_escape_string instead of addslashes anyway. Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/#findComment-923453 Share on other sites More sharing options...
PFMaBiSmAd Posted September 23, 2009 Share Posted September 23, 2009 Slightly off topic, but you might want to consider using a switch/case statement instead of multiple if/elseif statements as it will make adding options easier and provides a default statement to directly handle cases where the value is not one of the ones being tested. Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/#findComment-923455 Share on other sites More sharing options...
TGWSE_GY Posted September 23, 2009 Author Share Posted September 23, 2009 Thanks PFMaBiSmAdj thanks for the pointer I had it that way but I needed the nested if statements to test. Thanks thorpe I was just always told to you use addslashes() and stripslashes() when do mysql and it has always worked up until this point. And I wasn't "THINKING" that it wasnt working I knew it wasnt because special characters where being converted to question marks (?). So what is the reverse of the real_escape_string() will strip slashes still work to remove them? Thanks Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/#findComment-923461 Share on other sites More sharing options...
trq Posted September 23, 2009 Share Posted September 23, 2009 You don't need to reverse mysql_real_escape_string, just like addslashes it is simply used to escape special chars as data is inserted into the db. mysql_real_esacpe_string escapes more precisely than addslashes however. Of course you should still apply stripslashes to your data before using either addslashes or mysql_real_escape_string if you have magic_quotes_gpc enabled (which you shouldn't). Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/#findComment-923464 Share on other sites More sharing options...
TGWSE_GY Posted September 23, 2009 Author Share Posted September 23, 2009 Ok thanks Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/#findComment-923467 Share on other sites More sharing options...
TGWSE_GY Posted September 23, 2009 Author Share Posted September 23, 2009 Now when things are being returned from the db where there was comma there is a forward slash now that I am using mysql_real_escape_string(). What am I doing wrong. here is my new code <?php mysql_connect($dbhost, $dbuser, $dbpass) or die(mysql_error()); mysql_select_db($dbname) or die(mysql_error()); $identity = $_POST['identity']; if($identity == "1"){ $description = mysql_real_escape_string($_POST['accommodations']); $query = "UPDATE accommodations SET column2='$description' WHERE id=1"; mysql_query($query) or die(mysql_error()); header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=3"); }elseif($identity=="2"){ $content = mysql_real_escape_string($_POST['content']); $promotitle = mysql_real_escape_string($_POST['promotitle']); $promo = mysql_real_escape_string($_POST['promo']); $address1 = mysql_real_escape_string($_POST['address1']); $address2 = mysql_real_escape_string($_POST['address2']); $phone = mysql_real_escape_string($_POST['phone']); $query = "UPDATE `home` SET content='$content', promotitle='$promotitle', promo='$promo', address1='$address1', address2='$address2', phone='$phone' WHERE id= '1'"; mysql_query($query) or die(mysql_error()); header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=1"); }elseif($identity=="3"){ $north = mysql_real_escape_string($_POST['north']); $south = mysql_real_escape_string($_POST['south']); $west = mysql_real_escape_string($_POST['west']); $query = "UPDATE `directions` SET north='$north', south='$south', west='$west' WHERE id='1'"; mysql_query($query) or die(mysql_error()); header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=3"); }elseif($identity=="4"){ $content = mysql_real_escape_string($_POST['description']); $phone1 = mysql_real_escape_string($_POST['phone1']); $phone2 = mysql_real_escape_string($_POST['phone2']); $email = mysql_real_escape_string($_POST['email']); $specialtitle = mysql_real_escape_string($_POST['specialtitle']); $special = mysql_real_escape_string($_POST['special']); $query = "UPDATE `reservations` SET content='$content', phone1='$phone1', phone2='$phone2', email='$email', specialtitle='$specialtitle', special='$special' WHERE id='1'"; mysql_query($query) or die(mysql_error()); header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=4"); }elseif($identity=="5"){ $dinner = mysql_real_escape_string($_POST['dinner']); $lunch = mysql_real_escape_string($_POST['lunch']); $brunch = mysql_real_escape_string($_POST['brunch']); $query = "UPDATE `restaurant` SET dinner='$dinner', lunch='$lunch', brunch='$brunch' WHERE id='1'"; mysql_query($query) or die(mysql_error()); header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=5"); }elseif($identity != 1){ if($identity != 2){ if($identy != 3){ if($identity != 4){ if($identity !=5 ){ $description = $_POST['description']; $cost = $_POST['cost']; $query = "UPDATE `rooms` SET description='$description' cost='$cost' WHERE roomnumber='$identity'"; mysql_query($query) or die(mysql_error()); header("Location: http://www.innonmainmanasquan.com/admin/index.php?section=$identity"); } } } } } ?> Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/#findComment-923470 Share on other sites More sharing options...
trq Posted September 23, 2009 Share Posted September 23, 2009 Do you have magic_quotes_gpc enabled? If so you need to stripslashes first. Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/#findComment-923472 Share on other sites More sharing options...
TGWSE_GY Posted September 23, 2009 Author Share Posted September 23, 2009 Just checked and I don't have magic quotes enabled. Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/#findComment-923473 Share on other sites More sharing options...
trq Posted September 23, 2009 Share Posted September 23, 2009 Are you talking about retrieving data thats already in the db? If you look at your data through phpmyadmin or some other tool is there slashes stored amongst it? Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/#findComment-923475 Share on other sites More sharing options...
TGWSE_GY Posted September 23, 2009 Author Share Posted September 23, 2009 yes there is slashes in the db now Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/#findComment-923476 Share on other sites More sharing options...
trq Posted September 23, 2009 Share Posted September 23, 2009 Your data is broken then. Slashes shouldn't actually be stored in your database. You'll need to run replace quiries to fix it. eg; UPDATE tbl SET fld = REPLACE(fld,'\','') Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/#findComment-923481 Share on other sites More sharing options...
TGWSE_GY Posted September 23, 2009 Author Share Posted September 23, 2009 What are replace querys? Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/#findComment-923490 Share on other sites More sharing options...
TGWSE_GY Posted September 23, 2009 Author Share Posted September 23, 2009 A better question would be how do I ensure my data is not broken when posting to the db? Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/#findComment-923505 Share on other sites More sharing options...
jcombs_31 Posted September 23, 2009 Share Posted September 23, 2009 What are replace querys? He just showed you above a sample replace query. It does exactly that, replaces one string with another. In your case, stripping out the backslashes \ Link to comment https://forums.phpfreaks.com/topic/175207-addslashes-not-working-properly/#findComment-923511 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.