busnut Posted November 9, 2009

G'day Guys/Gals, firstly if I've posted this in the wrong section, I apologise.

I've got a script that I've downloaded off the net to edit multiple fields from my SQL database, and it works fine EXCEPT I want to add the strip slashes bit to it so it will save what I type in. However, I tried, and totally cleared 2 fields for all records on my db, so not happy.

So here is the script, can anyone help me put the stripslashes bit where it should be please... The stripslashes are important for 'item' and 'description' fields.

```php
<?php
// "db connection area"

$sql="SELECT * FROM $tbl_name ORDER BY category ASC";
$result=mysql_query($sql);

// Count table rows
$count=mysql_num_rows($result);
?>
<!-- <FORM method="post" action="<?php echo $PHP_SELF?>"> -->
<p>
<table border='1' cellspacing='0' width='100%' style='border-collapse: collapse' bordercolor='#000000'>
<form name="form1" method="post" action="">
<tr>
<th>Category/Subcategory</th>
<th>Product/Code</th>
<th>Description</th>
<th>Qty/Price 1</th>
<th>Qty/Price 2 </th>
<th>Qty/Price 3 </th>
<th>Qty/Price 4 </th>
<th>Qty/Price 5 </th>
<th>Weight/Status</th>
</tr>
<?php
while($rows=mysql_fetch_array($result)){
?>
<tr>
<? $id[]=$rows['id']; ?>
<td><input name="category[]" type="text" id="category" value="<? echo $rows['category']; ?>" size="30"><br />
<input name="subcategory[]" type="text" id="subcategory" value="<? echo $rows['subcategory']; ?>" size="30" /></td>
<td><input name="item[]" type="text" id="item" value="<? echo $rows['item']; ?>" size="30"><br />
<input name="code[]" type="text" id="code" value="<? echo $rows['code']; ?>" size="30" /></td>
<td><textarea name="description[]" cols="40" rows="3" id="description" type="text"><? echo $rows['description']; ?></textarea></td>
<td><input name="qty1[]" type="text" id="qty1" value="<? echo $rows['qty1']; ?>" size="5"><br />
<input name="price1[]" type="text" id="price1" value="<? echo $rows['price1']; ?>" size="5" /></td>
<td><input name="qty2[]" type="text" id="qty2" value="<? echo $rows['qty2']; ?>" size="5"><br />
<input name="price2[]" type="text" id="price2" value="<? echo $rows['price2']; ?>" size="5" /></td>
<td><input name="qty3[]" type="text" id="qty3" value="<? echo $rows['qty3']; ?>" size="5"><br />
<input name="price3[]" type="text" id="price3" value="<? echo $rows['price3']; ?>" size="5" /></td>
<td><input name="qty4[]" type="text" id="qty4" value="<? echo $rows['qty4']; ?>" size="5"><br />
<input name="price4[]" type="text" id="price4" value="<? echo $rows['price4']; ?>" size="5" /></td>
<td><input name="qty5[]" type="text" id="qty5" value="<? echo $rows['qty5']; ?>" size="5"><br />
<input name="price5[]" type="text" id="price5" value="<? echo $rows['price5']; ?>" size="5" /></td>
<td><input name="weight[]" type="text" id="weight" value="<? echo $rows['weight']; ?>" size="5"><br />
<input name="status[]" type="text" id="status" value="<? echo $rows['status']; ?>" size="5" /></td>
</tr>
<?php
}
?>
</table>
<input type="submit" name="Submit" value="Submit" class="button1">
</form>
<?php
// Check if button name "Submit" is status, do this
if($Submit){
for($i=0;$i<$count;$i++){
$sql1="UPDATE $tbl_name SET status='$status[$i]', category='$category[$i]', subcategory='$subcategory[$i]', item='$item[$i]', description='$description[$i]', code='$code[$i]', qty1='$qty1[$i]', price1='$price1[$i]', qty2='$qty2[$i]', price2='$price2[$i]', qty3='$qty3[$i]', price3='$price3[$i]', qty4='$qty4[$i]', price4='$price4[$i]', qty5='$qty5[$i]', price5='$price5[$i]', weight='$weight[$i]' WHERE id='$id[$i]'";
$result1=mysql_query($sql1);
}
}

if($result1){
echo "<p>Records Updated</p>";
echo('<meta http-equiv="refresh" content="0">');
}
mysql_close();
?>
```

Thank you in advance

Bricktop Posted November 9, 2009

Hi busnut,

When entering data into a database you use addslashes(). To use this function on your query, change the relevant code to read:

```php
$sql1="UPDATE $tbl_name SET status='$status[$i]', category='$category[$i]', subcategory='$subcategory[$i]', item=".addslashes($item[$i]).", description=".addslashes($description[$i]).", code='$code[$i]', qty1='$qty1[$i]', price1='$price1[$i]', qty2='$qty2[$i]', price2='$price2[$i]', qty3='$qty3[$i]', price3='$price3[$i]', qty4='$qty4[$i]', price4='$price4[$i]', qty5='$qty5[$i]', price5='$price5[$i]', weight='$weight[$i]' WHERE id='$id[$i]'";
```

You could also use the mysql_real_escape_string() function to achieve the same result:

```php
$sql1="UPDATE $tbl_name SET status='$status[$i]', category='$category[$i]', subcategory='$subcategory[$i]', item=".mysql_real_escape_string($item[$i]).", description=".mysql_real_escape_string($description[$i]).", code='$code[$i]', qty1='$qty1[$i]', price1='$price1[$i]', qty2='$qty2[$i]', price2='$price2[$i]', qty3='$qty3[$i]', price3='$price3[$i]', qty4='$qty4[$i]', price4='$price4[$i]', qty5='$qty5[$i]', price5='$price5[$i]', weight='$weight[$i]' WHERE id='$id[$i]'";
```

If your form allows the user to enter data, it would be a good idea to use mysql_real_escape_string() on all of the variables in your MySQL query. Have a look at Daniel's excellent PHP security tutorial for more information on this.

If I have misunderstood your request, and you do wish to use stripslashes() on the outputted data, change the relevant code to read:

```php
<? echo stripslashes($rows['item']); ?>
```

and

```php
<? echo stripslashes($rows['description']); ?>
```

However, the point I made above regarding mysql_real_escape_string() and PHP security is still valid.

Hope this helps.

busnut Posted November 9, 2009

G'day Bricktop, thanks for the response, but tried both ways, and neither would let me add either the quotation marks (")

I had a bit of a read of site you recommended, tried a couple of other variances, one that stuffed it all up again on me by changing the SQL updating line from " to ' and then all the records in the item field had .addslashes(

At the moment, I've changed all the words like 8" x 8" with 8in x 8in - ideally would prefer to have the quotation marks rather than the letters in

Bricktop Posted November 9, 2009

Hi busnut,

Try escaping the variables thus:

```php
$sql1="UPDATE $tbl_name SET status='$status[$i]', category='$category[$i]', subcategory='$subcategory[$i]', item='".addslashes($item[$i])."', description='".addslashes($description[$i])."', code='$code[$i]', qty1='$qty1[$i]', price1='$price1[$i]', qty2='$qty2[$i]', price2='$price2[$i]', qty3='$qty3[$i]', price3='$price3[$i]', qty4='$qty4[$i]', price4='$price4[$i]', qty5='$qty5[$i]', price5='$price5[$i]', weight='$weight[$i]' WHERE id='$id[$i]'";
```

Hope this helps.

busnut Posted November 9, 2009

When I typed in 8" x 8" Mahogany Frame, the result once 'submitted' was 8\

Better than before where it just didn't update or showed just 8 or edited every other field on me

Bricktop Posted November 9, 2009

Hi busnut,

Is it storing 8\ in the database? Or is 8\ the result of the echo statement?

busnut Posted November 9, 2009

Ok, this is weird

In the database, it stores 8\" x 8\" Mahogany Frame

on the updating page, it shows 8\

Bricktop Posted November 9, 2009

Hi busnut,

Does your server have magicquotes enabled? If so, turn it off and try again.

rvdb86 Posted November 9, 2009

Hi busnut,

I frequently use the following function when I enter information into a database:

```php
function safehtml($s)
{
    $s=str_replace("&", "&amp;", $s);
    $s=str_replace("<", "&lt;", $s);
    $s=str_replace(">", "&gt;", $s);
    $s=str_replace("'", "&#039;", $s);
    $s=str_replace("\"", "&quot;", $s);
    return $s;
}
```

This will replace the " with its ASCII equivalent so it will store nicely in the db. When you retrieve the information from the db you can undo the process with this function:

```php
function unsafehtml($s)
{
    $s=str_replace("&lt;", "<", $s);
    $s=str_replace("&gt;", ">", $s);
    $s=str_replace("&#039;", "'", $s);
    $s=str_replace("&quot;", "\"", $s);
    // decode &amp; last so that text such as "&amp;lt;" is not decoded twice
    $s=str_replace("&amp;", "&", $s);
    return $s;
}
```

Hope this helps

busnut Posted November 9, 2009

Thanks for the 2 responses guys.

The last one makes sense, although way too tired to work out where it should be at this point in time.

As for magicquotes, never heard of it. Where would I find that?

rvdb86 Posted November 9, 2009

It's quite simple actually: put the function either at the top of the page, or in an external file and include it into the page, and then all you have to do is change your SQL queries to apply the function to the variables you are inserting into the db. Here's an example:

```php
$sql1="UPDATE $tbl_name SET status='".safehtml($status[$i])."',... WHERE id='$id[$i]'";
$result1=mysql_query($sql1);
```

busnut Posted November 9, 2009

Okay thanks, I'll have a look at that a bit later on (once sleep has been had).

I think for the time being, I just might not be able to use quotes to indicate inches

But thank you, your help has been appreciated

KevinM1 Posted November 9, 2009

> Hi busnut,
>
> When entering data into a database you use addslashes(). To use this function on your query, change the relevant code to read:
>
> ```php
> $sql1="UPDATE $tbl_name SET status='$status[$i]', category='$category[$i]', subcategory='$subcategory[$i]', item=".addslashes($item[$i]).", description=".addslashes($description[$i]).", code='$code[$i]', qty1='$qty1[$i]', price1='$price1[$i]', qty2='$qty2[$i]', price2='$price2[$i]', qty3='$qty3[$i]', price3='$price3[$i]', qty4='$qty4[$i]', price4='$price4[$i]', qty5='$qty5[$i]', price5='$price5[$i]', weight='$weight[$i]' WHERE id='$id[$i]'";
> ```
>
> You could also use the mysql_real_escape_string() function to achieve the same result:
>
> ```php
> $sql1="UPDATE $tbl_name SET status='$status[$i]', category='$category[$i]', subcategory='$subcategory[$i]', item=".mysql_real_escape_string($item[$i]).", description=".mysql_real_escape_string($description[$i]).", code='$code[$i]', qty1='$qty1[$i]', price1='$price1[$i]', qty2='$qty2[$i]', price2='$price2[$i]', qty3='$qty3[$i]', price3='$price3[$i]', qty4='$qty4[$i]', price4='$price4[$i]', qty5='$qty5[$i]', price5='$price5[$i]', weight='$weight[$i]' WHERE id='$id[$i]'";
> ```
>
> If your form allows the user to enter data, it would be a good idea to use mysql_real_escape_string() on all of the variables in your MySQL query. Have a look at Daniel's excellent PHP security tutorial for more information on this.
>
> If I have misunderstood your request, and you do wish to use stripslashes() on the outputted data, change the relevant code to read:
>
> ```php
> <? echo stripslashes($rows['item']); ?>
> ```
>
> and
>
> ```php
> <? echo stripslashes($rows['description']); ?>
> ```
>
> However, the point I made above regarding mysql_real_escape_string() and PHP security is still valid.
>
> Hope this helps.

Actually, addslashes() isn't as effective as a dedicated escape function like mysql_real_escape_string() (see: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string).

When in doubt, it's always best to use the database-specific escape function.

busnut Posted November 9, 2009

Morning.

Ok in most parts of where the output of the item & description fields, they display like they should now, except only on the editing screen that is the input box, and if I just put for example:

$rows['item'] it will show 8\

if I put stripslashes($rows['item'] it will show just 8

if I put mysql_real_escape_string($rows['item'] it will show 8\\\

Somewhere it seems to not want to show 8" x 8" Mahogany Frame

keldorn Posted November 9, 2009

> if I put mysql_real_escape_string($rows['item'] it will show 8\\\

I think it's getting triple slashed, that means you have magic quotes. You can check if this is on with this quick check.

```php
<?php
phpinfo();
?>
```

If you can't turn it off you have to incorporate this into your code for compatibility.

```php
$magic_quotes = false;
// the function existing is not enough; call it to see whether magic quotes is on
if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()){
    $magic_quotes = true;
}
```

Then put your $_POST or $_GET data through this first,

```php
if($magic_quotes){
    $_POST['example'] = stripslashes($_POST['example']);
}
```

busnut Posted November 10, 2009

I found a quick way to fix this, might not be the most logical way, but so far it works.

I've changed it from an <input> to a <textarea>. Why it works that way and not as an input, I have no idea

I haven't investigated your suggestion yet Keldorn, probably something I'll look at later tonight.

But so far thanks to everyone who has contributed, most appreciated.

If somebody could explain in dummy terms to me why the text area works but not the input, that'll be appreciated.
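
Added example, not part of the original thread: the three separate steps the posts above circle around (undoing magic quotes on input, storing with bound parameters, HTML-encoding on output), which also shows why an unencoded `"` cuts an `<input>` value short while a `<textarea>` has no attribute quote to break. It uses PDO with an in-memory SQLite database in place of the thread's mysql_* calls (that extension was removed in PHP 7); the `products` table, the sample row and the helpers `h()` and `attr_value()` are constructed for illustration.

```php
<?php
// Added example (not from the thread). Column names mirror the thread's script;
// the in-memory SQLite database and the sample row are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, item TEXT, description TEXT)');
$pdo->exec("INSERT INTO products (id, item, description) VALUES (1, 'old', 'old')");

// Constructed stand-in for one submitted row of the item[] / description[] arrays.
$post = array('item' => '8" x 8" Mahogany Frame', 'description' => "O'Brien's <b>best</b>");

// 1. Input: undo magic quotes only when the server really applied them.
//    get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $post = array_map('stripslashes', $post);
}

// 2. Storage: bound parameters carry the raw text; no addslashes(), no entities.
$stmt = $pdo->prepare('UPDATE products SET item = :item, description = :description WHERE id = :id');
$stmt->execute(array(':item' => $post['item'], ':description' => $post['description'], ':id' => 1));

$row = $pdo->query('SELECT item, description FROM products WHERE id = 1')->fetch(PDO::FETCH_ASSOC);

// 3. Output: encode for HTML at the moment of echoing, never before storing.
function h($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

$unencoded = '<input name="item[]" value="' . $row['item'] . '">';     // value ends at the first "
$encoded   = '<input name="item[]" value="' . h($row['item']) . '">';  // &quot; stays inside the value
$textarea  = '<textarea name="description[]">' . h($row['description']) . '</textarea>';

// What a browser takes as the attribute value in each case.
function attr_value($html) {
    preg_match('/value="([^"]*)"/', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

echo "stored in db : ", $row['item'], "\n";
echo "raw echo     : ", attr_value($unencoded), "\n";
echo "encoded echo : ", attr_value($encoded), "\n";
echo $textarea, "\n";
```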