Strip Slashes Help


busnut


G'day Guys/Gals, firstly if I've posted this in the wrong section, I apologise.

 

I've got a script that I've downloaded off the net to edit multiple fields from my SQL database, and it works fine EXCEPT I want to add the stripslashes bit to it so it will save what I type in. However, I tried, and totally cleared 2 fields for all records on my db, so not happy. So here is the script; can anyone help me put the stripslashes bit where it should be please...

 

The stripslashes are important for 'item' and 'description' fields.

 

<?php
"db connection area"
$sql="SELECT * FROM $tbl_name ORDER BY category ASC";
$result=mysql_query($sql);

// Count table rows 
$count=mysql_num_rows($result);
?>
<!--
<FORM method="post" action="<?php echo $PHP_SELF?>">
-->

<p>
<table border='1' cellspacing='0' width='100%' style='border-collapse: collapse' bordercolor='#000000'>
<form name="form1" method="post" action="">

<tr>
<th>Category/Subcategory</th>
<th>Product/Code</th>
<th>Description</th>
<th>Qty/Price 1</th>
<th>Qty/Price 2 </th>
<th>Qty/Price 3 </th>
<th>Qty/Price 4 </th>
<th>Qty/Price 5 </th>
<th>Weight/Status</th>
</tr>
<?php
while($rows=mysql_fetch_array($result)){
?>
<tr>
<? $id[]=$rows['id']; ?>
<td><input name="category[]" type="text" id="category" value="<? echo $rows['category']; ?>" size="30"><br />
  <input name="subcategory[]" type="text" id="subcategory" value="<? echo $rows['subcategory']; ?>" size="30" /></td>
<td><input name="item[]" type="text" id="item" value="<? echo $rows['item']; ?>" size="30"><br />
  <input name="code[]" type="text" id="code" value="<? echo $rows['code']; ?>" size="30" /></td>
<td><textarea name="description[]" cols="40" rows="3" id="description" type="text"><? echo $rows['description']; ?></textarea></td>
<td><input name="qty1[]" type="text" id="qty1" value="<? echo $rows['qty1']; ?>" size="5"><br />
  <input name="price1[]" type="text" id="price1" value="<? echo $rows['price1']; ?>" size="5" /></td>
<td><input name="qty2[]" type="text" id="qty2" value="<? echo $rows['qty2']; ?>" size="5"><br />
  <input name="price2[]" type="text" id="price2" value="<? echo $rows['price2']; ?>" size="5" /></td>
<td><input name="qty3[]" type="text" id="qty3" value="<? echo $rows['qty3']; ?>" size="5"><br />
  <input name="price3[]" type="text" id="price3" value="<? echo $rows['price3']; ?>" size="5" /></td>
<td><input name="qty4[]" type="text" id="qty4" value="<? echo $rows['qty4']; ?>" size="5"><br />
  <input name="price4[]" type="text" id="price4" value="<? echo $rows['price4']; ?>" size="5" /></td>
<td><input name="qty5[]" type="text" id="qty5" value="<? echo $rows['qty5']; ?>" size="5"><br />
  <input name="price5[]" type="text" id="price5" value="<? echo $rows['price5']; ?>" size="5" /></td>
<td><input name="weight[]" type="text" id="weight" value="<? echo $rows['weight']; ?>" size="5"><br />
  <input name="status[]" type="text" id="status" value="<? echo $rows['status']; ?>" size="5" /></td>
</tr>
<?php
}
?>
</table>
<input type="submit" name="Submit" value="Submit" class="button1">
</form>
<?php
// Check if button name "Submit" is status, do this 

if($Submit){

for($i=0;$i<$count;$i++){

$sql1="UPDATE $tbl_name SET status='$status[$i]', category='$category[$i]', subcategory='$subcategory[$i]', item='$item[$i]', description='$description[$i]', code='$code[$i]', qty1='$qty1[$i]', price1='$price1[$i]', qty2='$qty2[$i]', price2='$price2[$i]', qty3='$qty3[$i]', price3='$price3[$i]', qty4='$qty4[$i]', price4='$price4[$i]', qty5='$qty5[$i]', price5='$price5[$i]', weight='$weight[$i]' WHERE id='$id[$i]'";
$result1=mysql_query($sql1);
}
}

if($result1){
echo "<p>Records Updated</p>";
echo('<meta http-equiv="refresh" content="0">'); 
}
mysql_close();
?>

 

Thank you in advance


Hi busnut,

 

When entering data into a database you use addslashes().

 

To use this function on your query, change the relevant code to read:

 

$sql1="UPDATE $tbl_name SET status='$status[$i]', category='$category[$i]', subcategory='$subcategory[$i]', item=".addslashes($item[$i]).", description=".addslashes($description[$i]).", code='$code[$i]', qty1='$qty1[$i]', price1='$price1[$i]', qty2='$qty2[$i]', price2='$price2[$i]', qty3='$qty3[$i]', price3='$price3[$i]', qty4='$qty4[$i]', price4='$price4[$i]', qty5='$qty5[$i]', price5='$price5[$i]', weight='$weight[$i]' WHERE id='$id[$i]'";

 

You could also use the mysql_real_escape_string() function to achieve the same result:

 

$sql1="UPDATE $tbl_name SET status='$status[$i]', category='$category[$i]', subcategory='$subcategory[$i]', item=".mysql_real_escape_string($item[$i]).", description=".mysql_real_escape_string($description[$i]).", code='$code[$i]', qty1='$qty1[$i]', price1='$price1[$i]', qty2='$qty2[$i]', price2='$price2[$i]', qty3='$qty3[$i]', price3='$price3[$i]', qty4='$qty4[$i]', price4='$price4[$i]', qty5='$qty5[$i]', price5='$price5[$i]', weight='$weight[$i]' WHERE id='$id[$i]'";

 

If your form allows the user to enter data, it would be a good idea to use mysql_real_escape_string() on all of the variables in your MySQL query.  Have a look at Daniel's excellent PHP security tutorial for more information on this.

 

If I have misunderstood your request, and you do wish to use stripslashes() on the outputted data, change the relevant code to read:

 

<? echo stripslashes($rows['item']); ?>

 

and

 

<? echo stripslashes($rows['description']); ?>

 

However, the point I made above regarding mysql_real_escape_string() and PHP security is still valid.

 

Hope this helps.


G'day Bricktop, thanks for the response, but I tried both ways, and neither would let me add the quotation marks (").

I had a bit of a read of the site you recommended and tried a couple of other variants, one of which stuffed it all up again on me: by changing the SQL updating line from " to ', all the records in the item field ended up containing .addslashes(

 

At the moment I've changed all the words like 8" x 8" to 8in x 8in; ideally I would prefer to have the quotation marks rather than the letters in.


Hi busnut,

 

Try escaping the variables thus:

 

$sql1="UPDATE $tbl_name SET status='$status[$i]', category='$category[$i]', subcategory='$subcategory[$i]', item='".addslashes($item[$i])."', description='".addslashes($description[$i])."', code='$code[$i]', qty1='$qty1[$i]', price1='$price1[$i]', qty2='$qty2[$i]', price2='$price2[$i]', qty3='$qty3[$i]', price3='$price3[$i]', qty4='$qty4[$i]', price4='$price4[$i]', qty5='$qty5[$i]', price5='$price5[$i]', weight='$weight[$i]' WHERE id='$id[$i]'";

Hope this helps.

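The quoting mistake in the first suggestion (escaped value, but no quotes around it) is easy to miss in a long UPDATE line, so here is the thread's statement built three ways on the value busnut is trying to store. This is an added example, not code from the thread; the table and column names (products, item, id) and the sample values are constructed for the demo, addslashes() stands in for the driver escape function so it runs without a MySQL server, and the bound-parameter version runs against an in-memory SQLite table through PDO (the pdo_sqlite extension, enabled in default builds).

```php
<?php
// Added example (not code from the thread). Builds the UPDATE three ways and
// runs the bound-parameter version against in-memory SQLite. Table/column
// names (products, item, id) and sample values are constructed for the demo.

// addslashes() stands in for the driver escape function so this runs offline;
// on a real MySQL link use mysqli_real_escape_string($link, $v), which also
// knows the connection character set (the mysql_* extension is gone in PHP 7).
function esc($v) {
    return addslashes($v);
}

// As in the original script: the value is dropped into the SQL unescaped.
function update_raw($item, $id) {
    return "UPDATE products SET item='$item' WHERE id='$id'";
}

// The first suggestion in this thread: escaped, but the quotes around the
// value are missing, so MySQL sees bare words where it expects a string literal.
function update_escaped_unquoted($item, $id) {
    return "UPDATE products SET item=" . esc($item) . " WHERE id='" . esc($id) . "'";
}

// The corrected form: escaped value inside its own pair of quotes.
function update_escaped_quoted($item, $id) {
    return "UPDATE products SET item='" . esc($item) . "' WHERE id='" . esc($id) . "'";
}

// Bound parameters: the value never becomes part of the SQL text, so there is
// no escaping to do and no quoting to get wrong.
function update_bound(PDO $db, $id, $item) {
    $stmt = $db->prepare("UPDATE products SET item = :item WHERE id = :id");
    $stmt->execute(array(':item' => $item, ':id' => $id));
    return $stmt->rowCount();
}

function read_item(PDO $db, $id) {
    $stmt = $db->prepare("SELECT item FROM products WHERE id = :id");
    $stmt->execute(array(':id' => $id));
    return $stmt->fetchColumn();
}

$item = '8" x 8" Mahogany Frame';
// A hostile "item" value (constructed): with update_raw() its single quote ends
// the string literal and the rest becomes SQL, so every row gets updated.
$hostile = "x' WHERE 1=1 -- ";

foreach (array($item, $hostile) as $v) {
    echo update_raw($v, 7), "\n";              // the value's quotes become SQL syntax
    echo update_escaped_unquoted($v, 7), "\n"; // syntax error: no string literal at all
    echo update_escaped_quoted($v, 7), "\n\n"; // one string literal, quotes escaped inside it
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, item TEXT)");
$db->exec("INSERT INTO products (id, item) VALUES (7, 'placeholder'), (8, 'untouched')");
update_bound($db, 7, $hostile);           // stored as a plain string; row 8 is unaffected
update_bound($db, 7, $item);
var_dump(read_item($db, 7) === $item);    // the quotes survive the round trip unchanged
var_dump(read_item($db, 8));
```

The check to apply to any concatenated query: print the finished `$sql1` once with a value containing a quote and confirm every value sits between its own pair of quotes. If the driver supports bound parameters (PDO or mysqli), that check becomes unnecessary, and nothing has to be stripped on the way back out because nothing was added on the way in.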

Hi busnut,

 

I frequently use the following function when I enter information into a database:

function safehtml($s)
{
    // Replace & first so the entities added below are not re-encoded.
    $s=str_replace("&", "&amp;", $s);
    $s=str_replace("<", "&lt;", $s);
    $s=str_replace(">", "&gt;", $s);
    $s=str_replace("'", "&#039;", $s);
    $s=str_replace("\"", "&quot;", $s);
    return $s;
}

 

This will replace the " with its ascii equivalent so it will store nicely in the db

 

when you retrieve the information from the db you can undo the process with this function:

function unsafehtml($s)
{
    // Reverse order of safehtml(): decode &amp; last, otherwise a stored
    // "&amp;lt;" would be turned into "<" instead of the literal "&lt;".
    $s=str_replace("&quot;", "\"", $s);
    $s=str_replace("&#039;", "'", $s);
    $s=str_replace("&gt;", ">", $s);
    $s=str_replace("&lt;", "<", $s);
    $s=str_replace("&amp;", "&", $s);
    return $s;
}

 

Hope this helps


It's quite simple actually: put the function either at the top of the page or in an external file and include it into the page, and then all you have to do is change your SQL queries to apply the function to the variables you are inserting into the db.

 

heres an example:

 

// The call has to be concatenated in; written inside the double-quoted string it
// would be stored as the literal text safehtml(...) rather than executed.
$sql1="UPDATE $tbl_name SET status='".safehtml($status[$i])."',... WHERE id='$id[$i]'";
$result1=mysql_query($sql1);

 



Actually, addslashes() isn't as effective as a dedicated escape function like mysql_real_escape_string() (see: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string).  When in doubt, it's always best to use the database-specific escape function.


Morning. OK, in most places where the item & description fields are output they display like they should now, except on the editing screen, that is the input box, and if I just put for example:

$rows['item'] it will show 8\

if I put stripslashes($rows['item']) it will show just 8

if I put mysql_real_escape_string($rows['item']) it will show 8\\\

Somewhere it seems to not wanting to show 8" x 8" Mahogany Frame

 


if I put mysql_real_escape_string($rows['item']) it will show 8\\\

 

I think it's getting triple slashed, which means you have magic quotes on. You can check whether this is on with this quick check.

 

<?php
phpinfo();
?>

 

 

If you can't turn it off, you have to incorporate this into your code for compatibility.

$magic_quotes = false;
// get_magic_quotes_gpc() exists on every PHP 4/5 build, so checking that the
// function exists is not enough; its return value says whether slashes were added.
if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()){

         $magic_quotes = true;

}

 

 

Then put your $_POST or $_GET data through this first,

 

if($magic_quotes){

    $_POST['example']  = stripslashes($_POST['example']);

}


I found a quick way to fix this, might not be the most logical way, but so far it works. I've changed it from an <input> to a <textarea>.

Why it works that way and not as an input, I have no idea :(

 

I haven't investigated your suggestion yet Keldorn, probably something i'll look at later tonight.

But so far thanks to everyone who has contributed, most appreciated. If somebody could explain in dummy terms to me why the text area works but not the input, that'll be appreciated.

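The three values busnut saw in the edit box (8\, 8 and 8\\\) and the textarea "fix" can be reproduced from one stored value, which makes the cause visible: the stored item has a stray backslash from being escaped twice (magic quotes plus addslashes), and the unencoded double quote in the value ends the `value="..."` attribute, while a textarea has no attribute to end. This is an added example, not code from the thread; the posted request array and the "stored" value are constructed, addslashes() stands in for mysql_real_escape_string() so the script runs without a MySQL server, and the regex only imitates what a browser keeps from a value attribute.

```php
<?php
// Added example (not code from the thread). Reproduces the edit-box symptoms
// reported above from one constructed stored value, then shows the two fixes:
// undo magic_quotes_gpc exactly once on the way in, and HTML-encode the value
// on the way out. addslashes() stands in for mysql_real_escape_string().

// True when PHP itself added backslashes to $_GET/$_POST/$_COOKIE. The
// function no longer exists in PHP 8 (no magic quotes there), hence the guard.
function magic_quotes_on() {
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Strip the slashes magic quotes added, recursing into item[] style arrays.
// Done once on the request, before the SQL escape function is applied once,
// so the two never stack up into 8\\\" style values.
function undo_magic_quotes($value, $magic_on) {
    if (!$magic_on) {
        return $value;
    }
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $k => $v) {
            $clean[$k] = undo_magic_quotes($v, $magic_on);
        }
        return $clean;
    }
    return stripslashes($value);
}

// What a browser keeps from value="...": everything up to the next double
// quote. A <textarea> has no attribute delimiter to collide with, which is
// why switching the field to one hid the problem.
function value_as_browser_sees_it($html) {
    if (!preg_match('/value="([^"]*)"/', $html, $m)) {
        return null;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// As in the original script: the raw value goes straight into the attribute.
function input_unencoded($v) {
    return '<input name="item[]" type="text" value="' . $v . '">';
}

// The fix for the output side: encode the quote as &quot; for the attribute.
function input_encoded($v) {
    return '<input name="item[]" type="text" value="' . htmlspecialchars($v, ENT_QUOTES, 'UTF-8') . '">';
}

$typed = '8" x 8" Mahogany Frame';

// Constructed request: with magic_quotes_gpc=On, PHP hands the typed value over
// with a backslash before each quote, exactly as addslashes() would produce.
$posted = array('item' => array(addslashes($typed)));
$clean  = undo_magic_quotes($posted, true);   // in real code: undo_magic_quotes($_POST, magic_quotes_on())
var_dump($clean['item'][0] === $typed);       // slashes gone, value as typed

// Escaping the already-slashed value again (original script plus addslashes)
// sends 8\\\" to MySQL, which decodes one level and stores 8\" - a stray backslash.
$stored = stripslashes(addslashes($posted['item'][0]));   // mimics MySQL decoding the literal once
var_dump($stored);

// The three things busnut reported for $rows['item'], stripslashes(...) and
// mysql_real_escape_string(...): each is cut off at the first double quote,
// because that quote ends the attribute.
echo value_as_browser_sees_it(input_unencoded($stored)), "\n";
echo value_as_browser_sees_it(input_unencoded(stripslashes($stored))), "\n";
echo value_as_browser_sees_it(input_unencoded(addslashes($stored))), "\n";

// Stored as typed and HTML-encoded for the attribute, the whole string comes back.
var_dump(value_as_browser_sees_it(input_encoded($typed)) === $typed);
```

The two fixes are independent: undo_magic_quotes() belongs at the top of the script (before any escaping or UPDATE), and htmlspecialchars() belongs on every value echoed into an attribute or element, the textarea included, since a description containing `</textarea>` would otherwise break out of the field the same way the quote breaks out of the input.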
