Jump to content

mysql_escape_string

richardsanchez@hotmail

By richardsanchez@hotmail
in PHP Coding Help

Recommended Posts

richardsanchez@hotmail Newbie

richardsanchez@hotmail

Posted
Posted

I manage a website where people can add news through an admin section. Everything but 1 thing works fine. When I or my member use the    '  sign the code on my page gives an error.

 

I use this code: <?php echo str_replace('"', '"', trim($row["content_msg"])) ?>

 

Someone told me that the problems comes because the script thinks you end a string with '

 

"mysql_escape_string" should fix it. Can someone help me with this?

Link to comment
https://forums.phpfreaks.com/topic/181494-mysql_escape_string/
Share on other sites
richardsanchez@hotmail Newbie

richardsanchez@hotmail

Posted
  • Author
Posted

Yes, your code doesn't cover all the eventualities required. It is generally better (and faster) to use the in built functions designed for the job. The 'mysql_escape_string' is deprecated now, look here for how to use mysql-real-escape-string

 

I've tried a few times but cannot find the right syntax in the help files

 

 

<?php echo str_replace('"', '"', trim($row["content_msg"])) ?>  (original code)

 

Tried this:

<?php echo str_replace('"', '"', mysql_real_escape_string($row["content_msg"])) ?>

 

But is does not work?

Link to comment
https://forums.phpfreaks.com/topic/181494-mysql_escape_string/#findComment-957422
Share on other sites
richardsanchez@hotmail Newbie

richardsanchez@hotmail

Posted
  • Author
Posted

Ok, here you got my full php code. A little over the middle you will find the section where I want to edit newsarticles (content_msg). There you will find the code I've mentioned before. Everything is in the same page (add news, edit news, delete news)

 

<?php

 

define('IN_PHPBB', true);

 

$phpbb_root_path = './'; // <--

include($phpbb_root_path . 'extension.inc');

include($phpbb_root_path . 'common.'.$phpEx);

 

$userdata = session_pagestart($user_ip, PAGE_INDEX);

init_userprefs($userdata);

 

 

session_start();

  if (isset($_GET["order"])) $order = @$_GET["order"];

  if (isset($_GET["type"])) $ordtype = @$_GET["type"];

 

  if (!isset($order) && isset($_SESSION["order"])) $order = $_SESSION["order"];

  if (!isset($ordtype) && isset($_SESSION["type"])) $ordtype = $_SESSION["type"];

 

?>

 

 

<?

 

if ($userdata["user_level"] < 1){

die();

}

 

?>

 

 

 

 

<?php

  $conn = connect();

  $showrecs = 20;

  $pagerange = 10;

 

  $a = @$_GET["a"];

  $recid = @$_GET["recid"];

  $page = @$_GET["page"];

  if (!isset($page)) $page = 1;

 

  $sql = @$_POST["sql"];

 

  switch ($sql) {

    case "insert":

      sql_insert();

      break;

    case "update":

      sql_update();

      break;

    case "delete":

      sql_delete();

      break;

  }

 

  switch ($a) {

    case "add":

      addrec();

      break;

    case "edit":

      editrec($recid);

      break;

    case "del":

      deleterec($recid);

      break;

    default:

      select();

      break;

  }

 

  if (isset($order)) $_SESSION["order"] = $order;

  if (isset($ordtype)) $_SESSION["type"] = $ordtype;

 

  mysql_close($conn);

?>

 

 

<?php function select()

  {

  global $a;

  global $showrecs;

  global $page;

  global $order;

  global $ordtype;

 

 

  if ($a == "reset") {

    $order = "";

    $ordtype = "";

  }

 

  if ($ordtype == "asc") { $ordtypestr = "desc"; } else { $ordtypestr = "asc"; }

  $res = sql_select();

  $count = sql_getrecordcount();

  if ($count % $showrecs != 0) {

    $pagecount = intval($count / $showrecs) + 1;

  }

  else {

    $pagecount = intval($count / $showrecs);

  }

  $startrec = $showrecs * ($page - 1);

  if ($startrec < $count) {mysql_data_seek($res, $startrec);}

  $reccount = min($showrecs * $page, $count);

?>

<table class="bd" border="0" cellspacing="1" cellpadding="4">

 

<tr><td>Nieuwsberichten <?php echo $startrec + 1 ?> - <?php echo $reccount ?> van de <?php echo $count ?></td></tr>

</table>

<hr size="1" noshade>

<?php showpagenav($page, $pagecount); ?>

<br>

<table class="tbl" border="0" cellspacing="1" cellpadding="5"width="100%">

<tr>

<td class="hr"> </td>

<td class="hr"> </td>

<td class="hr"><a class="hr" href="rmnl_content.php?order=<?php echo "content_id" ?>&type=<?php echo $ordtypestr ?>"><?php echo htmlspecialchars("Nummer") ?></a></td>

<td class="hr"><a class="hr" href="rmnl_content.php?order=<?php echo "lp_content_aid" ?>&type=<?php echo $ordtypestr ?>"><?php echo htmlspecialchars("Auteur") ?></a></td>

<td class="hr"><a class="hr" href="rmnl_content.php?order=<?php echo "content_title" ?>&type=<?php echo $ordtypestr ?>"><?php echo htmlspecialchars("Titel") ?></a></td>

<td class="hr"><a class="hr" href="rmnl_content.php?order=<?php echo "content_type" ?>&type=<?php echo $ordtypestr ?>"><?php echo htmlspecialchars("Definitief?") ?></a></td>

<td class="hr"><a class="hr" href="rmnl_content.php?order=<?php echo "content_spotlight" ?>&type=<?php echo $ordtypestr ?>"><?php echo htmlspecialchars("Hoofdpunt?") ?></a></td>

 

 

 

</tr>

<?php

  for ($i = $startrec; $i < $reccount; $i++)

  {

    $row = mysql_fetch_assoc($res);

    $style = "dr";

    if ($i % 2 != 0) {

      $style = "sr";

    }

?>

 

 

 

<tr>

<td class="<?php echo $style ?>"><a href="rmnl_content.php?a=edit&recid=<?php echo $i ?>">Edit</a></td>

<td class="<?php echo $style ?>"><a href="rmnl_content.php?a=del&recid=<?php echo $i ?>">Delete</a></td>

<td class="<?php echo $style ?>"><?php echo htmlspecialchars($row["content_id"]) ?><? "ORDER BY 'content_id' DESC LIMIT 0 , 1"?></td>

<td class="<?php echo $style ?>"><?php echo htmlspecialchars($row["lp_content_aid"]) ?></td>

<td class="<?php echo $style ?>"><?php echo htmlspecialchars($row["content_title"]) ?></td>

<td class="<?php echo $style ?>"><?php echo htmlspecialchars($row["content_type"]) ?></td>

<td class="<?php echo $style ?>"><?php echo htmlspecialchars($row["content_spotlight"]) ?></td>

 

 

</tr>

<?php

  }

  mysql_free_result($res);

?>

</table>

<br>

<?php showpagenav($page, $pagecount); ?>

<?php } ?>

 

<?php function login_delete($recid)

{

  global $_POST;

  global $_SESSION;

  if (!isset($_SESSION["logged_delete"])) $_SESSION["logged_delete"] = false;

  if (!$_SESSION["logged_delete"]) {

    $login = "";

    $password = "";

    if (isset($_POST["login_delete"])) $login = @$_POST["login_delete"];

    if (isset($_POST["password_delete"])) $password = @$_POST["password_delete"];

 

    if (($login != "") && ($password != "")) {

      if (($login == "richard") && ($password == "password")) {

        $_SESSION["logged_delete"] = true;

    }

    else {

?>

<p><b><font color="-1">Sorry, de login/wachtwoord combinatie is niet geldig</font></b></p>

<?php } } }if (isset($_SESSION["logged_delete"]) && (!$_SESSION["logged_delete"])) { ?>

<form action="rmnl_content.php?a=del&recid=<?php echo $recid ?>" method="post">

<table class="bd" border="0" cellspacing="1" cellpadding="4">

<tr>

<td>Login</td>

<td><input type="text" name="login_delete" value="<?php echo $login ?>"></td>

</tr>

<tr>

<td>Wachtwoord</td>

<td><input type="password" name="password_delete" value="<?php echo $password ?>"></td>

</tr>

<tr>

<td><input type="submit" name="action" value="Login"></td>

</tr>

</table>

</form>

<?php

  }

  if (!isset($_SESSION["logged_delete"])) $_SESSION["logged_delete"] = false;

  return $_SESSION["logged_delete"];

} ?>

 

<?php function showrow($row, $recid)

  {

?>

<table class="tbl" border="0" cellspacing="1" cellpadding="5"width="50%">

<tr>

<td class="hr"><?php echo htmlspecialchars("Nummer")." " ?></td>

<td class="dr"><?php echo htmlspecialchars($row["content_id"]) ?></td>

</tr>

<tr>

<td class="hr"><?php echo htmlspecialchars("Auteur")." " ?></td>

<td class="dr"><?php echo htmlspecialchars($row["lp_content_aid"]) ?></td>

</tr>

<tr>

<td class="hr"><?php echo htmlspecialchars("Soort")." " ?></td>

<td class="dr"><?php echo htmlspecialchars($row["content_type"]) ?></td>

</tr>

<tr>

<td class="hr"><?php echo htmlspecialchars("Titel")." " ?></td>

<td class="dr"><?php echo htmlspecialchars($row["content_title"]) ?></td>

</tr>

<tr>

<td class="hr"><?php echo htmlspecialchars("Bericht")." " ?></td>

<td class="dr"><?php echo htmlspecialchars($row["content_msg"]) ?></td>

</tr>

<tr>

<td class="hr"><?php echo htmlspecialchars("Hoofdpunt")." " ?></td>

<td class="dr"><?php echo htmlspecialchars($row["content_spotlight"]) ?></td>

</tr>

<tr>

<td class="hr"><?php echo htmlspecialchars("Bron")." " ?></td>

<td class="dr"><?php echo htmlspecialchars($row["content_source"]) ?></td>

</tr>

<tr>

<td class="hr"><?php echo htmlspecialchars("Bron link")." " ?></td>

<td class="dr"><?php echo htmlspecialchars($row["content_source_url"]) ?></td>

</tr>

<tr>

<td class="hr"><?php echo htmlspecialchars("Foto")." " ?></td>

<td class="dr"><?php echo htmlspecialchars($row["content_img"]) ?></td>

</tr>

<tr>

<td class="hr"><?php echo htmlspecialchars("Tekst plaatje")." " ?></td>

<td class="dr"><?php echo htmlspecialchars($row["content_img_description"]) ?></td>

</tr>

</table>

<?php } ?>

 

<?php function showroweditor($row, $iseditmode)

  {

  global $conn;

?>

<table><tr><td>

<table class="tbl" border="0" cellspacing="1" cellpadding="5"width="50%">

<tr>

<td class="hr"><?php echo htmlspecialchars("Auteur")." " ?></td>

<td class="dr"><select name="content_aid">

<?php

  $sql = "select `crew_id`, `crew_name` from `rmnl_crew`";

  $res = mysql_query($sql, $conn) or die(mysql_error());

 

  while ($lp_row = mysql_fetch_assoc($res)){

  $val = $lp_row["crew_id"];

  $caption = $lp_row["crew_name"];

  if ($row["content_aid"] == $val) {$selstr = " selected"; } else {$selstr = ""; }

?><option value="<?php echo $val ?>"<?php echo $selstr ?>><?php echo $caption ?></option>

<?php } ?></select>

</td >

</tr>

 

 

 

 

 

<tr>

<td class="hr"><?php echo htmlspecialchars("Hoofdpunt?")." " ?></td>

<td class="dr"><select name="content_spotlight">

<?php

  $lookupvalues = array("0","1");

 

  reset($lookupvalues);

  foreach($lookupvalues as $val){

  $caption = $val;

  if ($row["content_spotlight"] == $val) {$selstr = " selected"; } else {$selstr = ""; }

?><option value="<?php echo $val ?>"<?php echo $selstr ?>><?php echo $caption ?></option>

<?php } ?></select>  0=nee, 1=ja

</td>

</tr>

<tr>

<td class="hr"><?php echo htmlspecialchars("Definitief?")." " ?></td>

<td class="dr"><select name="content_type">

<?php

  $lookupvalues = array("1","0");

 

  reset($lookupvalues);

  foreach($lookupvalues as $val){

  $caption = $val;

  if ($row["content_type"] == $val) {$selstr = " selected"; } else {$selstr = ""; }

?><option value="<?php echo $val ?>"<?php echo $selstr ?>><?php echo $caption ?></option>

<?php } ?></select>  0=nee, 1=ja

</td>

</tr>

<tr>

<td class="hr">

 

<?php echo htmlspecialchars("Titel")." " ?></td>

<td class="dr"><input type="text" size="53" name="content_title" maxlength="255" value ="<?php echo str_replace('"', '"', trim($row["content_title"])) ?>"></td>

</tr>

<tr>

<td class="hr"><?php echo htmlspecialchars("Bron")." " ?></td>

<td class="dr"><input type="text" size="53" name="content_source" maxlength="255" value ="<?php echo str_replace('"', '"', trim($row["content_source"])) ?>"></td>

</tr>

<tr>

<td class="hr"><?php echo htmlspecialchars("Bron link")." " ?></td>

<td class="dr"><input type="text" size="53" name="content_source_url" maxlength="255" value ="<?php echo str_replace('"', '"', trim($row["content_source_url"])) ?>"></td>

</tr>

<tr>

 

<td class="hr"><?php echo htmlspecialchars("Foto")." " ?></td>

<td class="dr"><select name="content_img" id="content_img">

 

 

<option value="">

<?php

$dirPath = dir('media/images/content');

$imgArray = array();

while (($file = $dirPath->read()) !== false)

{

  if ((substr($file, -3)=="gif") || (substr($file, -3)=="jpg") || (substr($file, -3)=="png"))

  {

    $imgArray[ ] = trim($file);

  }

}

$dirPath->close();

sort($imgArray);

$c = count($imgArray);

$image = trim($row["content_img"]);

for($i=0; $i<$c; $i++) {

    $selected = (isset($image) && $image == $imgArray[$i]) ? "selected" : "";

    echo "<option value='{$imgArray[$i]}' $selected>{$imgArray[$i]}</option>\n";

}

 

 

 

 

?></option>

</select>

 

 

 

</td>

 

</tr>

 

<tr>

<td class="hr"><?php echo htmlspecialchars("Tekst plaatje")." " ?></td>

<td class="dr"><input type="text" size="53" name="content_img_description" maxlength="255" value="<?php echo str_replace('"', '"', trim($row["content_img_description"])) ?>"></td>

</tr>

<tr><td><input type="hidden" name="content_date" value="<?php print(date("d-m-Y")); ?>" ></td>

</tr>

 

 

</table> </td>

<td><table>

 

<tr>

<td class="hr"><?php echo htmlspecialchars("Bericht")." " ?></td>

<td class="dr"><textarea cols="80" rows="20" name="content_msg" maxlength="255"><?php echo str_replace('"', '"', trim($row["content_msg"])) ?></textarea></td>

</tr>

 

 

 

 

 

</table> </td></tr></table>

<?php } ?>

 

<?php function showpagenav($page, $pagecount)

{

?>

<table class="bd" border="0" cellspacing="1" cellpadding="4">

<tr>

<td><a href="rmnl_content.php?a=add">Artikel toevoegen</a> </td>

<?php if ($page > 1) { ?>

<td><a href="rmnl_content.php?page=<?php echo $page - 1 ?>"><< Vorige</a> </td>

<?php } ?>

<?php

  global $pagerange;

 

  if ($pagecount > 1) {

 

  if ($pagecount % $pagerange != 0) {

    $rangecount = intval($pagecount / $pagerange) + 1;

  }

  else {

    $rangecount = intval($pagecount / $pagerange);

  }

  for ($i = 1; $i < $rangecount + 1; $i++) {

    $startpage = (($i - 1) * $pagerange) + 1;

    $count = min($i * $pagerange, $pagecount);

 

    if ((($page >= $startpage) && ($page <= ($i * $pagerange)))) {

      for ($j = $startpage; $j < $count + 1; $j++) {

        if ($j == $page) {

?>

<td><b><?php echo $j ?></b></td>

<?php } else { ?>

<td><a href="rmnl_content.php?page=<?php echo $j ?>"><?php echo $j ?></a></td>

<?php } } } else { ?>

<td><a href="rmnl_content.php?page=<?php echo $startpage ?>"><?php echo $startpage ."..." .$count ?></a></td>

<?php } } } ?>

<?php if ($page < $pagecount) { ?>

<td> <a href="rmnl_content.php?page=<?php echo $page + 1 ?>">Volgende >></a> </td>

<?php } ?>

</tr>

</table>

<?php } ?>

 

<?php function showrecnav($a, $recid, $count)

{

?>

<table class="bd" border="0" cellspacing="1" cellpadding="4">

<tr>

<td><a href="rmnl_content.php">Artikel overzicht</a></td>

<?php if ($recid > 0) { ?>

<td><a href="rmnl_content.php?a=<?php echo $a ?>&recid=<?php echo $recid - 1 ?>">Vorig bericht</a></td>

<?php } if ($recid < $count - 1) { ?>

<td><a href="rmnl_content.php?a=<?php echo $a ?>&recid=<?php echo $recid + 1 ?>">Volgend bericht</a></td>

<?php } ?>

</tr>

</table>

<hr size="1" noshade>

<?php } ?>

 

<?php function addrec()

{

?>

<table class="bd" border="0" cellspacing="1" cellpadding="4">

<tr>

<td><a href="rmnl_content.php">Hoofdpagina</a></td>

</tr>

</table>

<hr size="1" noshade>

<form enctype="multipart/form-data" action="rmnl_content.php" method="post">

<p><input type="hidden" name="sql" value="insert"></p>

 

 

<?php

$row = array(

  "content_id" => "",

  "content_objid" => "",

  "content_objtype" => "",

  "content_aid" => "",

  "content_type" => "",

  "content_date" =>"",

  "content_time" => "",

  "content_title" => "",

  "content_msg" => "",

  "content_spotlight" => "",

  "content_source" => "",

  "content_source_url" => "",

  "content_img" => "",

  "content_comments_disabled" => "",

  "content_img_description" => "");

showroweditor($row, false);

?>

<p><input type="submit" name="action" value="Post"></p>

</form>

 

 

<?php } ?>

<?php function editrec($recid)

{

  $res = sql_select();

  $count = sql_getrecordcount();

  mysql_data_seek($res, $recid);

  $row = mysql_fetch_assoc($res);

  showrecnav("edit", $recid, $count);

?>

<br>

<form enctype="multipart/form-data" action="rmnl_content.php" method="post">

<input type="hidden" name="sql" value="update">

<input type="hidden" name="xcontent_id" value="<?php echo $row["content_id"] ?>">

 

 

<?php showroweditor($row, true); ?>

<p><input type="submit" name="action" value="Post"></p>

</form>

<?php

  mysql_free_result($res);

} ?>

 

<?php function deleterec($recid)

{

  if (!login_delete($recid)) exit;

  $res = sql_select();

  $count = sql_getrecordcount();

  mysql_data_seek($res, $recid);

  $row = mysql_fetch_assoc($res);

  showrecnav("del", $recid, $count);

?>

<br>

<form action="rmnl_content.php" method="post">

<input type="hidden" name="sql" value="delete">

<input type="hidden" name="xcontent_id" value="<?php echo $row["content_id"] ?>">

<?php showrow($row, $recid) ?>

<p><input type="submit" name="action" value="Bevestigen"></p>

</form>

<?php

  mysql_free_result($res);

} ?>

 

 

 

 

<?php function connect()

{

  $conn = mysql_connect("net3-nl-mysql-12.vevida.net", "username", "password");

  mysql_select_db("database2");

  return $conn;

}

 

function sqlvalue($val, $quote)

{

  if ($quote)

    $tmp = sqlstr($val);

  else

    $tmp = $val;

  if ($tmp == "")

    $tmp = "NULL";

  elseif ($quote)

    $tmp = "'".$tmp."'";

  return $tmp;

}

 

function sqlstr($val)

{

  return str_replace("'", "''", $val);

}

 

function sql_select()

{

  global $conn;

  global $order;

  global $ordtype;

  $sql = "SELECT * FROM (SELECT t1.`content_id`, t1.`content_objid`, t1.`content_objtype`, t1.`content_aid`, lp3.`crew_name` AS `lp_content_aid`, t1.`content_type`, t1.`content_date`, t1.`content_time`, t1.`content_title`, t1.`content_msg`, t1.`content_spotlight`, t1.`content_source`, t1.`content_source_url`, t1.`content_img`, t1.`content_comments_disabled`, t1.`content_img_description` FROM `rmnl_content` AS t1 LEFT OUTER JOIN `rmnl_crew` AS lp3 ON (t1.`content_aid` = lp3.`crew_id`)) subq";

  if (isset($order) && $order!='') $sql .= " order by `" .sqlstr($order) ."`";

  if (isset($ordtype) && $ordtype!='') $sql .= " " .sqlstr($ordtype);

  $res = mysql_query($sql, $conn) or die(mysql_error());

  return $res;

}

 

function sql_getrecordcount()

{

  global $conn;

  global $order;

  global $ordtype;

  $sql = "SELECT COUNT(*) FROM (SELECT t1.`content_id`, t1.`content_objid`, t1.`content_objtype`, t1.`content_aid`, lp3.`crew_name` AS `lp_content_aid`, t1.`content_type`, t1.`content_date`, t1.`content_time`, t1.`content_title`, t1.`content_msg`, t1.`content_spotlight`, t1.`content_source`, t1.`content_source_url`, t1.`content_img`, t1.`content_comments_disabled`, t1.`content_img_description` FROM `rmnl_content` AS t1 LEFT OUTER JOIN `rmnl_crew` AS lp3 ON (t1.`content_aid` = lp3.`crew_id`)) subq";

  $res = mysql_query($sql, $conn) or die(mysql_error());

  $row = mysql_fetch_assoc($res);

  reset($row);

  return current($row);

}

 

function sql_insert()

{

  global $conn;

  global $_POST;

 

  $sql = "insert into `rmnl_content` (`content_aid`, `content_type`, `content_title`, `content_msg`, `content_spotlight`, `content_source`, `content_source_url`, `content_img`, `content_img_description`, `content_date`) values (" .sqlvalue(@$_POST["content_aid"], true).", " .sqlvalue(@$_POST["content_type"], false).", " .sqlvalue(@$_POST["content_title"], true).", " .sqlvalue(@$_POST["content_msg"], true).", " .sqlvalue(@$_POST["content_spotlight"], false).", " .sqlvalue(@$_POST["content_source"], true).", " .sqlvalue(@$_POST["content_source_url"], true).", " .sqlvalue(@$_POST["content_img"], true).", " .sqlvalue(@$_POST["content_img_description"], true).", " .sqlvalue(@$_POST["content_date"], true).")";

  mysql_query($sql, $conn) or die(mysql_error());

}

 

function sql_update()

{

  global $conn;

  global $_POST;

 

  $sql = "update `rmnl_content` set `content_aid`=" .sqlvalue(@$_POST["content_aid"], true).", `content_type`=" .sqlvalue(@$_POST["content_type"], false).", `content_title`=" .sqlvalue(@$_POST["content_title"], true).", `content_msg`=" .sqlvalue(@$_POST["content_msg"], true).", `content_spotlight`=" .sqlvalue(@$_POST["content_spotlight"], false).", `content_source`=" .sqlvalue(@$_POST["content_source"], true).", `content_source_url`=" .sqlvalue(@$_POST["content_source_url"], true).", `content_img`=" .sqlvalue(@$_POST["content_img"], true).", `content_img_description`=" .sqlvalue(@$_POST["content_img_description"], true) ." where " .primarykeycondition();

  mysql_query($sql, $conn) or die(mysql_error());

}

 

function sql_delete()

{

  global $conn;

 

  $sql = "delete from `rmnl_content` where " .primarykeycondition();

  mysql_query($sql, $conn) or die(mysql_error());

}

function primarykeycondition()

{

  global $_POST;

  $pk = "";

  $pk .= "(`content_id`";

  if (@$_POST["xcontent_id"] == "") {

    $pk .= " IS NULL";

  }else{

  $pk .= " = " .sqlvalue(@$_POST["xcontent_id"], false);

  };

  $pk .= ")";

  return $pk;

}

?>

 

Link to comment
https://forums.phpfreaks.com/topic/181494-mysql_escape_string/#findComment-957938
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.