double and single quotes in text fields acting up... help please


ed01

Single quotes, when entered into a text field, create an sql error upon Submit. It seems to create the query OK but says there's an SQL syntax error and stalls out on that field.

 

Also any time a double-quote is in a text field, all characters to the right of it GET DELETED upon Submit and have to be re-entered before trying to Submit form again.

 

The two larger textarea fields in the form seem to handle the single and double quotes perfectly. Stripslashes functions correctly and no deleting of data. Yet my code doesn't treat these two areas any differently than the text fields(!?)

 

I have used stripslashes on all posted variables

 

http://www.cmfsc.ca/coachingapplication_Feb10email.php

 

Thanks for any help!

Ed


You need to escape user inputted data when inputting it to the database, use mysql_real_escape_string when inserting, and htmlentities and stripslashes (if necessary) when displaying.

 

 

The reason quotes are messing with queries -

$query = "UPDATE myTable SET myField = '{$_POST['textArea']}' LIMIT 1";

 

 

So imagine one of your users posts

I like PHP Freaks, it's cool!

 

 

Now your query will look like this

$query = "UPDATE myTable SET myField = 'I like PHP Freaks, it's cool!' LIMIT 1";

 

 

mysql_real_escape_string will escape any data that will 'mess with' your query-strings.

htmlentities will escape data that will mess with your layout and help protect against cross site scripting.


Spent many more hours trying to apply this ... ugh. But I DO appreciate your response. Following is a bit more detail on my situ if you are willing to help further.

 

Magic quotes ARE enabled.

Stripslashes are applied to the form fields.

Form works as it should except whenever a double quote is entered into a form field. In this instance, when submit is hit, and the form isn't posted (because of missing text in another field for instance) then the first field data disappears and has to be re-typed (that is IF the user notices it missing!).

 

The two text fields work and the only difference I can think of is that the dbase field type is text instead of varchar()-but I don't want to change all my fields to 'text' nor do I feel I need to.

 

How does one APPLY mysql_real_escape_string  in my case? Here's part of my code...

 

if ( isset ($_POST['submit'])) {

$first_name        = $_POST['first_name'];

....

 

// Define the query.

$query = "INSERT INTO coachingapplication_Feb10 (registrant_id, first_name, last_name, home_phone, cell_phone, email, agegroup, level, gender, Cert_CCC, Cert_CCY, Cert_CCS, Cert_BPrep, Cert_BProv, Cert_BNat, Cert_ALic, cmfscyear1, cmfscdiv1, cmfscteam1, cmfscyear2, cmfscdiv2, cmfscteam2, cmfscyear3, cmfscdiv3, cmfscteam3, cmfscyear4, cmfscdiv4, cmfscteam4, other_year1, other_club1, other_div1, other_team1, other_year2, other_club2, other_div2, other_team2, other_year3, other_club3, other_div3, other_team3, other_year4, other_club4, other_div4, other_team4, other_exp, refname1, refaddress1, refphone1, refname2, refaddress2, refphone2, refname3, refaddress3, refphone3, other_info, declaration, date_entered) VALUES (0, '$first_name', '$last_name',...........

 


How does one APPLY mysql_real_escape_string  in my case? Here's part of my code...

 

if ( isset ($_POST['submit'])) {
   $first_name = mysql_real_escape_string($_POST['first_name']);

 

[ot]

Just looking at your field names I would suggest you look into database normalization techniques. Your design is going to lead you to trouble in the long run.

[/ot]
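
Added example, not part of any post in this thread: both quote problems side by side, assuming the form re-displays the submitted value inside a value="..." attribute. It uses a PDO bound parameter on an in-memory SQLite database in place of mysql_real_escape_string (which needs a live MySQL connection and was removed in PHP 7); the helper names raw_input and text_field, the sample name and the one-column table are constructed for illustration.

```php
<?php
// Added example. Constructed input; helper names are hypothetical.
$post = array('first_name' => 'Ed "Coach" O\'Neil');

// Undo magic quotes only when the server really added the slashes
// (the setting exists only in old PHP versions, hence the guard).
function raw_input(array $post, $key)
{
    $value = isset($post[$key]) ? $post[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Re-display: encode for the HTML attribute. This is separate from SQL escaping.
function text_field($name, $value)
{
    return '<input type="text" name="' . $name . '" value="'
        . htmlentities($value, ENT_QUOTES, 'UTF-8') . '">';
}

$first_name = raw_input($post, 'first_name');

// Unencoded: the first " closes the attribute, so the browser drops
// everything to the right of it when the form is shown again.
echo '<input type="text" name="first_name" value="' . $first_name . '">', "\n";

// Encoded: the whole value survives a failed submit.
echo text_field('first_name', $first_name), "\n";

// Storage: a bound parameter keeps the single quote out of the SQL text.
// SQLite in memory stands in for MySQL; the table is a cut-down stand-in.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE coachingapplication_Feb10 (first_name TEXT)');

$insert = $db->prepare(
    'INSERT INTO coachingapplication_Feb10 (first_name) VALUES (?)'
);
$insert->execute(array($first_name));

// Read the row back and compare it with what was submitted.
$stored = $db->query('SELECT first_name FROM coachingapplication_Feb10')
             ->fetchColumn();
var_dump($stored === $first_name);
```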
