ed01 Posted January 29, 2010

Single quotes, when entered into a text field, create an SQL error upon Submit. It seems to create the query OK but says there's an SQL syntax error and stalls out on that field. Also, any time a double quote is in a text field, all characters to the right of it GET DELETED upon Submit and have to be re-entered before trying to Submit the form again. The two larger textarea fields in the form seem to handle the single and double quotes perfectly. Stripslashes functions correctly and there is no deleting of data. Yet my code doesn't treat these two areas any differently than the text fields(!?) I have used stripslashes on all posted variables.

http://www.cmfsc.ca/coachingapplication_Feb10email.php

Thanks for any help!
Ed
Andy-H Posted January 29, 2010

You need to escape user-inputted data when inputting it to the database: use mysql_real_escape_string when inserting, and htmlentities and stripslashes (if necessary) when displaying.

The reason quotes are messing with queries:

    $query = "UPDATE myTable SET myField = '{$_POST['textArea']}' LIMIT 1";

So imagine one of your users posts

    I like PHP Freaks, it's cool!

Now your query will look like this:

    $query = "UPDATE myTable SET myField = 'I like PHP Freaks, it's cool!' LIMIT 1";

mysql_real_escape_string will escape any data that will 'mess with' your query strings. htmlentities will escape data that will mess with your layout and help protect against cross-site scripting.
ed01 Posted January 30, 2010 (Author)

Spent many more hours trying to apply this ... ugh. But I DO appreciate your response. Following is a bit more detail on my situation if you are willing to help further.

Magic quotes ARE enabled. Stripslashes is applied to the form fields. The form works as it should except whenever a double quote is entered into a form field. In this instance, when Submit is hit and the form isn't posted (because of missing text in another field, for instance), the first field's data disappears and has to be re-typed (that is, IF the user notices it missing!). The two text fields work, and the only difference I can think of is that the database field type is text instead of varchar(), but I don't want to change all my fields to 'text', nor do I feel I need to.

How does one APPLY mysql_real_escape_string in my case? Here's part of my code...

    if ( isset ($_POST['submit'])) {
        $first_name = $_POST['first_name'];
        ....
        // Define the query.
        $query = "INSERT INTO coachingapplication_Feb10 (registrant_id, first_name, last_name,
            home_phone, cell_phone, email, agegroup, level, gender,
            Cert_CCC, Cert_CCY, Cert_CCS, Cert_BPrep, Cert_BProv, Cert_BNat, Cert_ALic,
            cmfscyear1, cmfscdiv1, cmfscteam1, cmfscyear2, cmfscdiv2, cmfscteam2,
            cmfscyear3, cmfscdiv3, cmfscteam3, cmfscyear4, cmfscdiv4, cmfscteam4,
            other_year1, other_club1, other_div1, other_team1,
            other_year2, other_club2, other_div2, other_team2,
            other_year3, other_club3, other_div3, other_team3,
            other_year4, other_club4, other_div4, other_team4, other_exp,
            refname1, refaddress1, refphone1, refname2, refaddress2, refphone2,
            refname3, refaddress3, refphone3, other_info, declaration, date_entered)
            VALUES (0, '$first_name', '$last_name', ...........
trq Posted January 30, 2010

> How does one APPLY mysql_real_escape_string in my case? Here's part of my code...

    if ( isset ($_POST['submit'])) {
        $first_name = mysql_real_escape_string($_POST['first_name']);

[ot] Just looking at your field names, I would suggest you look into database normalization techniques. Your design is going to lead you to trouble in the long run. [/ot]
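The following is an added example, not code from the thread or from ed01's site. It reproduces the two failure modes reported above (the single-quote SQL syntax error Andy-H walks through, and the loss of everything to the right of a double quote when the form is re-displayed) and applies the two fixes the replies point at. It uses PDO with an in-memory SQLite database so it runs offline without MySQL; the table and column names (coachingapplication_Feb10, registrant_id, first_name) come from ed01's post, and everything else is assumed for illustration. The mysql_* functions used in trq's snippet were removed in PHP 7, so binding the value through a prepared statement stands in for mysql_real_escape_string; it solves the same problem and does not depend on the connection's character set. The htmlspecialchars() call on the display side is the htmlentities step Andy-H mentions: without it, a double quote in the submitted value closes the value="..." attribute of the re-populated input early, which matches the truncation ed01 describes (textareas are unaffected because their content is not inside an attribute).

```php
<?php
// Added example, not code from the thread. Shows why a single quote breaks an
// interpolated INSERT, why a double quote truncates a re-populated <input>,
// and the fixes: parameter binding for SQL, htmlspecialchars() for HTML.
// Uses PDO + in-memory SQLite so it runs offline; the table and column names
// follow ed01's post, everything else is assumed for illustration.
declare(strict_types=1);

// magic_quotes_gpc (removed in PHP 5.4) already put backslashes into $_POST.
// Undo that exactly once so the value is not escaped twice downstream.
function rawInput(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// The original pattern: the value is spliced into the SQL text, so a quote
// inside it becomes SQL syntax. Returns the driver's error, or null on success.
function insertInterpolated(PDO $pdo, string $firstName): ?string
{
    try {
        $pdo->exec("INSERT INTO coachingapplication_Feb10 (registrant_id, first_name)"
                 . " VALUES (NULL, '$firstName')");
        return null;
    } catch (PDOException $e) {
        return $e->getMessage();
    }
}

// The fix: the driver receives the SQL and the value separately, so quotes
// (and anything else a user types) are data, never syntax.
function insertBound(PDO $pdo, string $firstName): int
{
    $stmt = $pdo->prepare('INSERT INTO coachingapplication_Feb10 (registrant_id, first_name)'
                        . ' VALUES (NULL, :first_name)');
    $stmt->execute([':first_name' => $firstName]);
    return (int) $pdo->lastInsertId();
}

// Display side: encode before echoing into an attribute. Without this a " in
// $value closes value="..." early and the browser drops everything after it.
function inputField(string $name, string $value): string
{
    return sprintf(
        '<input type="text" name="%s" value="%s">',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
    );
}

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE coachingapplication_Feb10 ('
         . 'registrant_id INTEGER PRIMARY KEY, first_name TEXT NOT NULL)');

// Constructed input containing both characters that broke the form.
$submitted = rawInput('O\'Brien "Ed"');

// 1. Interpolation: the single quote ends the SQL string literal early.
$error = insertInterpolated($pdo, $submitted);
echo "interpolated: ", $error ?? 'inserted', PHP_EOL;

// 2. Binding: the same value is stored byte-for-byte.
$id   = insertBound($pdo, $submitted);
$stmt = $pdo->prepare('SELECT first_name FROM coachingapplication_Feb10 WHERE registrant_id = ?');
$stmt->execute([$id]);
$row = (string) $stmt->fetchColumn();
echo "bound: stored verbatim = ", var_export($row === $submitted, true), PHP_EOL;

// 3. Re-populating the form: the quotes survive as entities, so the field is
//    shown in full instead of being cut at the first ".
echo inputField('first_name', $row), PHP_EOL;
```

Run it with `php example.php`. The interpolated INSERT reports a syntax error from the driver, the bound INSERT stores the value unchanged, and the rendered input carries the quotes as `&quot;` and `&#039;`. Two caveats carried over from the thread: call stripslashes() only when magic_quotes_gpc actually added the backslashes (on a modern PHP it would strip legitimate backslashes from user data), and if you do stay with mysql_real_escape_string instead of binding, it needs an open connection and must be called after the connection charset is set, or it may escape for the wrong character set.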