Bottyz Posted June 15, 2010

Hi all,

If a user registers on my registration page with any details that include single (') or double (") quotes, it makes the db sql query error. I thought I'd had this one mastered but obviously not. Is it just a case of adding the addslashes() function somewhere in the script? Can anybody help me position it correctly, or spot where it has gone wrong with my current script?

```php
//get data
function previous_request_value($str)
{
    if (isset($_REQUEST[$str]))
        return $_REQUEST[$str];
    else
        return '';
}

//strip slashes
function cndstrips($str)
{
    if (get_magic_quotes_gpc())
        return stripslashes($str);
    else
        return $str;
}

//check that the value returned from checkbox is numerical
function chkbox_num($num)
{
    if (is_numeric($num))
        return $num;
    else
        return '';
}

//validate user inputs
$user_name=cndstrips(trim(previous_request_value('user_name')));
$user_companyname=cndstrips(trim(previous_request_value('user_companyname')));
$user_1stline=cndstrips(trim(previous_request_value('user_1stline')));
$user_address2=cndstrips(trim(previous_request_value('user_address2')));
$user_town=cndstrips(trim(previous_request_value('user_town')));
$user_county=cndstrips(trim(previous_request_value('user_county')));
$user_postcode=cndstrips(trim(previous_request_value('user_postcode')));
$user_country=(trim(previous_request_value('user_country')));
$user_email=cndstrips(trim(previous_request_value('user_email')));
$user_tel=cndstrips(trim(previous_request_value('user_tel')));
```

All help, as always, is much, much appreciated!

trq Posted June 15, 2010

All user inputted data should be passed through mysql_real_escape_string. You could even put it within your cndstrips function though you need to make sure you have a database connection before using it.

```php
function cndstrips($str)
{
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}
```

Bottyz (Author) Posted June 15, 2010

> All user inputted data should be passed through mysql_real_escape_string. You could even put it within your cndstrips function though you need to make sure you have a database connection before using it.
>
> ```php
> function cndstrips($str)
> {
>     if (get_magic_quotes_gpc()) {
>         $str = stripslashes($str);
>     }
>     return mysql_real_escape_string($str);
> }
> ```

Perfect, thanks. I knew I was missing a trick somewhere.
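
An added example, not code from the thread: the same registration insert written with PDO prepared statements, which keep user data out of the SQL text entirely and so close the SQL injection risk behind the quote error. This matters on current PHP because mysql_real_escape_string() and the rest of the mysql_* extension were removed in PHP 7.0. The `users` table, the `open_db()` and `register_user()` helpers, the in-memory SQLite database and the sample values are all assumptions made for illustration.

```php
<?php
// Assumptions: in-memory SQLite via PDO so the example runs offline; the
// users table, open_db() and register_user() are hypothetical names.
function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With the MySQL driver, also bind values server-side:
    // $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT,
        user_companyname TEXT, user_email TEXT)');
    return $pdo;
}

function register_user(PDO $pdo, array $input): int
{
    // Placeholders mean a quote in a value can neither break the statement
    // nor change its meaning; no addslashes() or escaping call is needed.
    $stmt = $pdo->prepare(
        'INSERT INTO users (user_name, user_companyname, user_email)
         VALUES (:name, :company, :email)'
    );
    $stmt->execute([
        ':name'    => trim($input['user_name'] ?? ''),
        ':company' => trim($input['user_companyname'] ?? ''),
        ':email'   => trim($input['user_email'] ?? ''),
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input containing the characters that broke the query.
$samples = [
    ['user_name' => "Paddy O'Brien", 'user_companyname' => 'Smith "&" Sons', 'user_email' => 'paddy@example.com'],
    ['user_name' => 'back\\slash \'and\' "both"', 'user_companyname' => 'n/a', 'user_email' => 'b@example.com'],
];

$pdo = open_db();
$check = $pdo->prepare('SELECT user_name FROM users WHERE id = ?');
foreach ($samples as $row) {
    $id = register_user($pdo, $row);
    $check->execute([$id]);
    $stored = $check->fetchColumn();
    // The stored value is exactly what was submitted, with no added slashes.
    echo $id, ': ', $stored, ' ', ($stored === $row['user_name'] ? 'OK' : 'MISMATCH'), PHP_EOL;
}
```

Because nothing is escaped on the way in, values read back from the database need no stripslashes(); output encoding (for example htmlspecialchars() when rendering HTML) is a separate step applied at display time.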
Archived
This topic is now archived and is closed to further replies.