lynxus Posted July 24, 2010

Hi Guys,

I'm having issues with mysql_real_escape_string.

For instance, I understand that it only escapes chars, however they just are not entering the DB.

For example:

    $message = "How much is P&P to the UK?";
    $message = mysql_real_escape_string($message);

However, when I insert it into a MySQL DB, it only inserts "How much is P".

Any ideas how I can get this to work? I want to have these %^&*%$£"!"@ chars in the DB, however I want to avoid injections the best way possible.

Any help would be grateful.

Thanks
G

squiblo Posted July 24, 2010

Could you post your code? Inserting into the database like that should be fine and no need to worry about SQL injection.

lynxus (Author) Posted July 24, 2010

Here's the entire code:

    // The client IP address is stored as the username.
    $username = $_SERVER['REMOTE_ADDR'];
    $message = $_GET['message'];
    $siteid = $_GET['siteid'];
    $owner = $_GET['username'];

    // If the user hasn't entered anything just die silently. Stops them from filling the screen with empty lines.
    if ($message == "") {
        die;
    }

    $error = "0";

    $con = mysql_connect("localhost", "UNAME", "PASSWORD");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("DB", $con);

    // Escape every value before it is placed inside the quoted SQL literals.
    $siteid = mysql_real_escape_string($siteid);
    $username = mysql_real_escape_string($username);
    $owner = mysql_real_escape_string($owner);
    $message = mysql_real_escape_string($message);

    mysql_query("INSERT INTO data (username, message, owner, siteid, dispname)
        VALUES ('$username', '$message', '$owner', '$siteid', '$owner')");

    mysql_close($con);

squiblo Posted July 24, 2010

If your message contains "&" it will not work properly; it is like the start of another GET.

lynxus (Author) Posted July 24, 2010

Ahhh shit yeah. I suppose I need to encode it in JS somehow, or post it. I didn't think of that.

Thanks
G

squiblo Posted July 24, 2010

I recommend using "htmlentities()" before posting the data

squiblo Posted July 24, 2010

> I recommend using "htmlentities()" before posting the data

No, sorry, bad idea.

lynxus (Author) Posted July 24, 2010

I take it, if I use htmlentities, is this a JS function too? I.e.: JS replace/htmlentities encode the string, PHP can then decode the string and pass it to the DB?

Thanks
G

wildteen88 Posted July 24, 2010

You should use urlencode instead of htmlentities. You'd then use urldecode when grabbing the data from the URL.

However, are you using a form? If you are, you'll be better off setting the form's submit method to post (<form action="" method="post">) rather than get.

lynxus (Author) Posted July 24, 2010

Thanks for your help. I never thought about the GET issue.

I've resolved it by doing this in JS (before sending data):

    // A regex with the g flag replaces every occurrence; a plain string pattern only replaces the first.
    message = message.replace(/&/g, "%amp");
    message = message.replace(/\+/g, "%plus");

Then in PHP I have:

    $message = str_replace("%amp", "&", $message);
    $message = str_replace("%plus", "+", $message);

Then I escape the string.

@Wildteen: The form is being sent via Ajax, so I'm using ajax.open(get,url,true);

I've "hacked it" so it works now. I will eventually change the JS / Ajax to use POST.
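
The three ways of building the request URL discussed in this thread, compared side by side as an added example (not code from any poster). The endpoint URL and the sample messages are constructed, and the function names are hypothetical; the script runs in Node.js or a browser console.

```javascript
// Added example: what the server reads as $_GET['message'] for each URL-building style.
const ENDPOINT = "http://example.test/send.php"; // hypothetical endpoint

// Parse the URL the way a server-side query parser would ('&' splits pairs,
// '+' means space, %XX is decoded, '#' starts the fragment and is never sent).
function serverSees(url) {
  return new URL(url).searchParams.get("message");
}

// 1. Raw concatenation, as in the original Ajax call.
function rawUrl(msg) {
  return ENDPOINT + "?message=" + msg + "&siteid=1";
}

// 2. A placeholder scheme like the thread's workaround, plus its server-side reversal.
function placeholderUrl(msg) {
  const m = msg.replace(/&/g, "%amp").replace(/\+/g, "%plus");
  return ENDPOINT + "?message=" + m + "&siteid=1";
}
function undoPlaceholders(value) {
  return value.split("%amp").join("&").split("%plus").join("+"); // like str_replace
}

// 3. Standard percent-encoding: covers every reserved character, and the
// server's query parser reverses it without any custom step.
function encodedUrl(msg) {
  return ENDPOINT + "?message=" + encodeURIComponent(msg) + "&siteid=1";
}

function compare(msg) {
  return {
    raw: serverSees(rawUrl(msg)),
    placeholder: undoPlaceholders(serverSees(placeholderUrl(msg))),
    encoded: serverSees(encodedUrl(msg)),
  };
}

// Constructed sample messages.
const samples = [
  "How much is P&P to the UK?", // the thread's message
  "50%25 off + free P&P",       // contains a valid %XX sequence
  "type %amp, see #4",          // literal placeholder text and a '#'
];
for (const s of samples) console.log(JSON.stringify(s), compare(s));
```

Only the `encodeURIComponent` variant round-trips all three messages. PHP has already decoded the values in `$_GET`, so the server side needs no extra decoding step for that variant, and SQL escaping remains a separate step applied after the value arrives.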