lynxus Posted July 24, 2010 Share Posted July 24, 2010 Hi Guys, Im having issues with mysql_real_escape_string For instance, I understand that it only escapes chars, However they just are not entering the DB.. For example. $message = "How much is P&P to the UK?"; $message = mysql_real_escape_string($message); However when i insert it into a mysql DB, it only inserts "How much is P" Any ideas how i can get this to work. I want to have these %^&*%$£"!"@ chars in the DB however i want to avoid injections the best way possible. Any help would be grateful. Thanks G Quote Link to comment Share on other sites More sharing options...
squiblo Posted July 24, 2010 Share Posted July 24, 2010 could you post your code? inserting into the database like that should be fine and no need to worry about sql injection Quote Link to comment Share on other sites More sharing options...
lynxus Posted July 24, 2010 Author Share Posted July 24, 2010 Heres the entire code: $username=$_SERVER['REMOTE_ADDR']; $message = $_GET['message']; $siteid = $_GET['siteid']; $owner = $_GET['username']; // If the user hasnt entered anything just die silently, Stops them from filling screen with empty lines. if ($message == "") { die; } $error = "0"; $con = mysql_connect("localhost","UNAME","PASSWORD"); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("DB", $con); $siteid = mysql_real_escape_string($siteid); $username = mysql_real_escape_string($username); $owner = mysql_real_escape_string($owner); $message = mysql_real_escape_string($message); mysql_query("INSERT INTO data (username, message, owner, siteid, dispname) VALUES ('$username', '$message', '$owner', '$siteid', '$owner')"); mysql_close($con); Quote Link to comment Share on other sites More sharing options...
squiblo Posted July 24, 2010 Share Posted July 24, 2010 if your message contains "&" it will not work properly, it is like the start of another GET Quote Link to comment Share on other sites More sharing options...
lynxus Posted July 24, 2010 Author Share Posted July 24, 2010 Ahhh shit yeah. I suppose i need to encode it in JS somehow.. Or post it.. I didnt think of that.. Thanks G Quote Link to comment Share on other sites More sharing options...
squiblo Posted July 24, 2010 Share Posted July 24, 2010 I recommend using "htmlentities()" before posting the data Quote Link to comment Share on other sites More sharing options...
squiblo Posted July 24, 2010 Share Posted July 24, 2010 I recommend using "htmlentities()" before posting the data No sorry bad idea Quote Link to comment Share on other sites More sharing options...
lynxus Posted July 24, 2010 Author Share Posted July 24, 2010 I take it, If i use htmlentitys is this a js function too? Ie: JS replace/htmlentitys encode the string.. PHP can then decode the scriing.. and pass to the DB? Thanks G Quote Link to comment Share on other sites More sharing options...
wildteen88 Posted July 24, 2010 Share Posted July 24, 2010 You should use urlencode instead of htmlentities. You'd then use urldecode when grabbing the data from the url. However how are you using a form? If you are you'll be better off setting the forms submit method to post (<form action="" method="post">) rather than get. Quote Link to comment Share on other sites More sharing options...
lynxus Posted July 24, 2010 Author Share Posted July 24, 2010 Thanks for your help. I never thought about the GET issue. Ive resolved it by doing this in JS ( before sending data ) message = message.replace("&", "%amp"); message = message.replace("+", "%plus"); Then in PHP i have: $message = str_replace("%amp", "&", $message); $message = str_replace("%plus", "+", $message); Then i escape the string. @ Wildteen. The form is being sent via Ajax. So im using ajax.open(get,url,true); Ive "hacked it" so it works now. I will eventually change the JS / Ajax to use POST Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.