
stripslashes problem


emediastudios


Hi everyone,

I have been building my first admin from scratch, and am going quite well.

But now I have a problem that I can't resolve.

 

The website is basically a library of quotes that users can submit, the admin then needs to approve and edit them before they are published on the site.

I have the admin built, and can display all the records and delete, but am having a problem with the update.

 

If the quote has a ' in the text it throws an error. If it doesn't it updates fine.

There needs to be a cleaning function or something applied, and as I am still learning I am lost as to how to do this.

I added the addslashes but it still throws the error.

Code below.

 

 

case 'updatequote';
$db_name = "auth";
$table_name = "quotes";
$connection = @mysql_connect("localhost", "root", "testing") or die(mysql_error());
$db = @mysql_select_db($db_name, $connection) or die(mysql_error());
foreach($_POST as $input) {
$_POST['array_key'] = addslashes($input);
} 
$sql = "UPDATE $table_name SET
artist = '$artist',song = '$song',quote = '$quote' WHERE quoteid =  ".$_REQUEST['quoteid']."";
$result = @mysql_query($sql,$connection) or die(mysql_error());

echo "Quote Edited Successfully";


break;


$sql = "UPDATE $table_name SET
artist = '".mysql_real_escape_string($artist)."',song = '".mysql_real_escape_string($song)."',quote = '".mysql_real_escape_string($quote)."' WHERE quoteid = ".(int) $_REQUEST['quoteid']; // integer cast: the id is not inside quotes, so escaping alone would not constrain it


Awesome, Chintan, you're the man! This works perfectly.

Just one question though, because I am teaching myself PHP and MySQL: is this the right way to do it? By this I mean, can it be simplified as a function or done in a different way so I don't have to type out so much code?

I just want to learn good practices from the start.

Thanks for your help.

Or you could use a common db inc file and have POST escaped automatically, like:

 

foreach ($_POST as $key => $value){

$_POST[$key] = mysql_real_escape_string($value);

}

 

This can save a lot of time re-writing mysql_real_escape_string all the time!

You could also use this for GET and REQUEST.

 

Personally I use this and a similar code for htmlentities and strip_tags:

 

foreach ($_POST as $key => $value){

$_POST[$key] = htmlentities(strip_tags($value), ENT_QUOTES);

}
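
An added example, not part of the thread and not any poster's code: the same quote update written with a PDO prepared statement, which is the parameterized alternative to escaping each value by hand. The helper name updateQuote, the sample rows and the in-memory SQLite database (a stand-in so the script runs without a MySQL server) are assumptions; the table and column names come from the first post.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// first post; the in-memory SQLite database and its rows are constructed so
// the script runs without a server (assumption: pdo_sqlite is enabled).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE quotes (quoteid INTEGER PRIMARY KEY, artist TEXT, song TEXT, quote TEXT)');
$pdo->exec("INSERT INTO quotes VALUES (1, 'a', 'b', 'c'), (2, 'x', 'y', 'z')");

// Hypothetical helper. Values are sent as bound parameters, never spliced
// into the SQL text, so an apostrophe in the data cannot end a string literal.
function updateQuote(PDO $pdo, array $input): int
{
    // The id is used as a number, so validate it as one; escaping would not help.
    $id = filter_var($input['quoteid'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('quoteid must be a positive integer');
    }
    $params = [':id' => $id];
    foreach (['artist', 'song', 'quote'] as $field) {
        $value = $input[$field] ?? '';
        $params[":$field"] = is_string($value) ? $value : '';
    }
    $stmt = $pdo->prepare(
        'UPDATE quotes SET artist = :artist, song = :song, quote = :quote WHERE quoteid = :id'
    );
    $stmt->execute($params);
    return $stmt->rowCount(); // number of rows changed
}

// Constructed form input containing apostrophes and markup.
$post = ['quoteid' => '1', 'artist' => "The O'Neills", 'song' => "Don't Stop",
         'quote' => "It's <b>only</b> a test"];
echo updateQuote($pdo, $post), " row updated\n";

// Constructed hostile id: rejected by validation, row 2 stays untouched.
try {
    updateQuote($pdo, ['quoteid' => '1 OR 1=1', 'artist' => 'x', 'song' => 'x', 'quote' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Store the text as submitted; encode for HTML only when printing it.
$quote = $pdo->query('SELECT quote FROM quotes WHERE quoteid = 1')->fetchColumn();
echo htmlspecialchars($quote, ENT_QUOTES, 'UTF-8'), "\n";
```

Against MySQL only the DSN and credentials in the PDO constructor change; the helper itself stays the same.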

 
