emediastudios Posted October 10, 2010

Hi everyone, I have been building my first admin from scratch, and it is going quite well. But now I have a problem that I can't resolve. The website is basically a library of quotes that users can submit; the admin then needs to approve and edit them before they are published on the site. I have the admin built, and can display all the records and delete, but am having a problem with the update. If the quote has a ' in the text it throws an error. If it doesn't, it updates fine. There needs to be a cleaning function or something applied, and as I am still learning I am lost as to how to do this. I added the addslashes but it still throws the error. Code below.

case 'updatequote';
    $db_name = "auth";
    $table_name = "quotes";
    $connection = @mysql_connect("localhost", "root", "testing") or die(mysql_error());
    $db = @mysql_select_db($db_name, $connection) or die(mysql_error());
    foreach($_POST as $input) {
        $_POST['array_key'] = addslashes($input);
    }
    $sql = "UPDATE $table_name SET artist = '$artist',song = '$song',quote = '$quote' WHERE quoteid = ".$_REQUEST['quoteid']."";
    $result = @mysql_query($sql,$connection) or die(mysql_error());
    echo "Quote Edited Successfully";
    break;
darkfreaks Posted October 10, 2010

You should use mysql_real_escape_string(); that should solve your problem.
chintansshah Posted October 10, 2010

I think htmlentities() also helps to resolve this problem.
emediastudios (Author) Posted October 10, 2010

> You should use mysql_real_escape_string(); that should solve your problem.

Thanks, I did read that on the internet, but don't know where to place it in the code. I'll keep looking. Thanks again.
chintansshah Posted October 10, 2010

$sql = "UPDATE $table_name SET artist = '".mysql_real_escape_string($artist)."', song = '".mysql_real_escape_string($song)."', quote = '".mysql_real_escape_string($quote)."' WHERE quoteid = ".mysql_real_escape_string($_REQUEST['quoteid'])."";
emediastudios (Author) Posted October 10, 2010

> $sql = "UPDATE $table_name SET artist = '".mysql_real_escape_string($artist)."', song = '".mysql_real_escape_string($song)."', quote = '".mysql_real_escape_string($quote)."' WHERE quoteid = ".mysql_real_escape_string($_REQUEST['quoteid'])."";

Awesome, Chintan, you're the man! This works perfectly. Just one question though, because I am teaching myself PHP and MySQL: is this the right way to do it? By this I mean, can it be simplified as a function or done in a different way so I don't have to type out so much code? I just want to learn good practices from the start. Thanks for your help.
chintansshah Posted October 10, 2010

Whenever you assign a value to a variable, apply the mysql_real_escape_string() filter at that time, like:

$artist = mysql_real_escape_string($_POST['artist']);
$song = mysql_real_escape_string($_POST['song']);

etc...
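An added example, not code from any of the posters: the same UPDATE written with PDO prepared statements, which is what the thread's escaping approach was working towards. Two things the escaping version leaves open: mysql_real_escape_string() only escapes quote, backslash and control characters, so a quoteid of `1 OR 1=1` passes through unchanged and, because the query above does not quote quoteid, would update every row; and the whole mysql_* extension was removed in PHP 7. The demo below uses an in-memory SQLite database so it runs without a MySQL server; the MySQL DSN in the comment, the table layout and the sample rows are assumptions standing in for the thread's `auth.quotes` table.

```php
<?php
// Added example (not from the thread): parameterised UPDATE with PDO.
// Uses sqlite::memory: so it runs stand-alone; the real admin would use
// something like 'mysql:host=localhost;dbname=auth;charset=utf8mb4' (assumed DSN).
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on error instead of returning false silently.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Server-side prepares, not client-side string building (matters on MySQL).
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $db;
}

// Constructed fixture standing in for the thread's quotes table.
function seed(PDO $db): void
{
    $db->exec('CREATE TABLE quotes (quoteid INTEGER PRIMARY KEY, artist TEXT, song TEXT, quote TEXT, approved INTEGER DEFAULT 0)');
    $db->exec("INSERT INTO quotes (artist, song, quote) VALUES ('a', 's', 'first'), ('b', 't', 'second')");
}

// Returns the number of rows changed. Values are bound, never concatenated,
// so a quote containing ' (or ; or --) is just data to the database.
function updateQuote(PDO $db, int $quoteid, string $artist, string $song, string $quote): int
{
    $stmt = $db->prepare(
        'UPDATE quotes SET artist = :artist, song = :song, quote = :quote WHERE quoteid = :id'
    );
    $stmt->bindValue(':artist', $artist, PDO::PARAM_STR);
    $stmt->bindValue(':song', $song, PDO::PARAM_STR);
    $stmt->bindValue(':quote', $quote, PDO::PARAM_STR);
    $stmt->bindValue(':id', $quoteid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// The id arrives as a string from $_REQUEST; accept only a positive integer.
// Escaping would not help here: "1 OR 1=1" contains nothing that
// mysql_real_escape_string() changes, and the thread's query does not quote quoteid.
function parseQuoteId(string $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('quoteid must be a positive integer');
    }
    return $id;
}

$db = connect();
seed($db);

// A quote with an apostrophe: the input that broke the original code.
$changed = updateQuote($db, parseQuoteId('1'), 'Elvis', "Don't", "Don't be cruel");
echo "rows changed: $changed\n";

// The unquoted-integer injection is rejected before it reaches SQL.
try {
    parseQuoteId('1 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// The other row is untouched.
$row = $db->query('SELECT quote FROM quotes WHERE quoteid = 2')->fetch(PDO::FETCH_ASSOC);
echo "row 2 still reads: {$row['quote']}\n";
```

Run it with `php update.php`. The point of binding rather than escaping is that there is no query string for the value to be interpreted in; the escaping approach in the thread is correct for quoted string columns but depends on every call site remembering to quote and escape, and offers nothing for numeric columns.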
emediastudios (Author) Posted October 10, 2010

Thanks mate
Oziam Posted October 10, 2010

Or you could use a common db include file and have POST escaped automatically, like:

foreach ($_POST as $key => $value) {
    $_POST[$key] = mysql_real_escape_string($value);
}

This can save a lot of time re-writing mysql_real_escape_string all the time! You could also use this for GET and REQUEST. Personally I use this and similar code for htmlentities and strip_tags:

foreach ($_POST as $key => $value) {
    // ENT_QUOTES is an htmlentities() flag; strip_tags()'s second argument is a list of allowed tags
    $_POST[$key] = htmlentities(strip_tags($value), ENT_QUOTES);
}
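An added example, not from any poster, on the second loop above: HTML-encoding every POST field before it is stored changes the data itself, and it answers a different problem (rendering in a page) from the one the thread started with (getting an apostrophe safely into SQL). The snippet below compares encoding at output time with encoding at input time on a constructed submission; the field name and the HTML fragment are assumptions for illustration.

```php
<?php
// Added example (not from the thread): encode for the context you are writing
// into, at the point you write into it. SQL gets bound parameters; HTML gets
// htmlspecialchars() in the template. The stored text stays exactly what the
// user typed.
declare(strict_types=1);

// Encode a stored value for an HTML text or double/single-quoted attribute context.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// What the foreach loop above would store: strip_tags() then htmlentities()
// applied to the raw POST value before it ever reaches the INSERT/UPDATE.
function encodedAtInput(string $s): string
{
    return htmlentities(strip_tags($s), ENT_QUOTES, 'UTF-8');
}

// Constructed submission (assumed field value): an apostrophe plus an attempted script tag.
$submitted = "Don't <script>alert(1)</script> try this at home";

// Route 1: store raw, encode on output. The apostrophe survives as data and
// the <script> tag is rendered as inert text in the page.
$storedRaw = $submitted;
$page1 = '<p>' . forHtml($storedRaw) . '</p>';

// Route 2: encode at input, then encode again on output, because the template
// has no way of knowing this particular column was pre-encoded. The ampersands
// of the stored entities get encoded a second time, so the visitor sees the
// entity text rather than an apostrophe.
$storedEncoded = encodedAtInput($submitted);
$page2 = '<p>' . forHtml($storedEncoded) . '</p>';

// Route 2 also hands HTML entities to consumers that are not HTML at all
// (a JSON API, a CSV export, a LIKE search for the original text).
$json = json_encode(['quote' => $storedEncoded], JSON_UNESCAPED_UNICODE);

echo "stored (raw):     $storedRaw\n";
echo "stored (encoded): $storedEncoded\n";
echo "page, route 1:    $page1\n";
echo "page, route 2:    $page2\n";
echo "json, route 2:    $json\n";
```

strip_tags() is also not a reliable HTML sanitiser on its own; the output-encoding route does not need it, because a tag that is encoded on output is displayed, not executed.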