Darkwoods, posted October 25, 2010

Hey, I wasn't able to add/edit some text to the MySQL database because of some characters. How can I bypass them? Should I use mysql_real_escape_string()? If yes, how do I make it work with the code I've got? Thanks

```php
<?php
include "../configdb.php";

$id = $_GET['id'];

if (isset($_POST['submit'])) {
    // global variables
    $name   = $_POST['name'];
    $footer = $_POST['footer'];

    // run the query which adds the data gathered from the form into the database
    $result = mysql_query("UPDATE pages SET name='$name', footer='$footer' WHERE id='$id' ", $connect);
    echo "<b>Your page has been edited successfully</b>";
    // echo "<meta http-equiv=Refresh content=2;url=index.php>";
} elseif ($id) {
    $result = mysql_query("SELECT * FROM pages WHERE id='$id' ", $connect);
    while ($row = mysql_fetch_assoc($result)) {
?>
<h3>::Edit Page</h3>
<form method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>?id=<?php echo $row['id'] ?>">
    <input type="hidden" name="id" value="<?php echo $row['id'] ?>">
    <textarea name="name"><?php echo $row['name'] ?></textarea>
    <input name="footer" size="40" maxlength="255" value="<?php echo $row['footer'] ?>">
    <input type="submit" name="submit" value="Submit">
</form>
<?php
    }
}
?>
```
rwwd, posted October 25, 2010

mysql_real_escape_string($_POST['someValue']); etc.

Rw
Pikachu2000, posted October 25, 2010

It depends on the data type you expect. If it's a string value then yes, mysql_real_escape_string() is appropriate before using the string in a MySQL database query. For other types, validate it and cast it as the proper type.

Sidenote: to submit a form to itself don't use $_SERVER['PHP_SELF'] as it's a known XSS vulnerability, use action="" instead.

```php
// string type data
if (isset($_POST['name'])) {
    $name = mysql_real_escape_string($_POST['name']);
}

// integer type: validate, then cast
if (isset($_POST['id']) && ctype_digit($_POST['id'])) {
    $id = (int) $_POST['id'];
}
```
rwwd, posted October 25, 2010

> Sidenote: to submit a form to itself don't use $_SERVER['PHP_SELF'] as it's a known XSS vulnerability, use action="" instead.

Agreed, though I will offer another solution, though either works; instead of leaving the attribute blank, put the actual name of the file you are working on, as the form's default action is to post to itself. So in essence, if the file that the form is in is called index.php, just put index.php as the form's action. The only reason I point this out is because I *believe* that it might not pass strict HTML standards when you come to validate.

Rw
Pikachu2000, posted October 25, 2010

That may be true. Actually, since I've nothing better to do, I'll check it out and let you know.
Darkwoods (author), posted October 25, 2010

I just fixed the $_SERVER['PHP_SELF'], thanks for the advice. I added

```php
if (isset($_POST['name'])) {
    $name = mysql_real_escape_string($_POST['name']);
}
```

but I'm still having a problem with bypassing characters which are not supported, such as ‘. It is sending the data to MySQL now, unlike before, but it cuts the text if there is an ‘. What should I do? Thanks
rwwd, posted October 25, 2010

There are a few ways of doing this. Primarily mysql_real_escape_string() is the first way to go, but if that doesn't do what you want it to, try addslashes() as this does more or less the same thing, but as the manual states, check that you have magic_quotes_gpc() on; if not PHP will throw an error. But you will need to stripslashes() the other side ;p

Rw
Pikachu2000, posted October 25, 2010

Just tried validating the HTML using <form action="">, and it validates fine both as HTML 4.01 Strict and XHTML 1.0 Strict.
Pikachu2000, posted October 25, 2010

Have you made a DB connection at that point?

> If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.

Try this and see if it makes a difference:

```php
$name = mysql_real_escape_string($_POST['name'], $connect);
```
Darkwoods (author), posted October 25, 2010

> Have you made a DB connection at that point?
> Try this and see if it makes a difference:
> $name = mysql_real_escape_string($_POST['name'], $connect);

I tried addslashes() but it is still the same. magic_quotes_gpc() is on now and it didn't change anything. Yeah, there is a DB connection; the data is getting to MySQL, but for example if I try to add text such as (The whatever ‘Countdown’ will begin now!) the text will be cut and only (The whatever) will get to the database.
rwwd, posted October 25, 2010

> Just tried validating the HTML using <form action="">, and it validates fine both as HTML 4.01 Strict and XHTML 1.0 Strict.

I wasn't sure, but never really needed to check; I always define something in there, but generally all forms *should* have a separate process handler.

In answer to your question, you will need to see if there are any other chars that play up, BUT either using real_escape or addslashes should cure this issue. Try the same sentence or string of text without the quotes to see if there are any other issues. A rather convoluted solution would be to use htmlentities before the database insertion, as this will convert the quotes into their HTML counterparts; quite useful I think.

Rw
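The thread's answers all escape the input before gluing it into the SQL string. As an added illustration, not code posted by anyone in this thread, here is the original edit page rewritten so that user input never becomes part of the SQL text at all (PDO prepared statements), with the integer id validated and cast as Pikachu2000 suggested, and with values encoded on the way back into the HTML. It assumes PHP 7.4+ and that configdb.php defines `$dsn`, `$dbUser` and `$dbPass` for PDO (hypothetical names; the thread's configdb.php provides a mysql_* `$connect` link instead); the explicit connection charset is included because an unset or mismatched charset is a common reason for stored text stopping at a character such as ‘, which the thread does not itself diagnose.

```php
<?php
// Added example, not from the thread. Assumes configdb.php defines $dsn, $dbUser, $dbPass
// (hypothetical names) for a PDO connection to the same pages(id, name, footer) table.
require '../configdb.php';

// Setting the connection charset explicitly avoids strings being cut off at the first
// character the connection cannot represent (e.g. a curly quote like ‘).
$pdo = new PDO($dsn . ';charset=utf8mb4', $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side parameter binding
]);

// Integer input: validate and cast, do not escape.
$id = (isset($_GET['id']) && ctype_digit($_GET['id'])) ? (int) $_GET['id'] : 0;

if ($id > 0 && isset($_POST['submit'])) {
    // String input travels as a bound parameter, never inside the SQL text, so any
    // quote character is stored verbatim and cannot change the statement's structure.
    $stmt = $pdo->prepare('UPDATE pages SET name = :name, footer = :footer WHERE id = :id');
    $stmt->execute([
        ':name'   => $_POST['name'] ?? '',
        ':footer' => $_POST['footer'] ?? '',
        ':id'     => $id,
    ]);
    echo '<b>Your page has been edited successfully.</b>';
} elseif ($id > 0) {
    $stmt = $pdo->prepare('SELECT id, name, footer FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row) {
        // Output encoding is a separate concern from query parameterisation: values
        // come back out of the database raw, so encode them for the HTML context here.
        $h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
        ?>
        <h3>::Edit Page</h3>
        <form method="post" action="?id=<?= $h((string) $row['id']) ?>">
            <textarea name="name"><?= $h($row['name']) ?></textarea>
            <input name="footer" size="40" maxlength="255" value="<?= $h($row['footer']) ?>">
            <input type="submit" name="submit" value="Submit">
        </form>
        <?php
    }
}
```

With this shape there is nothing for addslashes() or magic_quotes to do; if text still stops at ‘ after the change, compare the column and connection charsets rather than adding more escaping.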
Darkwoods (author), posted October 25, 2010

Hey, thanks for your help guys. I'm using TinyMCE now so it is working fine. Thanks for your help anyway.
tastro, posted October 25, 2010

Mark the thread as solved then please. Tnx