
How do I escape "illegal" characters?


Darkwoods


Hey, I wasn't able to add/edit some text in the MySQL database because of some characters.

How can I bypass them?

Should I use mysql_real_escape_string()? If yes, how do I make it work with the code I've got?

Thanks

 

<?php
include "../configdb.php";

$id = $_GET['id'];
if (isset($_POST['submit']))
{
    // values posted from the form
    $name   = $_POST['name'];
    $footer = $_POST['footer'];

    // run the query which writes the data gathered from the form into the database
    $result = mysql_query("UPDATE pages SET name='$name', footer='$footer' WHERE id='$id' ", $connect);
    echo "<b>Your page has been edited successfully</b>";
    // echo "<meta http-equiv=Refresh content=2;url=index.php>";
}
elseif ($id)
{
    $result = mysql_query("SELECT * FROM pages WHERE id='$id' ", $connect);
    while ($row = mysql_fetch_assoc($result))
    {
        ?>

<h3>::Edit Page</h3>
<form method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>?id=<?php echo $row['id']?>">
<input type="hidden" name="id" value="<?php echo $row['id']?>">
<textarea name="name"><?php echo $row['name']?></textarea>
<input name="footer" size="40" maxlength="255" value="<?php echo $row['footer']?>">
<input type="submit" name="submit" value="Submit">
</form>

        <?php
    }
}
?>


It depends on the data type you expect. If it's a string value then yes, mysql_real_escape_string() is appropriate before using the string in a MySQL database query. For other types, validate it and cast it as the proper type.

 

Sidenote: to submit a form to itself don't use $_SERVER['PHP_SELF'] as it's a known XSS vulnerability, use action="" instead.

 

//string type data
if ( isset($_POST['name']) ) {
    $name = mysql_real_escape_string($_POST['name']);
}

//integer type: check it is all digits, then cast (the original was missing the closing parenthesis of the if)
if ( isset($_POST['id']) && ctype_digit($_POST['id']) ) {
    $id = (int) $_POST['id'];
}

 



Sidenote: to submit a form to itself don't use $_SERVER['PHP_SELF'] as it's a known XSS vulnerability, use action="" instead.

 

Agreed, though I will offer another solution (either works): instead of leaving the attribute blank, put the actual name of the file you are working on, as the form's default action is to post to itself. So in essence, if the file the form is in is called index.php, just put index.php as the form's action.

 

The only reason I point this out is because I *believe* that it might not pass strict HTML standards when you come to validate.

 

Rw


I just fixed the $_SERVER['PHP_SELF']. Thanks for the advice :)

 

I added

 

if( isset($_POST['name']) ) {
     $name = mysql_real_escape_string($_POST['name']);
}

 

but I'm still having a problem with bypassing characters which are not supported, such as ‘. It is sending the data to MySQL now, unlike before, but it cuts the text if there is an ‘.

 

What should I do?

 

Thanks


There are a few ways of doing this. Primarily, mysql_real_escape_string() is the first way to go, but if that doesn't do what you want it to, try addslashes(), as this does more or less the same thing; but as the manual states, check that you have magic_quotes_gpc() on, if not PHP will throw an error.

 

But you will need to stripslashes() on the other side ;p

 

Rw


Have you made a DB connection at that point?

 

If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.

 

Try this and see if it makes a difference:

$name = mysql_real_escape_string($_POST['name'], $connect);


I tried addslashes() but it is still the same :(

magic_quotes_gpc() is on now and it didn't change anything.

 

 

Yeah, there is a DB connection; the data is getting to MySQL, but for example if I try to add text such as (The whatever ‘Countdown’ will begin now!) the text will be cut and only (The whatever) gets to the database.

 

 

Have you made a DB connection at that point?

 

Try this and see if it makes a difference:

$name = mysql_real_escape_string($_POST['name'], $connect);


Just tried validating the HTML using <form action="">, and it validates fine both as HTML 4.01 Strict and XHTML 1.0 Strict.

 

I wasn't sure, but never really needed to check; I always define something in there, but generally all forms *should* have a separate process handler.

 

In answer to your question, you will need to see if there are any other chars that play up, BUT either using real_escape or addslashes should cure this issue; try the same sentence or string of text without the quotes to see if there are any other issues.

 

A rather convoluted solution would be to use htmlentities() before the database insertion, as this will convert the quotes into their HTML counterparts. Quite useful, I think.

 

Rw
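Putting the thread's advice together, as an added example that is not code from the original poster or any of the replies: the edit page rewritten with the escaping and casting from the first reply, the link-identifier point from the "Have you made a DB connection" reply, and action="" instead of $_SERVER['PHP_SELF']. It uses mysqli rather than the mysql_* functions (the mysql_* extension was removed in PHP 7; mysqli_real_escape_string() and mysqli_set_charset() are the direct equivalents and take the connection as their first argument). The host, database name, credentials and the table layout (pages with id, name, footer) are placeholders. Two points the thread does not spell out: the escape function must be called only after the connection charset is set, because it escapes according to that charset; and text that "gets cut" at a curly quote is usually not an escaping problem at all, since ‘ and ’ are not SQL metacharacters. When the bytes sent are not valid in the column's character set, a MySQL server that is not running in strict SQL mode stores the text up to the first bad byte and records warning 1366 ("Incorrect string value") instead of failing, so the script below reads the warnings after the UPDATE and shows them rather than claiming success.

```php
<?php
// Added example (not the original poster's code): the edit page rewritten with
// the escaping, casting, charset and form-action advice from this thread, using mysqli.
// Host, database name, credentials and table layout below are placeholders.
$link = mysqli_connect('localhost', 'dbuser', 'dbpass', 'site');
if (!$link) {
    die('Connection failed: ' . mysqli_connect_error());
}

// Set the connection charset BEFORE escaping anything: mysqli_real_escape_string()
// escapes according to the connection charset. The browser must send the same
// encoding (hence the <meta charset> in the form below). utf8mb4 covers ‘ ’ and emoji.
mysqli_set_charset($link, 'utf8mb4');

// Integer input: validate, then cast. Once it is an int it needs no escaping or quoting.
$id = 0;
if (isset($_GET['id']) && ctype_digit($_GET['id'])) {
    $id = (int) $_GET['id'];
}

if ($id && isset($_POST['submit'])) {
    // String input: escape with the connection so ' " \ and NUL are handled for the
    // charset in use. Curly quotes are ordinary characters to MySQL and pass through.
    $name   = mysqli_real_escape_string($link, $_POST['name']);
    $footer = mysqli_real_escape_string($link, $_POST['footer']);

    $sql = "UPDATE pages SET name='$name', footer='$footer' WHERE id=$id";
    if (!mysqli_query($link, $sql)) {
        error_log('pages update failed: ' . mysqli_error($link)); // log detail, not to the user
        die('Update failed.');
    }

    // A non-strict MySQL server stores text only up to the first byte that is invalid
    // in the column charset and records warning 1366 instead of raising an error.
    // Surface that, otherwise "the text gets cut" silently while we print success.
    if (mysqli_warning_count($link) > 0) {
        $w = mysqli_get_warnings($link);
        do {
            echo '<b>MySQL warning ' . (int) $w->errno . ': '
               . htmlspecialchars($w->message, ENT_QUOTES, 'UTF-8') . '</b><br>';
        } while ($w->next());
    } else {
        echo '<b>Your page has been edited successfully.</b>';
    }
} elseif ($id) {
    $result = mysqli_query($link, "SELECT id, name, footer FROM pages WHERE id=$id");
    while ($row = mysqli_fetch_assoc($result)) {
        // Escape on the way OUT too: the stored text is re-rendered inside an attribute
        // and an element body, so a stored "</textarea><script>" must not execute.
        $name   = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
        $footer = htmlspecialchars($row['footer'], ENT_QUOTES, 'UTF-8');
        ?>
<meta charset="utf-8">
<h3>::Edit Page</h3>
<!-- action="" posts back to the current URL, ?id= included, without echoing PHP_SELF -->
<form method="post" action="">
<textarea name="name"><?php echo $name; ?></textarea>
<input name="footer" size="40" maxlength="255" value="<?php echo $footer; ?>">
<input type="submit" name="submit" value="Submit">
</form>
        <?php
    }
}
```

If the warning loop reports 1366 for a row that the browser submitted correctly, the fix is in the schema or the connection, not in the escaping: check the column's character set with SHOW FULL COLUMNS FROM pages and make the page encoding, mysqli_set_charset() and the column agree. Enabling strict SQL mode turns the silent truncation into a hard error, which is what you want in an application that writes user text.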

