mysql_escape_string causes page to be littered with 'rn'.


3 replies to this topic

#1 bertieboy_93

bertieboy_93
  • Members
  • Member
  • 13 posts

Posted 22 September 2006 - 07:21 PM

I have an update script which receives some text from a session variable and updates an entry in the database with it. Apostrophes were upsetting it. I have been told to use stripslashes and mysql_escape_string to solve the problem, but with the code below, at the beginning of each line and at each line break 'rn' is displayed. Here is my current update script:
<?php
//Update database
$query = "UPDATE Main SET PageHeading = '$pageheading', PageText = '$pagetext' WHERE PageName = '$pagename'";
$query = mysql_real_escape_string($query);
$query = stripslashes($query);
mysql_query($query) or die(mysql_error());
?>

Can someone please explain why this is happening? Thanks for any help you can give me.

#2 kenrbnsn

kenrbnsn
  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • Location: Hillsborough, NJ, USA

Posted 22 September 2006 - 07:27 PM

You want to use the mysql_real_escape_string() and stripslashes() functions on each piece of data not on the whole query:
<?php
//Update database
// stripslashes() first (undoes magic_quotes_gpc), then escape each value on its own
$query = "UPDATE Main SET PageHeading = '" . mysql_real_escape_string(stripslashes($pageheading)) .
"', PageText = '" . mysql_real_escape_string(stripslashes($pagetext)) .
"' WHERE PageName = '" . mysql_real_escape_string(stripslashes($pagename)) . "'";
mysql_query($query) or die("There was a problem with the query: $query<br>" . mysql_error());
?>

Ken
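The following is an added example, not code from this thread or from either poster, showing why the script in post #1 prints 'rn' and, more seriously, why that script gives no protection against a stray quote at all, next to the per-value order of operations from post #2. mysql_real_escape_string() needs an open connection (and no longer exists on current PHP), so escape_like_mysql() is a stand-in assumed by this example that does the same byte substitutions for a single-byte charset; the two build_query_* functions and the input values are likewise constructed for the example.

```php
<?php
// Added example (not code from the thread). mysql_real_escape_string() needs an
// open connection and was removed in PHP 7.0, so escape_like_mysql() below is a
// stand-in (an assumption of this example) that performs the same byte
// substitutions for a single-byte charset: NUL, newline, carriage return,
// backslash, single quote, double quote and Ctrl-Z each get a backslash in front.
function escape_like_mysql($s) {
    return strtr($s, array(
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ));
}

// The order of operations from post #1: interpolate the raw values, escape the
// finished query, then stripslashes() the result.
function build_query_wrong($pagetext, $pagename) {
    $query = "UPDATE Main SET PageText = '$pagetext' WHERE PageName = '$pagename'";
    $query = escape_like_mysql($query); // every quote and every CR/LF byte gets a backslash,
                                        // including the quotes the query itself needs
    return stripslashes($query);        // every backslash is removed again: the quotes are
                                        // back to raw, and CR/LF have become the letters r n
}

// The order from post #2: stripslashes() the raw value (undoing magic_quotes_gpc),
// escape each value separately, then build the query around the escaped values.
function build_query_right($pagetext, $pagename) {
    return "UPDATE Main SET PageText = '" . escape_like_mysql(stripslashes($pagetext)) .
           "' WHERE PageName = '" . escape_like_mysql(stripslashes($pagename)) . "'";
}

// Constructed input: a two-line page body and an attacker-chosen page name.
$pagetext = "first line\r\nsecond line";
$pagename = "home' OR '1'='1";

echo "wrong: ", build_query_wrong($pagetext, $pagename), "\n";
echo "right: ", build_query_right($pagetext, $pagename), "\n";

// Direct check that escape-then-strip is the identity for quotes: the injected
// WHERE clause survives untouched in the "wrong" query.
if (strpos(build_query_wrong($pagetext, $pagename), "PageName = 'home' OR '1'='1'") !== false) {
    echo "escaping was undone: the WHERE clause still carries the injection\n";
}
```

Run it with the php command-line binary. In the "wrong" query the quotes come back raw because stripslashes() removes exactly the backslashes the escaping inserted; the only lasting change is that the CR and LF bytes have lost their backslashes and now read as the letters rn, which is what post #1 saw. In the "right" query each quote in the page name is escaped and the line break is sent as the two-character escape sequences the server decodes. Two caveats: the stand-in models a single-byte charset, whereas the real function escapes according to the connection's charset, and escaping only protects values placed inside quotes, so an unquoted integer such as WHERE id = $id needs an (int) cast instead. On PHP 7 and later the equivalent of post #2's advice is a prepared statement (PDO or mysqli), which sends the values separately from the SQL and needs neither escaping nor stripslashes().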

#3 bertieboy_93

bertieboy_93
  • Members
  • Member
  • 13 posts

Posted 22 September 2006 - 07:56 PM

I followed your advice and it worked brilliantly! I'd just like to express my thanks; it's fantastic that so many people are willing to help.

#4 onlyican

onlyican
  • Members
  • Advanced Member
  • 921 posts
  • Location: Hants - UK

Posted 22 September 2006 - 09:54 PM

It's less confusing if you do the strings before adding them to the database.

(I mention this a lot, but)
Here is my function I use, and how I use it

<?php
function MakeSafe($str, $make_lower = false){
    if($make_lower){
        $str = strtolower($str);
    }
    $str = stripslashes($str);              // undo magic_quotes_gpc before escaping
    $str = trim($str);
    $str = strip_tags($str);
    $str = mysql_real_escape_string($str);  // needs an open mysql connection
    return $str;
}


// For strings you WANT in lowercase, usernames etc.
$username = MakeSafe($_POST["username"], 1);

// Strings keeping the CaSe
$name = MakeSafe($_POST["name"]);
$id = MakeSafe($_POST["id"]);

// Then the query (no spaces inside the quotes, or they end up stored in the columns)
$query = "UPDATE members SET username = '".$username."', name = '".$name."' WHERE id = '".$id."'";
$result = mysql_query($query);

// This checks if the query was done
if($result){
    echo "Everything is done";
}else{
    echo "There has been an error<br />\n";
    // Remove this line when finished testing
    echo mysql_error();
}
?>

Tell me the problem, I will try to tell you the solution
