What must be a simple answer.....just not for me

[Stevis2002]

Hi again all,

 

When i add text to my database through a form, it throws an error if i type 'wouldn't', but not if i type a word without an apostrophe.

 

Is there a simple fix for this please peeps?

 

Many Thanks

 

[email protected]+vat

[Pikachu2000]

You should be sanitizing all incoming form data with mysql_real_escape_string() (if you're using MySQL, that is).

[AbraCadaver]

Assuming mysql use mysql_real_escape_string().  If not use the one for your DB.

[Stevis2002]

Thanks guys.

 

So i looked up the  usage of mysql_real_escape_string(), and changed my code, as below, but it has given me errors now.

 

&_POST['customername'] = mysql_real_escape_string($_POST['customername']);
&_POST['town'] = mysql_real_escape_string($_POST'[town']);
&_POST['testimonial'] = mysql_real_escape_string($_POST['testimonial']);

$sql="INSERT INTO testimonials (CustomerName, Town, Testimonial, SortOrder, Images)
VALUES
('$_POST[customername]','$_POST[town]','$_POST[testimonial]','$_POST[sort_order]','$imgname')";

[Pikachu2000]

And what are those errors?

[Stevis2002]

Now change dto

 

function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
  {
  $value = stripslashes($value);
  }
// Quote if not a number
if (!is_numeric($value))
  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}

$customername = check_input($_POST['customername']);
$town = check_input($_POST['town']);
$testimonial = check_input($_POST['testimonial']);

&_POST['customername'] = mysql_real_escape_string($customername);
&_POST['town'] = mysql_real_escape_string($town);
&_POST['testimonial'] = mysql_real_escape_string($testimonial);

$sql="INSERT INTO testimonials (CustomerName, Town, Testimonial, SortOrder, Images)
VALUES
('$_POST[customername]','$_POST[town]','$_POST[testimonial]','$_POST[sort_order]','$imgname')";

[ManiacDan]

You're not properly quoting your array indexes.

 

You also added that fancy new function and you aren't using it.

 

-Dan

[BlueSkyIS]

&_POST????

[Stevis2002]

You're not properly quoting your array indexes.

 

You also added that fancy new function and you aren't using it.

 

-Dan

Thanks Dan, but my script calls the function check_input when the info gets posted in the customer name, town and testimonial fields....doens't it?

What do you mean about properly quoting the arrays? Should it be " instead of '?

[Stevis2002]

Ok, got rid of some code and now have

$customername = check_input($_POST['customername']);
$town = check_input($_POST['town']);
$testimonial = check_input($_POST['testimonial']);

$sql="INSERT INTO testimonials (CustomerName, Town, Testimonial, SortOrder, Images)
VALUES
('$_POST[customername]','$_POST[town]','$_POST[testimonial]','$_POST[sort_order]','$imgname')";

}

but still have the error as stated before

[Pikachu2000]

// ASSUMES DB CONNECTION ALREADY ESTABLISHED . . .

function check_input($value) {
// Stripslashes
if (get_magic_quotes_gpc()) {
	$value = stripslashes($value);
}
// Quote if not a number
if (!is_numeric($value)) {
	$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}

$_POST = array_map('check_input', $_POST);

$sql="INSERT INTO testimonials (CustomerName, Town, Testimonial, SortOrder, Images)
VALUES
('$_POST[customername]','$_POST[town]','$_POST[testimonial]','$_POST[sort_order]','$imgname')";

[Stevis2002]

Many Thanks for that mod!

 

1: still got the errors

function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
  {
  $value = stripslashes($value);
  }
// Quote if not a number
if (!is_numeric($value))
  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}

$_POST = array_map('check_input', $_POST);

$sql="INSERT INTO testimonials (CustomerName, Town, Testimonial, SortOrder, Images)
VALUES
('$_POST[customername]','$_POST[town]','$_POST[testimonial]','$_POST[sort_order]','$imgname')";

 

2. How do you get to know about all of these arrays?

I look at php.net and others but i can never get anything to stick in my head.

I can learn by being shown, but never out of a 'book' as such

[Pikachu2000]

Exactly what errors are they? Paste 'em in.

[Stevis2002]

Exactly what errors are they? Paste 'em in.

Sorry mate.....still the same one caused by the '

 

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Steve'',''Brum'',''fsdhewty\'f'','12','uploaded_images/transparent.gif')' at line 3

 

EDIT: Sorry, not the ' causing errors now, but not sure what is

[ManiacDan]

Debugging tips:

 

1)  Turn on error reporting.  You had & instead of $, error reporting would have told you this.

 

2)  Print your variables.  This means printing $sql and looking at it.  See where the problem is.

 

-Dan

[Pikachu2000]

I see what's going on here now. The function encloses string values in single quotes before returning them, so they're getting double quoted.

 

Rewrite the query string as:

$sql="INSERT INTO testimonials (CustomerName, Town, Testimonial, SortOrder, Images)
VALUES
({$_POST['customername']}, {$_POST['town']'}, {$_POST['testimonial']}, {$_POST['sort_order']}, $imgname)";

[Stevis2002]

Thanks for help Pika.

 

Now getting error saying..... Error: Unknown column 'uploaded_images' in 'field list'

 

function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
  {
  $value = stripslashes($value);
  }
// Quote if not a number
if (!is_numeric($value))
  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}

$_POST = array_map('check_input', $_POST);

$sql="INSERT INTO testimonials (CustomerName, Town, Testimonial, SortOrder, Images)
VALUES
({$_POST['customername']}, {$_POST['town']}, {$_POST['testimonial']}, {$_POST['sort_order']}, $imgname)";

}
if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "<p align=center><b>1 testimonial added</b></p>";

mysql_close($con);

 

 

[Pikachu2000]

Change this line:  die('Error: ' . mysql_error());

 

To this:  die("<br>Query: $sql<br>Error: " . mysql_error() . '<br>');

 

And see what the query string looks like now.

 

EDIT: Fixed typo.

[Stevis2002]

Change this line:  die('Error: ' . mysql_error());

 

To this:  die("<br>Query: $sql<br>Error: " . mysql_error() '<br>');

 

And see what the query string looks like now.

 

Just getting a blank page now

[Pikachu2000]

Nevermind, I removed one too many sets of quotes. Re-enclose $imgname in single quotes in the query string . . . '$imgname')";

[Stevis2002]

Nevermind, I removed one too many sets of quotes. Re-enclose $imgname in single quotes in the query string . . . '$imgname')";

 

Still blank page mate

[Pikachu2000]

And fixed typo in post above with die() modification. (Stupiod fingerts)

[Stevis2002]

Cheers mate, All error messages gone and it says 1 record added, but there is no record added

[Stevis2002]

Cheers mate, All error messages gone and it says 1 record added, but there is no record added

 

No, sorry mate,.....working fine.

my mistake, i had to change the max records from 10, to 100, as the record i put in was 11 lol

 

Many, many thanks mate.

 

U have slayed my oncoming headache lol

[Pikachu2000]

Well, I seem to have given myself one in the process. LOL. Shouldn't have been as complicated as I managed to make it, but what can ya do?