Jump to content

PHP double quotes in input

sshaham1

By sshaham1
in PHP Coding Help

 Share

Recommended Posts

sshaham1 Newbie

sshaham1

Posted
Posted

I'm designing a website that takes user input from in a <textarea></textarea> and enters the input into a database. Everything works besides if the user has double quotes (") in his/her message. (the name of the table that I want to add to is alluserposts)

 

What i have so far is the following:

from index.php:

<form action="insert2.php" method="post"><textarea name="user_post" rows="6" cols="35"></textarea></form>

 

from insert2.php:

mysql_query("INSERT INTO alluserposts (post_value) VALUES(" . "\"" . $_POST['user_post'] . "\")" ,$db) or die(mysql_error($db));

 

I want the user to be able to input any character. How can i do that?

Link to comment
https://forums.phpfreaks.com/topic/224631-php-double-quotes-in-input/
Share on other sites
QuickOldCar Regular Member

QuickOldCar

Posted
Posted

For reference.

 

Everyone working with php should at least read the php manual, or relative content with what they are doing.

http://www.php.net/manual/en/index.php

 

Here's just the string functions

http://www.php.net/manual/en/ref.strings.php

 

for any user input, don't use directly any superglobals in mysql queries, Those would be like $_POST,$_GET,$_REQUEST and so on.

http://php.net/manual/en/language.variables.superglobals.php

 

always escape them first

http://php.net/manual/en/function.mysql-real-escape-string.php

 

use for cleaning the input the following

http://php.net/manual/en/function.htmlentities.php

or

http://www.php.net/manual/en/function.htmlspecialchars.php

 

to strip the slashes

http://www.php.net/manual/en/function.stripslashes.php

 

And as Pikachu2000 said, you would be open to all types of attacks not taking the above measures.

I guarantee you would get hacked,deleted databases and whatnot fairly fast.

 

The biggest rule is "Never Trust User Input", not ever.

You just can't allow every character.

sshaham1 Newbie

sshaham1

Posted
  • Author
Posted

is this still vulnerable to SQL injections?

 

$data = $_POST['user_post'];

$data = trim($data);

$data = stripslashes($data);

$data = htmlspecialchars($data);

mysql_query("INSERT INTO alluserposts (post_value) VALUES(" . "\"" . $data . "\")" ,$db) or die(mysql_error($db));

Pikachu2000 Prolific Member

Pikachu2000

Posted
Posted

trim() is fine to use. You don't want to arbitrarily use stripslashes(); first check to see if magic_quotes_gpc() is on. There's no need to use htmlspecialchars() until you display the data. So a very basic escaping routine for string type data would be like this. You can also place this in a function wrapper, if desired.

 

require_once('your_db_connect_script.php'); // must be connected before using mysql_real_escape_string()
$data = trim($_POST['user_post']);
if( get_magic_quotes_gpc() ) {
$data = mysql_real_escape_string(stripslashes($data));
} else {
$data = mysql_real_escape_string($data);
}
//$data can now be used in the query string.

 

Note that this doesn't validate that the incoming data is actually of the type you want it to be. That needs to be handled through validation routines..

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.