colleyboy Posted January 25, 2011

OK, I am confused a little. I have a script which processes the form data and then uploads it to the mysql database. Simple. Only problem I have is when the textbox is filled with anything with a " it adds a \ before it.

example: Have a "great" day is now Have a \"Great\" day

So I thought maybe it could be the stripslashes. My code isn't working though. Any ideas peoples?

CODE:

<?php
mysql_connect("localhost", "xxxxxxxx", "xxxxxxxxxxxx") or die(mysql_error());
mysql_select_db("xxxxxxxxxxxxx") or die(mysql_error());

$title = stripslashes(trim($_POST['title']));
$content = stripslashes(trim($_POST['content']));

$title = mysql_real_escape_string(trim($_POST['title']));
$content = mysql_real_escape_string(trim($_POST['content']));

$what_id = $_POST['what_id'];

mysql_query("UPDATE homepage SET title='$title', content='$content' WHERE id = '1'") or die(mysql_error());

include 'updatedhyperlink1.php';
?>
Psycho Posted January 25, 2011

Take a close look at your code! You are first defining $title and $content using strip_slashes() and trim() on the POST values. Then you are redefining those variables using mysql_real_escape_string() again on the POST values. So you just lost anything you had with trim() and strip_slashes().
colleyboy (Author) Posted January 25, 2011

I see, do I need to do this then?

<?php
mysql_connect("localhost", "xxxxxxxx", "xxxxxxxxxxxx") or die(mysql_error());
mysql_select_db("xxxxxxxxxxxxx") or die(mysql_error());

$title = mysql_real_escape_string(stripslashes(trim($_POST['title'])));
$content = mysql_real_escape_string(stripslashes(trim($_POST['content'])));

$what_id = $_POST['what_id'];

mysql_query("UPDATE homepage SET title='$title', content='$content' WHERE id = '1'") or die(mysql_error());

include 'updatedhyperlink1.php';
?>
Psycho Posted January 25, 2011

The manual offers some sample code you can add which will use strip_slashes on all your user submitted data ONLY if the server has magic quotes turned on. In the interest of portability you should use that instead. Otherwise, if you move your code to another server or the settings are changed on your current server the strip_slashes will remove content that it shouldn't.

Here is the page with the code to programmatically remove magic quotes if used: http://www.php.net/manual/en/security.magicquotes.disabling.php

Implement that in any page that takes user submitted data. If you have a page that is included in all pages (which I always do) include the code in there. Then your code just needs to look like this:

mysql_connect("localhost", "xxxxxxxx", "xxxxxxxxxxxx") or die(mysql_error());
mysql_select_db("xxxxxxxxxxxxx") or die(mysql_error());

$title = mysql_real_escape_string(trim($_POST['title']));
$content = mysql_real_escape_string(trim($_POST['content']));

$what_id = (int) $_POST['what_id'];

mysql_query("UPDATE homepage SET title='$title', content='$content' WHERE id = '1'") or die(mysql_error());

include 'updatedhyperlink1.php';

Also, be sure to validate/cleanse ALL user input. I assumed that "what_id" would be an integer, so I used (int) to force it to be an int even if the user somehow submitted anything else.
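The approach Psycho describes, pulled together as an added example (my own code, not the poster's and not the PHP manual's snippet): one recursive helper undoes magic quotes only when the server actually set them, escaping happens exactly once at the point of use, and it assumes what_id is the id of the row being updated (the thread's own query hard-codes 1). It targets the PHP 5 / mysql_* setup in the thread; get_magic_quotes_gpc() is gone in PHP 8 and mysql_* in PHP 7.

```php
<?php
// Added example (not the original poster's code). Run it from the CLI to see
// the cleaned values without needing a database.

function undo_magic_quotes_deep($value) {
    // magic_quotes_gpc ran addslashes() over every GET/POST/COOKIE value,
    // including nested arrays such as name="tags[]"; undo exactly one layer.
    return is_array($value)
        ? array_map('undo_magic_quotes_deep', $value)
        : stripslashes($value);
}

// Do this once, in the file included by every page, never per field.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes_deep($_GET);
    $_POST   = undo_magic_quotes_deep($_POST);
    $_COOKIE = undo_magic_quotes_deep($_COOKIE);
}

// Constructed form post for a CLI run: this is what $_POST looks like after
// the block above, i.e. with no magic-quotes backslashes left in it.
if (PHP_SAPI === 'cli') {
    $_POST = array(
        'title'   => ' Have a "great" day ',
        'content' => "It's fine",
        'what_id' => '7abc',   // junk after the digits is dropped by (int)
    );
}

$title   = trim($_POST['title']);      // Have a "great" day
$content = trim($_POST['content']);
$what_id = (int) $_POST['what_id'];    // 7; anything non-numeric becomes 0

if (PHP_SAPI === 'cli') {
    var_dump($title, $content, $what_id);
    exit;
}

$link = mysql_connect("localhost", "xxxxxxxx", "xxxxxxxxxxxx") or die(mysql_error());
mysql_select_db("xxxxxxxxxxxxx", $link) or die(mysql_error());

// One escaping step, applied to the value that is actually going into SQL,
// and the integer is formatted with %d so no quoting is needed for it.
$sql = sprintf(
    "UPDATE homepage SET title='%s', content='%s' WHERE id = %d",
    mysql_real_escape_string($title, $link),
    mysql_real_escape_string($content, $link),
    $what_id
);
mysql_query($sql, $link) or die(mysql_error());
```

On a server with magic_quotes_gpc off, the helper never runs, so a title typed as Have a "great" day is stored as typed instead of with backslashes.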
colleyboy (Author) Posted January 25, 2011

Many thanks. Well, I have different pages with different submission forms with different rules. But that did work fine adding the stripslashes in with the trim and escape string. Knew it was something easy and obvious.

Thanks, Ian