Nodral Posted June 7, 2011 Share Posted June 7, 2011 Hi All I'm trying to create a 'safe' string from a user input to be written to a database, however when I use the mysql_real_escape_string function I just get an empty variable returned. I've even tried hard-coding the variable and it just gets wiped. <?php session_start(); include_once("connect.php"); include_once("is_logged_in.php"); include_once("is_admin.php"); $USERID=$_SESSION['USERID']; $new_question=$_POST['new_question']; $dirty_questiontext=$_POST['questiontext']; $dirty_new_text=$_POST['new_text']; $new_id=$_POST['new_id']; $type=$_POST['type']; $new_text=mysql_real_escape_string($dirty_new_text); echo "this is the new stuff" . $new_text; //get custom functions include_once("functions.php"); //check data tables exist and create if not include("table_check.php"); // add any new questiontext if(isset($questiontext)){ $sql="INSERT INTO ls_questions (text, category) VALUES ('$questiontext', '$type')"; mysql_query($sql) or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $sql . "<br />\nError: (" . mysql_errno() . ") " . mysql_error()); unset($new_question); unset($questiontext); unset($new_text); unset($new_id); } //any questions edited? /*if(isset($new_text)){ $sql='UPDATE ls_questions SET text = "' . $new_text . '",category= "' . $type . '" WHERE id = ' . $new_id; mysql_query($sql) or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $sql . "<br />\nError: (" . mysql_errno() . ") " . mysql_error()); unset($new_question); unset($questiontext); unset($new_text); unset($new_id); } */ //is user an admin and shall we add / edit question text? include("header.php"); echo"</head><body>"; if ($_SESSION['role']=="admin"){ //has user selected to add a question? if(isset($new_question)){ if($new_question=="create"){ ?> <p>Add text of new question</p> <form method="POST" action=""> <input type="text" name="questiontext" size="100"> <select name="type"> <option value="Activist">Activist</option> <option value="Reflector">Reflector</option> <option value="Theorist">Theorist</option> <option value="Pragmatist">Pragmatist</option> </select> <input type="submit"> </form> <?php }else{ $text=get_question_text($new_question, "ls_questions"); echo"<p>Previous question text is $text</p><p>Please enter new text in box below</p>"; ?> <form method="POST" action=""> <input type="text" name="new_text" size="100" value="<?php echo $text; ?>"> <input type="hidden" name="new_id" value="<?php echo $new_question; ?>"> <select name="type"> <option value="Activist">Activist</option> <option value="Reflector">Reflector</option> <option value="Theorist">Theorist</option> <option value="Pragmatist">Pragmatist</option> </select> <input type="submit"> <? } } echo"<p>Below is a list of current questions, either select one to edit or add a new one</p>"; //get all current questions and put in array with id numbers as key $sql="SELECT id, text, category FROM ls_questions"; $sql=mysql_query($sql); $count=mysql_num_rows($sql); while($row=mysql_fetch_array($sql)){ $all_questions[$row['id']][$row['category']]=$row['text']; } //echo "<H1>count - $count</H1>"; //echo out existing questions as list with a radio button to edit if($count!=0){ ?> <table border="2"> <form method="POST" action=""> <tr><td>Question Text</td><td>Type</td><td>Edit?</td><tr> <tr><td colspan="2">Add new question</td><td><input type="radio" name="new_question" value="create"></td></tr> <?php while(list($id, $array)=each($all_questions)){ while(list($category, $text)=each($array)){ echo'<tr><td>' . $text . '</td><td>' . $category . '</td><td><input type="radio" name="new_question" value="' . $id . '"</td></tr>'; } } ?> <tr><td colspan="3" align="center"><input type="submit"></td></tr> <form> </table> <?php }else{ ?> <p>Add text of first question</p> <form method="POST" action=""> <input type="text" name="questiontext" size="100"> <select name="type"> <option value="Activist">Activist</option> <option value="Reflector">Reflector</option> <option value="Theorist">Theorist</option> <option value="Pragmatist">Pragmatist</option> </select> <input type="submit"> </form> <?php } }else{ echo "fail"; } ?> </body> Any ideas? Quote Link to comment Share on other sites More sharing options...
fugix Posted June 7, 2011 Share Posted June 7, 2011 1. Are you sure that you are properly connected to your database? 2. Did you check to make sure that $_POST['new_text'] is actually passing data properly Quote Link to comment Share on other sites More sharing options...
QuickOldCar Posted June 7, 2011 Share Posted June 7, 2011 update this line if(isset($questiontext)){ if(isset($_POST['questiontext'])){ or even like if(!isset($_POST['questiontext'])){ echo "post question text not set"; } else { //execture query here } Checking for empty values may be nice as well if(isset($_POST['questiontext']) && $_POST['questiontext'] != ""){ //execute the query } else { echo "post question text not set"; } Just some examples of checking, there are more and even different ways Nowhere in the code do I see $questiontext EDIT: Lemme rephrase Nowhere do I see $questiontext assigned to a $_POST I see $dirty_questiontext=$_POST['questiontext']; instead of most likely you meant $questiontext=$_POST['questiontext']; Quote Link to comment Share on other sites More sharing options...
Nodral Posted June 8, 2011 Author Share Posted June 8, 2011 Hi Guys Thanks for the help, but $_POST['questiontext'] is set by the form around line 126. I know the database is connected as the form populates information from there prior to submission. The problem is not with the variable $questiontext, this will be added to the code later once I can find out why the escape function will not work with $dirty_new_text and $new_text. As mentioned I have manually set a value to $ new_text, and it works until I pass it to the mysql_real_escape_string function. Any more ideas? Quote Link to comment Share on other sites More sharing options...
Drummin Posted June 8, 2011 Share Posted June 8, 2011 The mysql_real_escape_string is working just fine (after I added my DB connection), though the logic of your forms might be misleading. Add print post to your page to make sure the form names you think are being sent are actually the one's being sent, in other words looking for "new_text" and not "questiontext" or "new_question". It worked fine for me once I figured out which form to use. print_r($_POST) ; Quote Link to comment Share on other sites More sharing options...
fugix Posted June 8, 2011 Share Posted June 8, 2011 if it was an error with the actual mysql_real_escape_string() function, when you echoed the string it would return false on error, not empty. this makes me believe that data is not actually being passed to the variable before using the function on it. Quote Link to comment Share on other sites More sharing options...
Nodral Posted June 8, 2011 Author Share Posted June 8, 2011 I've sorted this problem The issue was there was a ` rather than a ' . For some reason this was not being escaped. Quote Link to comment Share on other sites More sharing options...
fugix Posted June 8, 2011 Share Posted June 8, 2011 interesting, thank you for telling us what was causing the error. Edit: please mark this thread as solved in the lower left hand of the page. Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted June 8, 2011 Share Posted June 8, 2011 I've sorted this problem The issue was there was a ` rather than a ' . For some reason this was not being escaped. mysql_real_escape_string isn't supposed to escape backticks . . . Quote Link to comment Share on other sites More sharing options...
fugix Posted June 8, 2011 Share Posted June 8, 2011 I've sorted this problem The issue was there was a ` rather than a ' . For some reason this was not being escaped. mysql_real_escape_string isn't supposed to escape backticks . . . thats what I thought too, i believe that the only special chars that mysql_real_escape_string() cannot escape are the % and _ since they can be used as wildcards. I'm thinking that maybe he placed a ` in one of his post indices instaed of a ' ?? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.