User Input issue


fife


When a user on my site is entering words like

you're
don't
i've

the site is saying that the field has an error in it. Is there a way to stop this and allow the correct formatting automatically? Each field is already run through

trim, nl2br, mysql_real_escape_string

Cheers

Where is your validation code that is finding the input to be in error? My guess is that your server has "magic quotes" enabled which is automatically adding a backslash before quote marks. You should have a generic script that checks if magic quotes are enabled and, if so, uses stripslashes() on all user input.

See Example #2:

http://php.net/manual/en/security.magicquotes.disabling.php
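The generic check described above, written out as an added example (this is not code from the thread or from the PHP manual page linked, and the helper name strip_magic_quotes_deep is my own). It undoes the backslashes magic quotes adds, so that a later mysql_real_escape_string() is the only escaping applied and "you're" does not end up stored as "you\'re":

```php
<?php
// Added example, not the poster's code. Undo magic_quotes_gpc before any other
// processing so that mysql_real_escape_string() is applied exactly once.
// get_magic_quotes_gpc() only exists on PHP < 8.0 and always returns false from 5.4 on,
// so on current PHP this block is simply skipped.

function strip_magic_quotes_deep($value)
{
    // Request arrays can be nested (e.g. name="club[intro]"), so recurse into them.
    if (is_array($value)) {
        return array_map('strip_magic_quotes_deep', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes_deep($_GET);
    $_POST    = strip_magic_quotes_deep($_POST);
    $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = strip_magic_quotes_deep($_REQUEST);
}

// Self-check with a constructed value: addslashes() produces what magic quotes
// would deliver, and the helper must give the raw text back.
$raw      = "i've got no idea";
$as_magic = addslashes($raw);
assert(strip_magic_quotes_deep($as_magic) === $raw);
```

Include this once at the top of every page that reads request data (before the trim/nl2br/escape step shown later in the thread); running stripslashes() a second time further down would strip backslashes the user actually typed.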

if(isset($_POST['insert_club'])){
    // Process data for validation
    $intro = nl2br(trim($_POST['intro']));
    $about = nl2br(trim($_POST['about']));
    // Perform validations
    $errors = array();
    if(empty($intro)){
        $errors[] = "Please enter an introduction to your company";
    }
    if(empty($about)){
        $errors[] = "Please enter an about section of your company";
    }
    // Check if there were errors
    if(count($errors)===0){
        // Prepare data for db insertion
        // $intro and $about go into the query without mysql_real_escape_string(),
        // so a single quote in the input (i've) ends the string early: that is the
        // MySQL syntax error quoted below.
        // $validation1 is assumed to be set earlier in the page (not shown here).
        $query = "UPDATE `table` SET
            `intro` = '$intro',
            `about` = '$about'
            WHERE validationID = '$validation1'";

        $result = mysql_query($query) or die(mysql_error());
    }
}

That is my form. The error is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 've got no idea

Yes, sorry pikachu2000, it's here. That's from a copy page.


if(isset($_POST['insert_club'])){
    // Process data for validation
    $intro = nl2br(trim($_POST['intro']));
    $about = trim($_POST['about']);
    // Perform validations
    $errors = array();
    if(empty($intro)){
        $errors[] = "Please enter an introduction to your company";
    }
    if(empty($about)){
        $errors[] = "Please enter an about section of your company";
    }
    // Check if there were errors
    if(count($errors)===0){
        // Escape quotes and backslashes so the values cannot end the SQL string
        $intro = mysql_real_escape_string($intro);
        $about = mysql_real_escape_string($about);
        // Prepare data for db insertion
        // $validation1 is assumed to be set earlier in the page (not shown here).
        $query = "UPDATE `table` SET
            `intro` = '$intro',
            `about` = '$about'
            WHERE validationID = '$validation1'";

        $result = mysql_query($query) or die(mysql_error());
    }
}


The single quote in your user data is ending your query prematurely. You will need to use mysql_real_escape_string() before inserting the data into your db.

Edit: saw your new post, did you just add mysql_real_escape_string or was it there prior?

Yes, sorry pikachu2000, it's here. That's from a copy page.

Yeah, right. I find it very interesting that the code from the "copied" page would produce the error you posted with input using a quote mark, yet you now say that you are actually using the 2nd code you posted which would not cause that error. Have your "or die" clause echo the query to the page and you should see exactly what the error is.

$result= mysql_query($query) or die("Query: {$query}<br>Error: ".mysql_error());

Where is the connection to the DB made? I assume it comes before that code block. Since you're getting an error from MySQL, echo the actual query string along with the error so you can see what is actually being passed to mysql_query().

$result= mysql_query($query) or die( "<br>Query: $query<br>Returned error: " . mysql_error() );

Solved. It was what you said. I was reading the page without the real escape, nl2br and addslashes functions. Thank you both for the error checking code. I will be sure to use that again in the future!

Something to consider:

I would advise against using nl2br() before saving the data to the database. You can always use nl2br() when displaying the content to the page. The reason I say this is if you ever need to allow the user to edit the value. By using nl2br() when saving the content you have to then reverse that process before populating the data back into a text/textarea. Besides, you should be using nl2br() IN ADDITION TO htmlentities() to ensure the user input does not screw up the HTML code or introduce XSS exploits. So, I would advise storing the data exactly as the user input it (unless there is something you absolutely have to strip out). Then use the appropriate conversion based upon how you are displaying it.
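The store-raw, convert-on-display approach from the post above, written out as an added example. This is not the poster's or Psycho's code: it keeps the thread's `table`, `intro`, `about` and `validationID` names, but swaps the mysql_real_escape_string() string building for a mysqli prepared statement and assumes a mysqli connection in $db and the row id in $validation1, both set earlier in the page. The helper names render_multiline, textarea_value and save_club are my own.

```php
<?php
// Added example, not the thread's code. Text is stored exactly as typed; the
// HTML escaping and nl2br() happen only when the value is displayed.
// Assumes: $db is an open mysqli connection, $validation1 the row to update.

// Display helper: escape for HTML first, then convert newlines. The order matters,
// because escaping after nl2br() would turn the inserted <br /> tags into literal text.
function render_multiline($raw)
{
    return nl2br(htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'));
}

// Edit-form helper: the raw value goes straight back into the textarea,
// HTML-escaped only, so there is nothing to reverse.
function textarea_value($raw)
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Save helper: bound parameters keep "i've got no idea" as data, never as SQL
// syntax, so no quote in the text can end the query early.
function save_club(mysqli $db, $validationId, $intro, $about)
{
    $stmt = $db->prepare(
        'UPDATE `table` SET `intro` = ?, `about` = ? WHERE validationID = ?'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $intro, $about, $validationId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed input: the quote that broke the thread's query, a newline, and a
// tag that must show up as text rather than be interpreted as HTML.
$sample = "i've got no idea\n<b>not bold</b>";
echo render_multiline($sample);
echo '<textarea name="about">' . textarea_value($sample) . '</textarea>';

if (isset($_POST['insert_club'])) {
    $intro = trim($_POST['intro']);
    $about = trim($_POST['about']);
    $errors = array();
    if ($intro === '') {
        $errors[] = "Please enter an introduction to your company";
    }
    if ($about === '') {
        $errors[] = "Please enter an about section of your company";
    }
    if (count($errors) === 0) {
        if (!save_club($db, $validation1, $intro, $about)) {
            // Log the driver error server-side rather than printing it to the visitor.
            error_log('save_club failed: ' . $db->error);
        }
    }
}
```

Note that save_club() binds validationID as well, whereas the thread's query interpolates $validation1 directly into the SQL string; with a prepared statement every value travels as a parameter and the escaping step disappears entirely. The `$intro === ''` check replaces empty() because empty("0") is true, which would reject a legitimate one-character answer.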
