newb needs help: Single quotes going into a database... err...


I have a simple form that connects to this php page. Only two variables, "ArticleDescription" & "URL". I've tried a number of things, several of which are listed below, but have had no success. I'm certain it's just my idiocy but am requesting some help with this. I KNOW it's an easy fix, it's just over my head, I'm only four days into programming, so I'm a complete newb. Your kindness is requested.

 

----

<?php

// connection

mysql_select_db("doofyd5_comments", $con);

$ArticleDescription=mb_convert_encoding($ArticleDescription, 'UTF-8', 'UTF-8');
$URL=htmlspecialchars($URL, ENT_QUOTES);
$ArticleDescription=str_replace('\"','"',$ArticleDescription);

$sql="INSERT INTO web_articles (ArticleDescription, URL) VALUES ('$_POST[ArticleDescription]','$_POST')";

if (mysql_query($sql,$con)) {
    header ("location:desiredurl");
    require_once('desiredurl');
    exit();
}
else {
    echo "You may have added a single quote to the article description!";
}

mysql_close($con)

?>

----

doofy,

 

Your method of validation is not validation at all. Checking whether the query executes or not is not a way of validating whether it has quotes or not.

 

You need to validate beforehand, if that's what you're trying to do. Something more like this:

 

<?php

// connection

mysql_select_db("doofyd5_comments", $con);

$ArticleDescription=mb_convert_encoding($ArticleDescription, 'UTF-8', 'UTF-8');
$URL=htmlspecialchars($URL, ENT_QUOTES); // ENT_QUOTES converts all quotes to HTML equivalent. ENT_COMPAT converts only Double Quotes.
$ArticleDescription=str_replace('\"','"',$ArticleDescription);

$sql="INSERT INTO web_articles (ArticleDescription, URL) VALUES ('$_POST[ArticleDescription]','$_POST[url]')";

if (mysql_query($sql,$con)) {
    header ("location:desiredurl");
    require_once("desiredurl");
    exit();
}
else {
    echo "An unexpected error occured.";
    // ADMIN ERROR MESSAGE
    //echo mysql_error();
}

mysql_close($con)

?>

--- Edit ---

Furthermore, you have not actually identified what the problem you are having is.

Thanks for the quick reply and bear with me.

 

I've added "$ArticleDescription=mysql_real_escape_string($ArticleDescription);" to the code but I'm still getting the single quote error when trying to use a '.

 

Any additional help for this dummy would be mighty appreciated. Thanks in advance for your patience!

 

-Chris

The following error message occurred:

 

"Warning: Unexpected character in input: ''' (ASCII=39) state=1 in /home/doofyd5/public_html/trevor/admin/addtop5stories.php on line 18

 

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/doofyd5/public_html/trevor/admin/addtop5stories.php on line 23"

 

Thanks again for dealing with me, you don't understand how much I appreciate this.

-Chris

Try echoing all of your variables before using them, like this. Don't forget to check $sql as well.

 

echo '$ArticleDescription before changes: "' . $ArticleDescription . '"<br>';
echo '$URL before changes: "' . $URL . '"<br>';
$ArticleDescription=mb_convert_encoding($ArticleDescription, 'UTF-8', 'UTF-8');
$URL=htmlspecialchars($URL, ENT_QUOTES); // ENT_QUOTES converts all quotes to HTML equivalent. ENT_COMPAT converts only Double Quotes.
$ArticleDescription=str_replace('\"','"',$ArticleDescription);
echo '$ArticleDescription after changes: "' . $ArticleDescription . '"<br>';
echo '$URL after changes: "' . $URL . '"<br>';

Damn, typo when I was stripping the code.

 

Now I'm getting "An unexpected error occured.You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'asdf','asdf')' at line 1"

 

I'll echo the code as requested. Thanks again for all this help!!!

-Chris

Use mysql_real_escape_string on the string if you want to allow single quotes. It will escape them properly.

 

Add that function to your variables.

<?php

// connection

mysql_select_db("doofyd5_comments", $con);

$ArticleDescription=mysql_real_escape_string(mb_convert_encoding($ArticleDescription, 'UTF-8', 'UTF-8'));
$URL=mysql_real_escape_string(htmlspecialchars($URL, ENT_QUOTES)); // ENT_QUOTES converts all quotes to HTML equivalent. ENT_COMPAT converts only Double Quotes.
$ArticleDescription=str_replace('\"','"',$ArticleDescription);

$sql="INSERT INTO web_articles (ArticleDescription, URL) VALUES ('$_POST[ArticleDescription]','$_POST[url]')";

if (mysql_query($sql,$con)) {
    header ("location:desiredurl");
    require_once("desiredurl");
    exit();
}
else {
    echo "An unexpected error occured.";
    // ADMIN ERROR MESSAGE
    //echo mysql_error();
}

mysql_close($con)

?>

 

I've changed so much around now that I don't know where I'm at. I've removed the $posts in the sql query, and echoed as recommended. It works fine until I add a single quote ('), and then it displays nothing in the variables if I do.

 

---

code:

// connection

echo '$ArticleDescription before changes: "' . $ArticleDescription . '"<br>';
echo '$URL before changes: "' . $URL . '"<br>';
$ArticleDescription=mysql_real_escape_string(mb_convert_encoding($ArticleDescription, 'UTF-8', 'UTF-8'));
$URL=mysql_real_escape_string(htmlspecialchars($URL, ENT_QUOTES)); // ENT_QUOTES converts all quotes to HTML equivalent. ENT_COMPAT converts only Double Quotes.
$ArticleDescription=str_replace('\"','"',$ArticleDescription);
echo '$ArticleDescription after changes: "' . $ArticleDescription . '"<br>';
echo '$URL after changes: "' . $URL . '"<br>';

$sql="INSERT INTO web_articles (ArticleDescription, URL)";

if (mysql_query($sql,$con)) {
    echo "Successfully posted";
}
else {
    echo "An unexpected error occured.";
    // ADMIN ERROR MESSAGE
    echo mysql_error();
}

mysql_close($con)

?>

---

 

form input:

---

$ArticleDescription: asdf  '  asdf

$URL: asdf

---

output:

---

$ArticleDescription before changes: ""

$URL before changes: ""

$ArticleDescription after changes: ""

$URL after changes: ""

An unexpected error occured.You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

---

 

Thank you for the continued patience.

You are posting the $_POST[''] into the database. You need to post your edited information.

 

$sql="INSERT INTO web_articles (ArticleDescription, URL) VALUES ('$ArticleDescription','$URL')";

 

It should look like: (Note: I added debugging for you)

<?php

// connection

mysql_select_db("doofyd5_comments", $con);

echo '$ArticleDescription before changes: "' . $_POST['ArticleDescription'] . '"<br>';
echo '$URL before changes: "' . $_POST['URL'] . '"<br>';
$ArticleDescription=mysql_real_escape_string(mb_convert_encoding($_POST['ArticleDescription'], 'UTF-8', 'UTF-8'));
$URL=mysql_real_escape_string(htmlspecialchars($_POST['URL'], ENT_QUOTES)); // ENT_QUOTES converts all quotes to HTML equivalent. ENT_COMPAT converts only Double Quotes.
$ArticleDescription=str_replace('\"','"',$ArticleDescription);
echo '$ArticleDescription after changes: "' . $ArticleDescription . '"<br>';
echo '$URL after changes: "' . $URL . '"<br>';

$sql="INSERT INTO web_articles (ArticleDescription, URL) VALUES ('$ArticleDescription','$URL')";

if (mysql_query($sql,$con)) {
    header ("location:desiredurl");
    require_once("desiredurl");
    exit();
}
else {
    echo "An unexpected error occured.";
    // ADMIN ERROR MESSAGE
    //echo mysql_error();
}

mysql_close($con)

?>
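As an added illustration (not code from this thread or from anyone in it), here are the three approaches the thread walks through, written in Python against an in-memory SQLite table standing in for web_articles: splicing the raw form value into the SQL text, as the original script did; hand-escaping the quote, which is what mysql_real_escape_string does for MySQL; and a parameterized query, which is what a PDO prepared statement gives you in PHP. The parameterized form is the one to keep: the value never becomes part of the statement text, so a quote in the data cannot break the query, and the splice point that SQL injection depends on is gone. The table, sample values and function names are constructed for this example.

```python
import sqlite3

# Constructed sample input, modelled on the thread's form submission:
# the description contains a single quote, which is what broke the query.
ARTICLE_DESCRIPTION = "asdf  '  asdf"
URL = "asdf"


def new_db():
    """In-memory SQLite stand-in for the thread's web_articles table (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE web_articles (ArticleDescription TEXT, URL TEXT)")
    return con


def insert_interpolated(con, description, url):
    """The original approach: splice raw form values into the SQL text.
    Returns the database error message if the statement fails, else None."""
    sql = ("INSERT INTO web_articles (ArticleDescription, URL) "
           f"VALUES ('{description}','{url}')")
    try:
        con.execute(sql)
        con.commit()
        return None
    except sqlite3.OperationalError as exc:
        # With a quote in the data this is a syntax error, the same failure the
        # thread saw from MySQL ("near 'asdf','asdf')'").
        return str(exc)


def escape_sql_string(value):
    """Hand-rolled escaping in the spirit of mysql_real_escape_string.
    Standard SQL (and SQLite) escape a single quote by doubling it; MySQL also
    accepts a backslash, which is what mysql_real_escape_string emits."""
    return value.replace("'", "''")


def insert_escaped(con, description, url):
    """Escape, then interpolate. Works, but every value must be escaped by hand
    and for the right server dialect, and one forgotten call reopens the hole."""
    sql = ("INSERT INTO web_articles (ArticleDescription, URL) "
           f"VALUES ('{escape_sql_string(description)}','{escape_sql_string(url)}')")
    con.execute(sql)
    con.commit()


def insert_parameterized(con, description, url):
    """Preferred fix: the driver sends values separately from the SQL text, so a
    quote in the data can never change the statement. PDO prepared statements in
    PHP do the same thing."""
    con.execute(
        "INSERT INTO web_articles (ArticleDescription, URL) VALUES (?, ?)",
        (description, url),
    )
    con.commit()


def stored_descriptions(con):
    """Return what actually landed in the table, in insertion order."""
    return [row[0] for row in
            con.execute("SELECT ArticleDescription FROM web_articles ORDER BY rowid")]


def demo():
    """Run all three against the same quoted input.
    Returns (error from the interpolated insert, stored descriptions)."""
    con = new_db()
    err = insert_interpolated(con, ARTICLE_DESCRIPTION, URL)   # fails
    insert_escaped(con, ARTICLE_DESCRIPTION, URL)              # stores the row
    insert_parameterized(con, ARTICLE_DESCRIPTION, URL)        # stores the row
    return err, stored_descriptions(con)


if __name__ == "__main__":
    error, rows = demo()
    print("interpolated insert failed with:", error)
    print("rows stored by the other two:", rows)
```

The third responder's advice to echo the finished $sql and paste it into phpMyAdmin is exactly how the first function's failure shows up: the quote in the data closes the string literal early and the rest of the value is parsed as SQL. Note also that the quote survives intact in both stored rows; escaping protects the statement, it does not alter the data.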

$sql="INSERT INTO web_articles (ArticleDescription, URL)";

 

...you removed the values from your query.

 

You're also, as you can see, not actually getting anything into your two variables anymore.

 

You need to take a step back and tackle this one section at a time.  FIRST:  Get those variables populated again.  You clearly broke or deleted the section that sets them.  If you never set them and you're relying on a "feature" called register_globals, you're doing it wrong.  That feature is supposed to be OFF and will disappear entirely in PHP6.

 

SECOND:  Now that you have the variables, ensure that the before/after for mysql_real_escape_string is correct.

 

THIRD:  Build a properly formatted SQL statement and echo it out.  Copy/paste it into your query browser or phpmyadmin and ensure it works.

 

FOURTH:  Take that SQL and run it in your page.

Notice they never got the values in the first place?

 

The code I posted above should fix all the problems. Keyword is "should".

 

Edit: In my post above with the code I also fixed your variables to grab the data from the $_POST

Ok, I did it section by section, and edited the debugged code. It works perfectly.

 

Thank you all for your time, I truly appreciate the support, especially for someone as inept as me. If this were building computers or tweaking them, I'd totally help, but this programming is just over my head being only 4 days in.

 

Thank you for your kindness and generosity.

-Chris
