wmeredith Posted September 5, 2013

Hi Guys, I have an issue when posting text that has a single quote " ' ". The data just won't load.

    //get template & load data
    $tpl = file_get_contents('tpl/update_form.html');
    echo str_replace(array_keys($tpl_vars),array_values($tpl_vars),$tpl);
    } elseif(isset($_POST['update'])){
        $notes = mssql_escape($_POST['notes']);
        $notes2 = mssql_escape($_POST['notes2']);
        $notes3 = mssql_escape($_POST['notes3']);
        $notes = $_POST['notes'];
        $notes2 = $_POST['notes2'];
        $notes3 = $_POST['notes3'];
        $tpl_vars = array();
        $tpl_vars['{{title}}'] = "Session Notes Update Complete";
        $sql1 = "UPDATE session_notes SET notes = '$notes', notes2 = '$notes2', notes3 = '$notes3' WHERE appointment_id = '$appointment_id'";

If any text contains a single quote ' it won't update the data in the table.
control_freak Posted September 5, 2013

try using

    htmlspecialchars($_POST['key'], ENT_QUOTES);

this should encode all the double and single quotes to html characters. Alternately, you can use the str_replace function if you want to remove single quotes all the way from your strings:

    str_replace("'", '', $_POST['key']);
kicken Posted September 5, 2013

The quotes are causing errors in your query because you are not escaping your variables, or to be more precise, you are escaping them but then you over-write them with the original un-escaped values:

    //You escape them here like you should
    $notes = mssql_escape($_POST['notes']);
    $notes2 = mssql_escape($_POST['notes2']);
    $notes3 = mssql_escape($_POST['notes3']);
    //But then you replace them with the unescaped values.
    $notes = $_POST['notes'];
    $notes2 = $_POST['notes2'];
    $notes3 = $_POST['notes3'];

Remove those last three lines.
wmeredith (Author) Posted September 5, 2013

That seemed to work but removing the last three lines returns Hex values. Not sure if the Unpack Hex is in the wrong area when removing the 3 lines you requested. Here is the whole file:

    <?php
    session_start();
    include('C:\inetpub\wwwroot\connect.php');
    // echo "<pre>";
    // print_r($_SESSION);
    // echo "</pre>";

    function mssql_escape($data) {
        if(is_numeric($data))
            return $data;
        $unpacked = unpack('H*hex', $data);
        return '0x' . $unpacked['hex'];
    }

    $provider_id = $_SESSION['provider_id'];
    $password = $_SESSION['password'];

    if(isset($_SESSION['provider_id'])) {
        $provider_id = $_SESSION['provider_id'];
        $password = $_SESSION['password'];
        $sql = " SELECT COUNT(1) as cnt FROM providers WHERE provider_id = '$provider_id' AND password = '$password' ";
        $params = array();
        $options = array( "Scrollable" => SQLSRV_CURSOR_KEYSET );
        //$results = sqlsrv_query( $link, $sql, $params, $options);
        $row = sqlsrv_fetch_array(sqlsrv_query( $link, $sql, $params, $options));
        //$row_count = sqlsrv_num_rows( $results );
        //echo $row['cnt'] ;
        if($row['cnt'] == 1){
            //echo "logging in";
            $logged_in = true;
            $_SESSION['provider_id'] = $provider_id;
            $_SESSION['password'] = $password;
        } else {
            $logged_in = false;
            //echo "not logging in";
        }
    }

    if(!$logged_in){
        header("Location: index.php");
    } else {
        //Create Edit Form Here (Should verify if 'appointment_id' is associated with 'provider_id')
        if(isset($_POST['appointment_id'])){
            $appointment_id = mssql_escape($_POST['appointment_id']);
            $provider_id = mssql_escape($_SESSION['provider_id']);
            $sql = " SELECT COUNT(*) as count FROM session_notes WHERE appointment_id = '$appointment_id' AND provider_id = '$provider_id' ";
            $results = sqlsrv_query( $link, $sql, $params, $options);
            $row_count = sqlsrv_num_rows( $results );
            if($row_count == 1){
                if(isset($_POST['edit'])){
                    $_SESSION['appointment_id'] = $appointment_id;
                    //OUTPUT UPDATE FORM
                    $sql = " SELECT provider_id, patient_id, CONVERT(VARCHAR(10),appointment,110) as appt, notes,notes2,notes3 FROM session_notes WHERE appointment_id = '$appointment_id' ";
                    $row = sqlsrv_fetch_array(sqlsrv_query($link,$sql));
                    $tpl_vars = array();
                    $tpl_vars['{{title}}'] = "Session Notes Update Form";
                    $tpl_vars['{{appointment_id}}'] = $appointment_id;
                    $tpl_vars['{{provider_id}}'] = $row['provider_id'];
                    $tpl_vars['{{patient_id}}'] = $row['patient_id'];
                    $tpl_vars['{{appointment}}'] = $row['appt'];
                    $tpl_vars['{{notes}}'] = $row['notes'];
                    $tpl_vars['{{notes2}}'] = $row['notes2'];
                    $tpl_vars['{{notes3}}'] = $row['notes3'];
                    //get template & load data
                    $tpl = file_get_contents('tpl/update_form.html');
                    echo str_replace (array_keys ($tpl_vars),array_values($tpl_vars),$tpl);
                } elseif (isset($_POST['update'])){
                    $notes = mssql_escape($_POST['notes']);
                    $notes2 = mssql_escape($_POST['notes2']);
                    $notes3 = mssql_escape($_POST['notes3']);
                    //$notes = $_POST['notes'];
                    //$notes2 = $_POST['notes2'];
                    //$notes3 = $_POST['notes3'];
                    $tpl_vars = array();
                    $tpl_vars['{{title}}'] = "Session Notes Update Complete";
                    $sql1 = "UPDATE session_notes SET notes = '$notes', notes2 = '$notes2', notes3 = '$notes3' WHERE appointment_id = '$appointment_id'";
                    $sql2 = "INSERT INTO provider_submits (provider_sub) values( '$provider_id')";
                    $result1 = sqlsrv_query($link, $sql1);
                    //$result2 = sqlsrv_query($link, $sql2);
                    //include('C:\inetpub\wwwroot\notes\trigg.php');
                    if ( $result1 ) {
                        // your staff
                    } else if ( $result2 ) {
                        // your staff
                    }
                    if(sqlsrv_query($link,$sql)){
                        $tpl_vars['{{message}}'] = "Note Edited Successfully";
                        $Name = "Session Notes Entry App"; //senders name
                        $email = "email@adress.com"; //senders e-mail adress
                        $recipient = "notes@nipinst.org"; //recipient
                        $mail_body = "Appointment ID: $appointment_id\nProvider ID: $provider_id"; //mail body
                        $subject = "Note For AppID[$appointment_id] Updated"; //subject
                        $header = "From: ". $Name . " <" . $email . ">\r\n"; //optional headerfields
                        mail($recipient, $subject, $mail_body, $header); //mail command
                        //mail("wm@nipinst.org","Note For AppID[$appointment_id] Updated","Appointment ID: $appointment_id\nProvider ID: $provider_id");
                    } else {
                        //$tpl_vars['{{message}}'] = "Error! Please contact administrator.";
                        die('Error: ' . mssql_get_last_message());
                    }
                    //get template & load data
                    $tpl = file_get_contents('tpl/update_complete.html');
                    echo str_replace(array_keys($tpl_vars),array_values($tpl_vars),$tpl);
                } else {
                    header("Location: index.php");
                    //echo "A<br>";
                }
            } else {
                header("Location: index.php");
                //echo "B<br>";
            }
        } else {
            header("Location: index.php");
            //echo "C<br>";
        }
    }

Thanks for your response thus far.
cyberRobot Posted September 5, 2013

@wmeredith - When posting code, please surround it with tags. This places the code in a scrolling box and makes it easier to read.
wmeredith (Author) Posted September 5, 2013

Ok sorry, thanks for the tip.
AbraCadaver Posted September 5, 2013

I have no idea what you're doing with HEX, but in MSSQL I think you escape a ' with another '. So:

    $notes = str_replace("'", "''", $_POST['notes']);
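The three ways of getting a quoted value into SQL Server that come up in this thread, side by side, as an added example that is not part of any post here. It assumes $link is an open sqlsrv connection and that notes is a varchar column; bin2hex() produces the same hex string as the unpack('H*hex', ...) call in wmeredith's mssql_escape().

```php
<?php
// Added example, not from the thread. Assumes $link is an open sqlsrv connection.

// 1. The thread's hex approach. 0x... is a binary constant in T-SQL, so it must be
//    spliced into the query WITHOUT quotes; writing '0x...' makes it a plain string,
//    which is why the posted file ended up storing hex text in the notes column.
//    Only correct for varchar columns: an nvarchar column expects UTF-16LE bytes.
function mssql_escape_hex(string $data): string {
    if (is_numeric($data)) {
        return $data;
    }
    return '0x' . bin2hex($data);   // same bytes as unpack('H*hex', $data)['hex']
}

// 2. Doubling the quote (AbraCadaver's answer) is how T-SQL escapes ' inside a
//    string literal. The caller still has to wrap the value in quotes every time.
function mssql_escape_quotes(string $data): string {
    return "'" . str_replace("'", "''", $data) . "'";
}

// 3. Parameterized query: the value never becomes part of the SQL text, so no
//    escaping is needed and quotes in the notes field cannot alter the statement.
function update_notes($link, string $notes, string $notes2, string $notes3, string $appointment_id) {
    $sql = "UPDATE session_notes SET notes = ?, notes2 = ?, notes3 = ? WHERE appointment_id = ?";
    $params = [$notes, $notes2, $notes3, $appointment_id];
    return sqlsrv_query($link, $sql, $params);   // ? placeholders are bound by the driver
}

$notes = "Patient said: 'I'm fine'";   // constructed sample input containing quotes

// Hex form, unquoted: ... SET notes = 0x50617469656e74... WHERE ...
$sql_hex = "UPDATE session_notes SET notes = " . mssql_escape_hex($notes) . " WHERE appointment_id = 42";

// Doubled-quote form: ... SET notes = 'Patient said: ''I''m fine''' WHERE ...
$sql_quoted = "UPDATE session_notes SET notes = " . mssql_escape_quotes($notes) . " WHERE appointment_id = 42";

// Parameterized form: the query text stays fixed no matter what $notes contains.
// $result = update_notes($link, $notes, '', '', '42');
```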
wmeredith (Author) Posted September 7, 2013

That worked just fine, thanks!!!