Jump to content

Recommended Posts

Hi Guy's I have an issue when posting text that has a single quote " ' ". The data just won't load.

 

 

//get template & load data

 

 

$tpl = file_get_contents('tpl/update_form.html');
echo str_replace(array_keys($tpl_vars),array_values($tpl_vars),$tpl);
} elseif(isset($_POST['update'])){
$notes = mssql_escape($_POST['notes']);
$notes2 = mssql_escape($_POST['notes2']);
$notes3 = mssql_escape($_POST['notes3']);
$notes = $_POST['notes'];
$notes2 = $_POST['notes2'];
$notes3 = $_POST['notes3'];
$tpl_vars = array();
$tpl_vars['{{title}}'] = "Session Notes Update Complete";
 
$sql1 = "UPDATE session_notes
          SET notes     = '$notes',
            notes2     = '$notes2',
            notes3     = '$notes3'
WHERE appointment_id = '$appointment_id'";
 
If any text contains an '  Single quote it won't updat the data in the table. 
Link to comment
https://forums.phpfreaks.com/topic/281872-escape-special-character-single-quote/
Share on other sites

try using

htmlspecialchars($_POST['key'], ENT_QUOTES);

this should encode all the double and single quotes to html characters.

 

Alternately, you can use str_replace function if you want to remove single quotes all the way from your strings

str_replace("'", '', $_POST['key']);

The quotes are cause errors in your query because you are not escaping your variables, or to be more precise, you are escaping them but then you over-write them with the original un-escaped values:

 

//You escape them here like you should
$notes = mssql_escape($_POST['notes']);
$notes2 = mssql_escape($_POST['notes2']);
$notes3 = mssql_escape($_POST['notes3']);

//But then you replace them with the unescaped values.
$notes = $_POST['notes'];
$notes2 = $_POST['notes2'];
$notes3 = $_POST['notes3'];
Remove those last three lines.

That seemed to work but removing the last three lines returnes Hex values.

Not sure if the Unpack Hex is in the wrong area when removing the 3 lines you requested.

 

Hers is the whole file;

 

 

<?php
session_start();
include('C:\inetpub\wwwroot\connect.php');
 
// echo "<pre>";
// print_r($_SESSION);
// echo "</pre>";
function mssql_escape($data) {
    if(is_numeric($data))
        return $data;
    $unpacked = unpack('H*hex', $data);
    return '0x' . $unpacked['hex'];
}
 
$provider_id = $_SESSION['provider_id'];
$password = $_SESSION['password'];
 
 
 
if(isset($_SESSION['provider_id'])) {
$provider_id = $_SESSION['provider_id'];
$password = $_SESSION['password'];
 
$sql = "
SELECT
COUNT(1) as cnt
FROM providers
WHERE provider_id = '$provider_id'
AND password = '$password'
";
 
$params = array();
$options =  array( "Scrollable" => SQLSRV_CURSOR_KEYSET );
//$results = sqlsrv_query( $link, $sql, $params, $options);
$row = sqlsrv_fetch_array(sqlsrv_query( $link, $sql, $params, $options));
//$row_count = sqlsrv_num_rows( $results );
//echo $row['cnt'] ;
if($row['cnt'] == 1){
//echo "logging in";
$logged_in = true;
$_SESSION['provider_id'] = $provider_id;
$_SESSION['password'] = $password;
} else {
$logged_in = false;
//echo "not logging in";
}
}
 
if(!$logged_in){
 
header("Location: index.php");
} else {
//Create Edit Form Here (Should verify if 'appointment_id' is associated with 'provider_id')
if(isset($_POST['appointment_id'])){
$appointment_id = mssql_escape($_POST['appointment_id']);
$provider_id = mssql_escape($_SESSION['provider_id']);
 
$sql = "
SELECT
COUNT(*) as count
FROM session_notes
WHERE appointment_id = '$appointment_id'
AND provider_id = '$provider_id'
";
 
$results = sqlsrv_query( $link, $sql, $params, $options);
$row_count = sqlsrv_num_rows( $results );
 
if($row_count == 1){
if(isset($_POST['edit'])){
$_SESSION['appointment_id'] = $appointment_id;
//OUTPUT UPDATE FORM
$sql = "
SELECT
provider_id,
patient_id,
CONVERT(VARCHAR(10),appointment,110) as appt,
notes,notes2,notes3
FROM session_notes
WHERE appointment_id = '$appointment_id'
";
 
$row = sqlsrv_fetch_array(sqlsrv_query($link,$sql));
 
$tpl_vars = array();
$tpl_vars['{{title}}'] = "Session Notes Update Form";
$tpl_vars['{{appointment_id}}'] = $appointment_id;
$tpl_vars['{{provider_id}}'] = $row['provider_id'];
$tpl_vars['{{patient_id}}'] = $row['patient_id'];
$tpl_vars['{{appointment}}'] = $row['appt'];
$tpl_vars['{{notes}}'] = $row['notes'];
$tpl_vars['{{notes2}}'] = $row['notes2'];
$tpl_vars['{{notes3}}'] = $row['notes3'];
 
//get template & load data
$tpl = file_get_contents('tpl/update_form.html');
echo str_replace (array_keys ($tpl_vars),array_values($tpl_vars),$tpl);
} elseif
 
(isset($_POST['update'])){
$notes = mssql_escape($_POST['notes']);
$notes2 = mssql_escape($_POST['notes2']);
$notes3 = mssql_escape($_POST['notes3']);
//$notes = $_POST['notes'];
//$notes2 = $_POST['notes2'];
//$notes3 = $_POST['notes3'];
$tpl_vars = array();
$tpl_vars['{{title}}'] = "Session Notes Update Complete";
 
$sql1 = "UPDATE session_notes
          SET notes     = '$notes',
            notes2     = '$notes2',
            notes3     = '$notes3'
WHERE appointment_id = '$appointment_id'";
 
$sql2 = "INSERT INTO provider_submits
          (provider_sub) values( '$provider_id')";
 
$result1 = sqlsrv_query($link, $sql1);
//$result2 = sqlsrv_query($link, $sql2); 
//include('C:\inetpub\wwwroot\notes\trigg.php');
if ( $result1 ) {
 
   // your staff
 
} else if ( $result2 ) {
 
   // your staff
 
}
 
if(sqlsrv_query($link,$sql)){
$tpl_vars['{{message}}'] = "Note Edited Successfully";
$Name = "Session Notes Entry App"; //senders name 
$email = "email@adress.com"; //senders e-mail adress 
$recipient = "notes@nipinst.org"; //recipient 
$mail_body = "Appointment ID: $appointment_id\nProvider ID: $provider_id"; //mail body 
$subject = "Note For AppID[$appointment_id] Updated"; //subject 
$header = "From: ". $Name . " <" . $email . ">\r\n"; //optional headerfields 
 
mail($recipient, $subject, $mail_body, $header); //mail command :) 
//mail("wm@nipinst.org","Note For AppID[$appointment_id] Updated","Appointment ID: $appointment_id\nProvider ID: $provider_id");
} else {
//$tpl_vars['{{message}}'] = "Error! Please contact administrator.";
die('Error: ' . mssql_get_last_message()); 
}
 
//get template & load data
$tpl = file_get_contents('tpl/update_complete.html');
echo str_replace(array_keys($tpl_vars),array_values($tpl_vars),$tpl);
} else {
header("Location: index.php");
//echo "A<br>";
}
} else {
header("Location: index.php");
//echo "B<br>";
}
} else {
header("Location: index.php");
//echo "C<br>";
}
}
 
 
Thanks for your response thus far.
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.