Fearpig, posted May 11, 2007 (https://forums.phpfreaks.com/topic/50920-special-characters/)

. _ ! @ # $ ' and space character

Hi Guys... nice easy one for you (I hope!). I've got a nice form set up and it's all working fine unless someone enters a special character into the field and then presses submit. Anyway my question is what do you use to prevent special characters in a string interfering with your code? (I know there is a way to do it but don't know what it's called, which makes searching for it a bit of a pain.) Any help would be appreciated.
kenrbnsn, posted May 11, 2007

What do you mean by "interfering"? Please post the relevant pieces of your script that this type of input is breaking.

Ken
Fearpig (author), posted May 11, 2007

```php
<?php
// Original snippet from the post: the value is spliced straight into the SQL text,
// which is exactly why an apostrophe in the input breaks the statement.
$Event_Title = $_POST['Event_Title'];
$sql_Insert = "INSERT INTO tbl_Visit (Event_Title) VALUES ('$Event_Title')";
$Insert_Details = odbc_exec($conn, $sql_Insert);
if (!$Insert_Details) {
    exit("Error in SQL");
}
?>
```

I've cut this right down from what I'm using but I think this is where the error is. For example, if I enter "Toms Trip" as the event title everything goes through fine, however if I enter "Tom's Trip" I get the following error:

Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC SQL Server Driver] Incorrect syntax near 's'., SQL state 37000 in SQLExecDirect in D:\Intranet_v3\Process_Request.php on line 184 Error in SQL
redbullmarky, posted May 11, 2007

You need to escape the data first. If you know what data you're expecting, then you can use preg_replace() or similar to remove unwanted characters altogether, or you can escape them before putting them in the DB (or both, but DEFINITELY the latter, considering the ' can be both harmful AND legitimate so you don't wanna just get rid of it):

```php
<?php
$Event_Title = mysql_real_escape_string($_POST['Event_Title']);
// ... etc ...
?>
```

See mysql_real_escape_string() for more info.
jitesh, posted May 11, 2007

Javascript

```javascript
function isValidkeyword(Keyword) {
    // Valid characters and ASCII values:
    // a..z (97..122), A..Z (65..90), 0..9 (48..57), Space (32), & (38), ' (39), . (46)
    var str = Keyword;
    var valid_values_arr = new Array();
    valid_values_arr.push(13, 10); // CR and LF
    valid_values_arr.push(65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90);
    valid_values_arr.push(97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122);
    valid_values_arr.push(48,49,50,51,52,53,54,55,56,57);
    valid_values_arr.push(32, 38, 39, 46);
    for (var i = 0; i < str.length; i++) {
        var ch = str.charCodeAt(i);
        // Check the character code exists in the array
        if (checkvalue(ch, valid_values_arr) == false) {
            return false;
        }
    }
    return true;
}

function checkvalue(ch, valid_values_arr) {
    for (var j = 0; j < valid_values_arr.length; j++) {
        if (ch == valid_values_arr[j]) {
            return true;
        }
    }
    return false;
}
```

PHP

```php
<?php
function isValidkeyword($Keyword) {
    // Same allowlist as the JavaScript version: CR, LF, A-Z, a-z, 0-9, space, &, ', .
    $valida_char = array(13, 10,
        65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,
        97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,
        48,49,50,51,52,53,54,55,56,57,
        32, 38, 39, 46);
    for ($i = 0; $i < strlen($Keyword); $i++) {
        $ch = ord(substr($Keyword, $i, 1));
        if (!in_array($ch, $valida_char)) {
            return false;
        }
    }
    return true;
}
?>
```
redbullmarky, posted May 11, 2007

Danger being that javascript can be turned off. Personally I prefer server side validation as it's just more thorough. If you want to strip out chars you don't want, then you can do it in one swipe:

```php
<?php
// clean out unwanted chars - optional.
// this removes everything bar letters, numbers, space and apostrophe
$Event_Title = preg_replace("/[^A-Z0-9 ']/i", "", $_POST['Event_Title']);

// escape the data anyway - not really optional!
$Event_Title = mysql_real_escape_string($Event_Title);
?>
```
Fearpig (author), posted May 11, 2007

Hi Redbullmarky, I agree with what you say... and I would rather keep the special characters than remove them, so the escape option seems best. Is there an SQL version of this or could I still use the mysql version (the data is on an SQL 2005 server)?
redbullmarky, posted May 11, 2007

Good question - doing a bit of digging, mssql uses a different method for escaping strings. Looking through one of the DB libs I've got, and also in the php manual notes for addslashes, it seems you just need to double up your quotes. I adapted an example function on php.net with some extra code from CakePHP:

```php
<?php
function mssql_addslashes($data) {
    // magic_quotes_gpc (PHP < 5.4) may already have backslash-escaped the input;
    // undo that first so the backslashes don't end up stored in the database.
    // The function no longer exists in PHP 8, hence the function_exists() guard.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    // T-SQL escapes a single quote inside a string literal by doubling it.
    $data = str_replace("'", "''", $data);
    return $data;
}
?>
```

Give it a blast and see how it does.

edit: whoops, ignore that, I'm not reading the post properly that you're on ODBC...

edit 2: actually, give it a blast anyway - reading the notes on odbc_exec, it seems that one solution IS to double up your apostrophes. Have a look at the user contributed notes: odbc_exec
Fearpig (author), posted May 11, 2007

Right, you've given me loads to read through there! I've had a quick go but got the same error, but I'm sure I'll be able to sort it out from the links you sent.

Cheers Redbullmarky
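The three approaches the thread circles around, side by side, as an added example that is not code from any of the posters: the original string-spliced INSERT, the quote-doubling escape suggested for SQL Server, and the parameterised odbc_prepare()/odbc_execute() form that keeps the value out of the SQL text entirely. It assumes `$conn` is an open odbc_connect() handle to the SQL 2005 database and that the table and column names are the ones from the original post.

```php
<?php
// 1. The pattern from the original post. User input becomes part of the SQL
//    text, so an apostrophe ("Tom's Trip") ends the literal and breaks the
//    statement; any other input that does the same can alter the statement.
function insert_unsafe($conn, $title) {
    $sql = "INSERT INTO tbl_Visit (Event_Title) VALUES ('$title')";
    return odbc_exec($conn, $sql);
}

// 2. Quote doubling, the fix the thread settles on. T-SQL writes a single
//    quote inside a string literal as two single quotes. This is only valid
//    for a value that really is placed inside a quoted literal.
function mssql_quote($value) {
    return "'" . str_replace("'", "''", $value) . "'";
}

function insert_escaped($conn, $title) {
    $sql = "INSERT INTO tbl_Visit (Event_Title) VALUES (" . mssql_quote($title) . ")";
    return odbc_exec($conn, $sql);
}

// 3. Preferred: a parameterised statement. The driver sends the value
//    separately from the SQL, so no character in it can change the
//    statement's structure and nothing needs escaping.
//    Caveat from the odbc_execute() manual: a parameter that both starts
//    and ends with a single quote is treated as a file name to read and
//    send as a long field. Such values need a leading/trailing character
//    added or must go through path 2 instead.
function insert_prepared($conn, $title) {
    if (strlen($title) >= 2 && $title[0] === "'" && substr($title, -1) === "'") {
        return insert_escaped($conn, $title);
    }
    $stmt = odbc_prepare($conn, "INSERT INTO tbl_Visit (Event_Title) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    return odbc_execute($stmt, array($title));
}

// Optional allowlist in the spirit of the preg_replace() suggestion, applied
// before insertion. It is a data-quality rule (letters, digits, space,
// apostrophe, full stop, 1-100 chars), not a replacement for 2 or 3.
function is_valid_title($title) {
    return preg_match("/^[A-Za-z0-9 '.]{1,100}$/", $title) === 1;
}
?>
```

With "Tom's Trip" as input, insert_unsafe() reproduces the "Incorrect syntax near 's'" error from the thread, while insert_escaped() and insert_prepared() both store the title with its apostrophe intact.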