thefreebielife Posted May 23, 2007 Share Posted May 23, 2007 ive never used this before but did i set this up right? <?php if($_POST['task']=="addmcr") { $sql ="Insert into mcredit (dateCompOffer, email, status, username, offername)values ('" . $_POST['dateOfferComp'] . "', '" . $_POST['email'] . "', 'Unread','". $_SESSION['username'] ."','" . $_POST['offername'] . "')"; mysql_real_escape_string($email), if(mysql_query($sql)){ echo "<center><FONT SIZE='2px' COLOR='#FF0000'><B>Manual Credit Request Submitted Successfully.</B></FONT></center>" ; }else{ echo mysql_error(); } } php?> obviously i didnt since its not working but whats wrong? from where this comes from: <FORM NAME="f" METHOD=POST ACTION="main.php"> <INPUT TYPE="hidden" name="task" value="addmcr"> <p> </p> <table width="450" border="0" align="center" class="table" style="border: 1px dashed red; padding: 4px 4px 4px 4px; "> <tr> <td colspan="2"><div align="center"><? if ($error == "firstname") { echo "<font color=red><center>Your First Name is Incorrect</center></font>"; } if ($error == "address") { echo "<font color=red><center>Your Address is Incorrect</center></font>"; } if ($error == "city") { echo "<font color=red><center>Your City is Incorrect</center></font>"; } if ($error == "state") { echo "<font color=red><center>Your State is Incorrect</center></font>"; } if ($error == "zip") { echo "<font color=red><center>Your Zip Code is Incorrect</center></font>"; } if ($error == "Email") { echo "<font color=red><center>Your Email is Incorrect</center></font>"; } if ($error == "doubleemail") {echo '<center><font color="#ff0000">This Email is already in use. <br>Please Try Again'; } ?></div></td> </tr> <tr> <td colspan="2" style="border-bottom:1px dashed red "><div align="left"><strong>Manual Credit Request </strong></div></td> </tr> <tr> <td width="400"> </td> <td width="320"> </td> </tr> <tr> <td align="right">Date <BR><FONT SIZE="1" COLOR=""><B>(YYYY-MM-DD)</B></FONT>: </td> <td><input name="dateOfferComp" type="text" size="50" value="" /></td> </tr> <tr> <td height="26" align="right">Offer Name : </td> <td><input name="offername" type="text" size="50" value=""/></td> </tr> <tr> <td height="26" align="right" valign=top>Full Email with Headers: </td> <td><TEXTAREA NAME="email" ROWS="10" COLS="38"></TEXTAREA></td> </tr> <tr> <td> </td> <td > <div align="left"> <input type="submit" name="Submit" value="Submit Manual Credit Request" class="button" /> </div></td> </tr> <tr> <td colspan="2"></td> </tr> </table> </form> Quote Link to comment Share on other sites More sharing options...
hitman6003 Posted May 23, 2007 Share Posted May 23, 2007 Since you answered your own question, here is the correct way to use it: http://us.php.net/manual/en/function.mysql-real-escape-string.php#id5312299 Quote Link to comment Share on other sites More sharing options...
per1os Posted May 23, 2007 Share Posted May 23, 2007 Here is some code cooked up by people on the forum, I would actually use this in place of mysql_real_escape_string <?php function myEscape($string) { return get_magic_quotes_gpc()?addcslashes(stripslashes ($string), "\x00\n\are\\'\"\x1a" ):addcslashes($string, "\x00\n\are\\'\"\x1a" ); } if($_POST['task']=="addmcr") { $sql ="Insert into mcredit (dateCompOffer, email, status, username, offername)values ('" . myEscape($_POST['dateOfferComp']) . "', '" . myEscape($_POST['email']) . "', 'Unread','". $_SESSION['username'] ."','" . myEscape($_POST['offername']) . "')"; if(mysql_query($sql)){ echo "<center><FONT SIZE='2px' COLOR='#FF0000'><B>Manual Credit Request Submitted Successfully.</B></FONT></center>" ; }else{ echo mysql_error(); } } ?> That way you are sure it is not being double escaped and you do not need a DB connection to use it. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.