sennetta Posted July 7, 2007

Hello, new here. Can someone direct me to a page saying what the rules are for the backslashes being added by PHP? I read somewhere that they're automatically done for $_POST and $_GET, but I have the following:

<?php
//get timestamp
$timestamp = time();

//get form data
$headline = $_POST['headline'];
$newsText = $_POST['newsText'];

//set query
$query = "INSERT INTO news VALUES('','$timestamp','$headline','$newsText')";

//connect to mysql
include("../functions/lgcreds.php");
mysql_connect($host, $username, $password);

//select db
@mysql_select_db($database) or die("Unable to select database");

//query
mysql_query($query);

//close
mysql_close();

echo "$query";
?>

and the MySQL query keeps failing because I've written an apostrophe. Took me ages to work out what it was. If it isn't going to be consistent, is there any way of stripping the functionality so I can code my own str_replace to deal with it? I seriously almost posted a giant post at the MySQL section with all my code before it clicked... I'm new at all this.

Cheers,
Anthony
pocobueno1388 Posted July 7, 2007

Change these lines:

<?php
//get form data
$headline = $_POST['headline'];
$newsText = $_POST['newsText'];
?>

To:

<?php
//get form data (mysql_real_escape_string() needs an open mysql_connect() link,
//so these lines must run after connecting to the server)
$headline = mysql_real_escape_string($_POST['headline']);
$newsText = mysql_real_escape_string($_POST['newsText']);
?>

The mysql_real_escape_string() function will escape any characters that need to be escaped, and protect them from SQL injections.

www.php.net/mysql_real_escape_string
sennetta Posted July 7, 2007 (Author)

Cheers. Hmm, lots of errors. I take it I have to log in to the server first?

EDIT: Yes I did. Many thanks.
sennetta Posted July 9, 2007 (Author)

OK, that worked fine on the local test server, but when I put it online it's started escaping the single and double quotes too much, and the backslashes are starting to appear in the HTML output (just one before each " and '). The local version I'm running is PHP 4.3.10 and the online version is PHP 4.4.7.

This is a sample of the code used to update things:

<?php
//get timestamp
$timestamp = time();

//hidden data
$catagory = $_POST['catagory'];
$aboutId = $_POST['id'];
$URL = $_POST['url'];

//connect to mysql
include("../functions/lgcreds.php");
mysql_connect($host, $username, $password);

//select db
@mysql_select_db($database) or die("Unable to select database");

//get form data
$name = $_POST['name'];
$commentText = $_POST['commentText'];

//parse comment
$name = parseText($name, false, true);
$commentText = parseText($commentText, true, true);

//escape everything that goes into the query, the hidden fields included
$name = mysql_real_escape_string($name);
$commentText = mysql_real_escape_string($commentText);
$catagory = mysql_real_escape_string($catagory);
$aboutId = mysql_real_escape_string($aboutId);

//check input (strlen, not count: count() of a string is always 1)
$check = (strlen($name) > 0 && strlen($commentText) > 0);

//set query
$query = "INSERT INTO comments VALUES('','$timestamp','$catagory','$aboutId','$name','$commentText')";

//query db
if ($check) mysql_query($query);

//close
mysql_close();

//the URL is echoed into HTML, so entity-encode it
echo "<META HTTP-EQUIV=Refresh CONTENT=\"0; URL=" . htmlspecialchars($URL, ENT_QUOTES) . "\">";

function parseText($text, $paraWrap = false, $html = false)
{
    //convert html
    if ($html) {
        $text = str_replace("&", "&amp;", $text);
        $text = str_replace("<", "&lt;", $text);
        $text = str_replace(">", "&gt;", $text);
        $text = str_replace("\"", "&quot;", $text);
        $text = str_replace("£", "&pound;", $text);
        $text = str_replace("é", "&eacute;", $text);
    }

    //lose multiple newlines
    $text = preg_replace('/(\r\n){2,}/', "\r\n", $text);

    //insert paragraph html
    if ($paraWrap) $text = "<p>" . $text . "</p>";

    //convert newlines to paragraph breaks
    if ($paraWrap) $text = str_replace("\r\n", "</p><p>", $text);

    return $text;
}
?>

and the output might look like this:

\"This program won\'t work\" she said.

I think PHP is escaping at $_POST and then again at mysql_real_escape_string(). How can I sort this?

Cheers,
Anthony
pocobueno1388 Posted July 9, 2007

When you are wanting to display it, just use stripslashes() on it.
per1os Posted July 9, 2007

www.php.net/gpc_get_magic_quotes

Check, if that is true stripslashes then escape. If it is not true just escape.
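The approach described above, written out as an added example (this is not code from the thread or from any of its posters): strip the backslashes magic_quotes_gpc added, if it was on, so that the raw value is recovered, then escape exactly once for SQL, and only entity-encode when the value is displayed. It assumes the same ext/mysql API the thread uses, with a mysql_connect() link already open, and the field names from the comment form above; get_magic_quotes_gpc() exists in PHP 4 and 5 (magic quotes were removed in PHP 5.4, and the function itself in PHP 8).

```php
<?php
// Added example, not from the thread. Assumes mysql_connect() has already
// been called, because mysql_real_escape_string() needs an open link.

// Undo magic quotes if the server added them, so the value is the raw input.
function rawInput($value)
{
    if (get_magic_quotes_gpc()) {
        // magic quotes are applied to nested arrays too, so recurse
        return is_array($value) ? array_map('rawInput', $value) : stripslashes($value);
    }
    return $value;
}

// Escape a raw value exactly once for use inside a quoted SQL literal.
function sqlValue($value)
{
    return mysql_real_escape_string(rawInput($value));
}

// Entity-encode at display time only; the stored value stays unencoded,
// so it never picks up a second layer of backslashes or entities.
function htmlValue($value)
{
    return htmlspecialchars($value, ENT_QUOTES);
}

// Form fields as named in the thread's comment form (assumed hidden/text inputs).
$timestamp   = time();
$catagory    = sqlValue($_POST['catagory']);
$aboutId     = sqlValue($_POST['id']);
$name        = sqlValue($_POST['name']);
$commentText = sqlValue($_POST['commentText']);

// Same check as the thread, on the raw length rather than count().
if (strlen($name) > 0 && strlen($commentText) > 0) {
    $query = "INSERT INTO comments VALUES('','$timestamp','$catagory','$aboutId','$name','$commentText')";
    mysql_query($query);
}

// Later, when rendering a fetched row (hypothetical $row from mysql_fetch_assoc):
// echo "<p>" . htmlValue($row['commentText']) . "</p>";
?>
```

Whether magic quotes is on or off, a submitted value of `"This program won't work" she said.` reaches mysql_real_escape_string() without backslashes, is escaped once for the INSERT, and is stored and later displayed without the stray `\"` and `\'` seen in the output above. On PHP 5 with mysqli or PDO, bound parameters in a prepared statement remove the need to escape the SQL side at all; the display-time htmlspecialchars() step stays the same.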
sennetta Posted July 9, 2007 (Author)

Thanks, sorted.