monika Posted July 20, 2007

Below is the announcement PHP code. This code fails to handle different characters like [']: whenever I type monika's and click the send button to dump it into MySQL, it does not do so. It does not recognize other similar characters too. Could anyone please help me with this...

----------

    <?php include ("config.php"); ?>
    <?php
    if((isset($act)) && ($act=="action")){
        $dates=date("Y-m-d");
        echo "<div class=text>Data successfully updated on ". $dates. "<br> please wait while your browser redirects you to the main admin page.....</div>";
        // The form values are placed into the SQL string exactly as typed,
        // so a ' inside any of them ends the quoted value early and the query fails.
        $sql=mysql_query("update announcement set date='$dates', title='$announce1', text='$detail1', title1='$announce2', text1='$detail2', title2='$announce3', text2='$detail3'");
    ?>
    <script language="javascript">
    setTimeout('test()',2000);
    function test(){
        window.location.href="../index.php"
    }
    </script>
    <?php
    }else{
        echo 'You are not allowed here';
    ?>
    <script language="javascript">
    setTimeout('test()',1500);
    function test(){
        window.location.href="index.php"
    }
    </script>
    <?php } ?>

benjaminbeazy Posted July 20, 2007

http://us.php.net/manual/en/function.mysql-real-escape-string.php

monika Posted July 20, 2007

Well, every user does not have PHP knowledge, so they will just type and send. If they type 's or some unhandled keyword then their announcement will not get displayed... So what to do? I need to add some magic code in that code, so tell me what to add or edit... pls

benjaminbeazy Posted July 20, 2007

use addslashes on all input before processing query

TheFilmGod Posted July 20, 2007

Turn magic quotes on in the php.ini file. It's good for security and for your script!

monika Posted July 20, 2007

Didn't get you.. here's the form code..

    <input type="text" name="announce1" value="<?php echo $data->title; ?>" /></td>
    <tr>
    <td><textarea name="detail1" rows="3"><?php echo $data->text; ?></textarea></td>

TheFilmGod Posted July 20, 2007

addslashes() after query, and in the form you just gave me do stripslashes(). It's like you first allow it into MySQL somewhat encoded and then you decode it again for use!

monika Posted July 20, 2007

Well ya, first into MySQL and then it is decoded to the browser..

monika Posted July 20, 2007

    // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON
    if(get_magic_quotes_gpc()) {
        $detail1 = stripslashes($_POST['text']);
        $announce2 = stripslashes($_POST['title1']);
    } else {
        $detail1 = $_POST['text'];
        $announce2 = $_POST['title1'];
    }
    if(get_magic_quotes_gpc()) {
        $detail2 = stripslashes($_POST['text1']);
        $announce3 = stripslashes($_POST['title2']);
    } else {
        $detail2 = $_POST['text1'];
        $announce3 = $_POST['title2'];
    }
    if(get_magic_quotes_gpc()) {
        $detail3 = stripslashes($_POST['text2']);
        $announce4 = stripslashes($_POST['title3']);
    } else {
        $detail3 = $_POST['text2'];
        $announce4 = $_POST['title3'];
    }
    // is that ok.. i don't know..

monika Posted July 20, 2007

Well, help me friend.. I'm totally confused... how to trick those magic quotes...

per1os Posted July 20, 2007

Don't use the magic quotes, they do no good. Especially since they are being deprecated.

    <?php
    if((isset($act)) && ($act=="action")){
        $dates=date("Y-m-d");
        echo "<div class=text>Data successfully updated on ". $dates. "<br> please wait while your browser redirects you to the main admin page.....</div>";
        // Each form value is escaped for the current MySQL connection before it is placed between the quotes
        $sql=mysql_query("update announcement set date='$dates', title='" . mysql_real_escape_string($announce1) . "', text='" . mysql_real_escape_string($detail1) . "', title1='" . mysql_real_escape_string($announce2) . "', text1='" . mysql_real_escape_string($detail2) . "', title2='" . mysql_real_escape_string($announce3) . "', text2='" . mysql_real_escape_string($detail3) . "'");
    ?>
    <script language="javascript">
    setTimeout('test()',2000);
    function test(){
        window.location.href="../index.php"
    }
    </script>
    <?php
    }else{
        echo 'You are not allowed here';
    ?>
    <script language="javascript">
    setTimeout('test()',1500);
    function test(){
        window.location.href="index.php"
    }
    </script>
    <?php } ?>

That should solve your problem. The first post referenced the right function. www.php.net/mysql_real_escape_string I suggest you read up on it.

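The same update written with PDO prepared statements, as an added example that is not part of the original thread (the mysql_* functions used above were removed in PHP 7). It goes one step beyond escaping: the values never enter the SQL text at all. Assumptions: the table layout is inferred from the UPDATE statement above, an in-memory SQLite database stands in for the MySQL server so the script runs offline, and `saveAnnouncements` and the sample input are hypothetical.

```php
<?php
// Added example: table layout inferred from the UPDATE statement in the thread.
// An in-memory SQLite database stands in for MySQL so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE announcement ("date" TEXT, title TEXT, "text" TEXT,
            title1 TEXT, text1 TEXT, title2 TEXT, text2 TEXT)');
$pdo->exec("INSERT INTO announcement VALUES ('', '', '', '', '', '', '')");

// Constructed sample input standing in for the submitted form ($_POST).
$post = [
    'announce1' => "monika's announcement",
    'detail1'   => 'Quote " and backslash \\ are stored as typed',
    'announce2' => "Tomorrow's schedule",
    'detail2'   => '', 'announce3' => '', 'detail3' => '',
];

// Hypothetical helper: one UPDATE, every value bound as a parameter.
function saveAnnouncements(PDO $pdo, array $in): int
{
    // Placeholders keep the values out of the SQL text entirely,
    // so quotes in the input cannot end a string literal early.
    $stmt = $pdo->prepare(
        'UPDATE announcement SET "date" = :d, title = :t0, "text" = :x0,
         title1 = :t1, text1 = :x1, title2 = :t2, text2 = :x2'
    );
    $stmt->execute([
        ':d'  => date('Y-m-d'),
        ':t0' => $in['announce1'], ':x0' => $in['detail1'],
        ':t1' => $in['announce2'], ':x1' => $in['detail2'],
        ':t2' => $in['announce3'], ':x2' => $in['detail3'],
    ]);
    return $stmt->rowCount();
}

saveAnnouncements($pdo, $post);
$row = $pdo->query('SELECT * FROM announcement')->fetch(PDO::FETCH_ASSOC);

// Stored values match the input exactly: no addslashes/stripslashes round trip.
var_dump($row['title'] === $post['announce1']);
var_dump($row['text'] === $post['detail1']);

// When the value goes back into the edit form, escape it for HTML instead.
echo '<input type="text" name="announce1" value="',
     htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), '" />', "\n";
```

Against MySQL only the DSN changes (for example `mysql:host=...;dbname=...` with credentials), and the reserved column names are quoted with backticks instead of double quotes.
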
monika Posted July 20, 2007

Yippee, you're right... "'. mysql_real_escape_string($_variable_) ."' this solves the problem.. ya magic quotes yekh :-X Thanks once again...