Quotes and Apostrophes using


chaking

This is not a problem with the MySQL statement, as I always get the right info stored in the DB... But when I go to display it, well, that's the problem. And that can be a big problem because at times I call the column's value to put into a form's field so that the user can update the stored value. The problem is that it looks like the value is cut off whenever you put an apostrophe, and so if the user doesn't refill the form's value, then the wrong value gets updated in the DB.

Here's what I'm doing:

// Check that an email address was submitted (it is the key that identifies the row)
$em2 = '';
if (empty($_POST['email'])) {
    echo "You need to input the email address! That's the thing that tells the data apart!!!";
} else {
    $em2 = trim($_POST['email']);
}
$fn2 = trim($_POST['firstname']);
$ln2 = trim($_POST['lastname']);
$ti2 = trim($_POST['title']);
$op2 = trim($_POST['officephone']);
$cp2 = trim($_POST['cellphone']);
$hp2 = trim($_POST['homephone']);
$pa2 = trim($_POST['pager']);

// magic_quotes_gpc (PHP 5.3 and earlier) already put a backslash before every quote;
// strip it here so the values are not escaped a second time below
if (get_magic_quotes_gpc()) {
    $em2 = stripslashes($em2);
    $fn2 = stripslashes($fn2);
    $ln2 = stripslashes($ln2);
    $ti2 = stripslashes($ti2);
    $op2 = stripslashes($op2);
    $cp2 = stripslashes($cp2);
    $hp2 = stripslashes($hp2);
    $pa2 = stripslashes($pa2);
}

// escape the same values for use inside the SQL statement
$em2 = mysqli_real_escape_string($cxn, $em2);
$fn2 = mysqli_real_escape_string($cxn, $fn2);
$ln2 = mysqli_real_escape_string($cxn, $ln2);
$ti2 = mysqli_real_escape_string($cxn, $ti2);
$op2 = mysqli_real_escape_string($cxn, $op2);
$cp2 = mysqli_real_escape_string($cxn, $cp2);
$hp2 = mysqli_real_escape_string($cxn, $hp2);
$pa2 = mysqli_real_escape_string($cxn, $pa2);

Then I throw the values in a form:

echo "<h3>Please Update the information needed here:</h3>";
echo "<form action='update2.php' method='post'>";
echo "First name: <input type='text' name='firstname2' value='$fn2' />";
echo "Last name: <input type='text' name='lastname2' value='$ln2' /><br><br>";
echo "Login/Email: <input type='text' name='email2' value='$em2' /> <br><br>";
echo "Title: <input type='text' name='title2' value='$ti2' /><br><br>";
echo "Office Phone: <input type='text' name='officephone2' value='$op2' /><br><br>";
echo "Cell Phone: <input type='text' name='cellphone2' value='$cp2' /><br><br>";
echo "Home Phone: <input type='text' name='homephone2' value='$hp2' /><br><br>";
echo "Pager: <input type='text' name='pager2' value='$pa2' /><br><br>";
echo "<input type='submit' name='UPDATE HERE' />";
echo "</form>";

So two questions -

1) How do I prevent the value in the dB from killing the line (properly escape it)

2) Am I going through magic quotes and mysqli_real_escape in the most efficient way?

Thanks for your time

EDIT:

Split post into own topic. Don't post your problem in someone's (old) thread.
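One way to keep the two escapings apart, as an added example that is not the poster's code: the form is built from the raw value with HTML-attribute escaping (ENT_QUOTES), and the SQL side uses a mysqli prepared statement instead of mysqli_real_escape_string, so no backslashes ever reach the page. The contacts table, its column names and the sample POST values are assumptions.

```php
<?php
// Added example, not the poster's code: each output sink gets its own escaping.
// The form needs HTML-attribute escaping; the UPDATE needs SQL parameterisation.
// Table and column names (contacts, firstname, lastname, email) are assumed.

// Read one POSTed field as a plain string, undoing magic_quotes_gpc (PHP <= 5.3)
// exactly once, so the raw value, not an escaped copy, is what the rest uses.
function rawInput(string $key): string
{
    $value = trim($_POST[$key] ?? '');
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Render a text field from the RAW value. ENT_QUOTES converts both ' and "
// to entities, so the value can no longer terminate the single-quoted attribute
// and the browser shows the whole string, apostrophe included.
function textField(string $label, string $name, string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return "$label: <input type='text' name='$name' value='$safe' /><br><br>\n";
}

// Save the row with a prepared statement: the driver quotes the parameters,
// so mysqli_real_escape_string is not needed and nothing is escaped twice.
function updateContact(mysqli $cxn, string $email, string $first, string $last): bool
{
    $stmt = $cxn->prepare(
        'UPDATE contacts SET firstname = ?, lastname = ? WHERE email = ?'
    );
    $stmt->bind_param('sss', $first, $last, $email);
    return $stmt->execute();
}

// Constructed sample input: an apostrophe and double quotes, the characters
// that cut the original value='...' attributes short.
$_POST = [
    'email'     => 'obrien@example.com',
    'firstname' => "O'Brien",
    'lastname'  => 'Say "hi"',
];

$fn = rawInput('firstname');
$ln = rawInput('lastname');
echo textField('First name', 'firstname2', $fn);
echo textField('Last name', 'lastname2', $ln);
// With a live connection: updateContact($cxn, rawInput('email'), $fn, $ln);
```

The same raw value feeds both functions; only the escaping applied at each sink differs.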
