take out double quotes

anarchoi · March 29, 2008

well i have a php code that adds infos into database from a form...

the problem is that it won't work if there are double quotes ( " " " " " ) in the infos sent from the form

what is the easiest to take em out?

here is my code:

<?
if($_POST['submit']) //If submit is hit

{

//then connect as user

//change user and password to your mySQL name and password

mysql_connect("localhost","anarchoi1","******");

//select which database you want to edit

mysql_select_db("anarchoi1_phpb1");

//convert all the posts to variables:

$title = $_POST['title'];

$infos = $_POST['infos'];

$localisation = $_POST['localisation'];

$date = $_POST['date'];

$time = $_POST['time'];

$web = $_POST['web'];

$actif = $_POST['actif'];

$strSQL = "SELECT * FROM news2 WHERE title='".$title."'";

$rs=mysql_query($strSQL); //execute the query

if(mysql_num_rows($rs)==1)

{

$as = rand(0,9);

echo "Ce groupe est déja répertorié.";

}

else

{

$result=MYSQL_QUERY("INSERT INTO news2 (id,title,infos,localisation,date,time,actif,web)".

"VALUES ('NULL', '$title', '$infos', '$localisation', '$date', '$time', '$actif', '$web')");

//confirm

echo "Groupe Ajouté. Note: le groupe s'affichera dans la liste seulement après validation par un modérateur (-24h). Par contre, vous pouvez publier dès maintenant des concerts pour ce groupe. ";

}

//Insert the values into the correct database with the right fields

//mysql table = news2

//table columns = id, title, infos, localisation, date, time

//post variables = $title, $infos, '$localisation, $date, $time

}

?>

also, is there anything other than double quotes that can screw up my script, like that?

wildteen88 · March 29, 2008

You should never trust user input, you should always validate user input and make it safe for use in a query. Because your are not escaping quotes, any double quotes in the user input will break your query. Change the following codes:

   $title = $_POST['title'];
   $infos = $_POST['infos'];
   $localisation = $_POST['localisation'];
   $date = $_POST['date'];
   $time = $_POST['time'];
   $web = $_POST['web'];

to:

   $title = mysql_real_escape_string($_POST['title']);
   $infos = mysql_real_escape_string($_POST['infos']);
   $localisation = mysql_real_escape_string($_POST['localisation']);
   $date = mysql_real_escape_string($_POST['date']);
   $time = mysql_real_escape_string($_POST['time']);
   $web = mysql_real_escape_string($_POST['web']);

mysql_real_escape_string will help to prevent SQL Injection attacks, as it escapes dangerous characters from user input that is not safe for use in a query.

anarchoi · March 29, 2008

awesome, it worked!

thanks a lot, i learned a lot from this topic

i guess i'll use this code in all of my scripts that adds things into the database

wildteen88 · March 29, 2008

You should start to read up on SQL Injection - parts One, Two and Three.

anarchoi · March 29, 2008

Hmm i just noticed page breaks are not displayed anymore with this function

is there any fast way to convert the page breaks to 's in that code?

wildteen88 · March 29, 2008

use nl2br

Only use nl2br when you go to display the content from the database. i

t is not a good idea to apply nl2br when content goes into the database, as you may find the newlines will duplicate each time you edited the text.

Sign In

take out double quotes

Recommended Posts

anarchoi

Link to comment

Share on other sites

wildteen88

Link to comment

Share on other sites

anarchoi

Link to comment

Share on other sites

wildteen88

Link to comment

Share on other sites

anarchoi

Link to comment

Share on other sites

wildteen88

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information