take out double quotes


anarchoi

Well, I have a PHP code that adds info into a database from a form...

The problem is that it won't work if there are double quotes ( " ) in the info sent from the form.

What is the easiest way to take them out?

Here is my code:

<?php
if (isset($_POST['submit'])) // If submit is hit
{
  // then connect as user
  // change user and password to your MySQL name and password
  mysql_connect("localhost", "anarchoi1", "******");

  // select which database you want to edit
  mysql_select_db("anarchoi1_phpb1");

  // convert all the posts to variables:
  $title = $_POST['title'];
  $infos = $_POST['infos'];
  $localisation = $_POST['localisation'];
  $date = $_POST['date'];
  $time = $_POST['time'];
  $web = $_POST['web'];

  $actif = $_POST['actif'];

  // the form values are placed in the query text as-is (no escaping)
  $strSQL = "SELECT * FROM news2 WHERE title='" . $title . "'";
  $rs = mysql_query($strSQL); // execute the query
  if (mysql_num_rows($rs) > 0)
  {
    echo "<b>This group is already listed.</b>";
  }
  else
  {
    // id is auto-increment, so NULL (unquoted) lets MySQL assign it
    $result = mysql_query("INSERT INTO news2 (id,title,infos,localisation,date,time,actif,web)" .
        " VALUES (NULL, '$title', '$infos', '$localisation', '$date', '$time', '$actif', '$web')");

    // confirm
    echo "<b>Group added.</b><br>Note: the group will only appear in the list after it has been validated by a moderator (-24h). However, you can already post concerts for this group.<br>";
  }

  // Insert the values into the correct database with the right fields
  // mysql table = news2
  // table columns = id, title, infos, localisation, date, time, actif, web
  // post variables = $title, $infos, $localisation, $date, $time, $actif, $web
}
?>

Also, is there anything other than double quotes that can screw up my script like that?

https://forums.phpfreaks.com/topic/98466-take-out-double-quotes/

You should never trust user input; you should always validate user input and make it safe for use in a query. Because you are not escaping quotes, any double quotes in the user input will break your query. Change the following code:

   $title = $_POST['title'];
   $infos = $_POST['infos'];
   $localisation = $_POST['localisation'];
   $date = $_POST['date'];
   $time = $_POST['time'];
   $web = $_POST['web'];

to:

   $title = mysql_real_escape_string($_POST['title']);
   $infos = mysql_real_escape_string($_POST['infos']);
   $localisation = mysql_real_escape_string($_POST['localisation']);
   $date = mysql_real_escape_string($_POST['date']);
   $time = mysql_real_escape_string($_POST['time']);
   $web = mysql_real_escape_string($_POST['web']);

mysql_real_escape_string will help to prevent SQL Injection attacks, as it escapes dangerous characters from user input that is not safe for use in a query.
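The escaping the reply recommends works, with two caveats the thread does not spell out: mysql_real_escape_string() needs an open connection, so it must be called after mysql_connect() (as it would be in the script above), and the whole mysql_* extension was removed in PHP 7.0. The usual replacement is a prepared statement, where the values travel separately from the SQL text and nothing has to be escaped at all. The following is an added example, not code from the thread: it keeps the script's duplicate-check-then-insert logic but binds every form value as a parameter through PDO. The table definition, the column types and the sample form submission are constructed here, and it uses an in-memory SQLite database (assumes the pdo_sqlite extension is loaded) so it runs offline; against the poster's MySQL setup only the DSN and credentials noted in the comment change.

```php
<?php
// Added example (not the poster's code): the same duplicate-check-then-insert
// logic as the thread's script, with bound parameters instead of string
// interpolation, so quotes of either kind in the form data cannot alter the SQL.
// Runs against an in-memory SQLite table (constructed here) so it works offline;
// for the poster's MySQL setup the only change is the DSN and credentials, e.g.
// new PDO('mysql:host=localhost;dbname=anarchoi1_phpb1', 'anarchoi1', $password).

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the news2 table in the thread (types assumed).
    $db->exec('CREATE TABLE news2 (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        title TEXT, infos TEXT, localisation TEXT,
        date TEXT, time TEXT, actif TEXT, web TEXT)');
    return $db;
}

// Returns true if a row was inserted, false if the title already exists.
function addGroup(PDO $db, array $post): bool
{
    // Every value is passed as a parameter; the SQL text never contains user data.
    $check = $db->prepare('SELECT COUNT(*) FROM news2 WHERE title = ?');
    $check->execute([$post['title']]);
    if ((int) $check->fetchColumn() > 0) {
        return false;
    }

    $insert = $db->prepare(
        'INSERT INTO news2 (title, infos, localisation, date, time, actif, web)
         VALUES (:title, :infos, :localisation, :date, :time, :actif, :web)'
    );
    $insert->execute([
        ':title'        => $post['title'],
        ':infos'        => $post['infos'],
        ':localisation' => $post['localisation'],
        ':date'         => $post['date'],
        ':time'         => $post['time'],
        ':actif'        => $post['actif'],
        ':web'          => $post['web'],
    ]);
    return true;
}

// Constructed form submission containing both kinds of quote and an
// injection attempt; with interpolation this would break or rewrite the query.
$sample = [
    'title'        => 'The "Quoted" Band',
    'infos'        => "Rock 'n' roll; bio with a ' and a \"",
    'localisation' => "Montréal', 'x'); DROP TABLE news2; --",
    'date'         => '2008-03-29',
    'time'         => '21:00',
    'actif'        => '0',
    'web'          => 'http://example.com/',
];

$db = openDb();
$first  = addGroup($db, $sample);   // inserts the row
$second = addGroup($db, $sample);   // rejected: same title already present
$stored = $db->query('SELECT localisation FROM news2')->fetchColumn();
var_dump($first, $second, $stored === $sample['localisation']);
```

Run it with `php example.php`: the first call inserts, the second is rejected as a duplicate, and the localisation string that looks like an injection is stored as plain data with the table still intact. The point to take from it is that the duplicate check and the insert are the same two statements the script already runs; only the transport of the values changes, and the question of which characters might "screw up" the query stops mattering.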
