
Well, I have a PHP script that adds info into a database from a form...

The problem is that it won't work if there are double quotes (") in the info sent from the form.

What is the easiest way to take them out?

 

Here is my code:

 

<?php
if (isset($_POST['submit'])) // If submit is hit
{
  // then connect as user
  // change user and password to your MySQL name and password
  mysql_connect("localhost", "anarchoi1", "******");

  // select which database you want to edit
  mysql_select_db("anarchoi1_phpb1");

  // convert all the posts to variables:
  $title = $_POST['title'];
  $infos = $_POST['infos'];
  $localisation = $_POST['localisation'];
  $date = $_POST['date'];
  $time = $_POST['time'];
  $web = $_POST['web'];

  $actif = $_POST['actif'];

  // check whether a group with this title is already listed
  $strSQL = "SELECT * FROM news2 WHERE title='" . $title . "'";
  $rs = mysql_query($strSQL); // execute the query
  if (mysql_num_rows($rs) > 0)
  {
    echo "<b>Ce groupe est déja répertorié.</b>"; // "This group is already listed."
  }
  else
  {
    // Insert the values into the correct database with the right fields
    // mysql table = news2
    // table columns = id, title, infos, localisation, date, time, actif, web
    // post variables = $title, $infos, $localisation, $date, $time, $actif, $web
    // id is auto-increment, so pass NULL (not the string 'NULL') and let MySQL assign it
    $result = mysql_query("INSERT INTO news2 (id,title,infos,localisation,date,time,actif,web)" .
        " VALUES (NULL, '$title', '$infos', '$localisation', '$date', '$time', '$actif', '$web')");

    // confirm
    // "Group added. Note: the group will only appear in the list after validation by a
    //  moderator (-24h). However, you can publish concerts for this group right away."
    echo "<b>Groupe Ajouté.</b><br>Note: le groupe s'affichera dans la liste seulement après validation par un modérateur (-24h). Par contre, vous pouvez publier dès maintenant des concerts pour ce groupe.<br>";
  }
}
?>

 

 

Also, is there anything other than double quotes that can screw up my script like that?

https://forums.phpfreaks.com/topic/98466-take-out-double-quotes/

You should never trust user input; you should always validate user input and make it safe for use in a query. Because you are not escaping quotes, any double quotes in the user input will break your query. Change the following code:

   $title = $_POST['title'];
   $infos = $_POST['infos'];
   $localisation = $_POST['localisation'];
   $date = $_POST['date'];
   $time = $_POST['time'];
   $web = $_POST['web'];

to:

   $title = mysql_real_escape_string($_POST['title']);
   $infos = mysql_real_escape_string($_POST['infos']);
   $localisation = mysql_real_escape_string($_POST['localisation']);
   $date = mysql_real_escape_string($_POST['date']);
   $time = mysql_real_escape_string($_POST['time']);
   $web = mysql_real_escape_string($_POST['web']);

mysql_real_escape_string will help to prevent SQL Injection attacks, as it escapes dangerous characters from user input that is not safe for use in a query.
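The following is an added example, not code from the thread, showing concretely what the escaping advice above protects against. It uses an in-memory SQLite database through PDO so it runs stand-alone (assumes the pdo_sqlite extension, which is bundled with PHP); the table and column names mirror the thread, and the rows and inputs are constructed sample data. It runs the duplicate check from the original post in two forms: the string-concatenated query the post uses, and a prepared statement, which is the approach to use today because the old mysql_* functions (including mysql_real_escape_string, which also needs an open connection to work) were removed in PHP 7. Two things the example makes visible: it is a single quote in the input, not a double quote, that terminates the single-quoted SQL literal, and an input such as `x' OR '1'='1` changes the query's meaning rather than merely breaking it.

```php
<?php
// Added example (not from the original post): why the concatenated query breaks and how to fix it.
// In-memory SQLite via PDO so it runs offline; the real site uses MySQL, where the same applies.
// Assumed table layout: a subset of the thread's news2 table with constructed sample rows.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news2 (id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT, infos TEXT)');
$db->exec("INSERT INTO news2 (title, infos) VALUES ('Existing Band', 'already listed')");

// 1. The original approach: the raw form value is concatenated into the SQL text.
function countByTitleUnsafe(PDO $db, string $title): int {
    $sql = "SELECT COUNT(*) FROM news2 WHERE title='" . $title . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// 2. The fix: a prepared statement. The value travels separately from the SQL text,
//    so quotes of either kind are plain data and cannot change the query's structure.
function countByTitleSafe(PDO $db, string $title): int {
    $stmt = $db->prepare('SELECT COUNT(*) FROM news2 WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return (int) $stmt->fetchColumn();
}

// Constructed form inputs, each with the effect it has on the unsafe query.
$inputs = [
    'Band "Quoted"' => 'double quotes: harmless inside a single-quoted SQL literal',
    "Rock'n'Roll"   => 'a single quote: terminates the literal, so the query fails',
    "x' OR '1'='1"  => 'injection: the duplicate check now matches every row',
];

foreach ($inputs as $title => $why) {
    echo "Input: $title  ($why)\n";
    try {
        echo "  unsafe: ", countByTitleUnsafe($db, $title), " row(s)\n";
    } catch (PDOException $e) {
        echo "  unsafe: query failed: ", $e->getMessage(), "\n";
    }
    echo "  safe:   ", countByTitleSafe($db, $title), " row(s)\n";
}
```

Run it from the command line with `php example.php`. The third input returns 1 row from the unsafe check (the `OR '1'='1'` matches the existing row) and 0 rows from the prepared statement. The same pattern applies to the INSERT in the original post, where an injected value would be able to append arbitrary SQL rather than just break the statement. With mysqli against the thread's MySQL database the equivalent is `$stmt = $mysqli->prepare('INSERT INTO news2 (title, infos) VALUES (?, ?)'); $stmt->bind_param('ss', $title, $infos); $stmt->execute();`.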

Use nl2br.

 

Only use nl2br when you go to display the content from the database. It is not a good idea to apply nl2br when content goes into the database, as you may find the newlines will duplicate each time you edit the text.
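An added example, not from the thread, illustrating the point above: keep the stored text as the user typed it and convert newlines only when rendering, and HTML-escape before nl2br so that any markup the user typed stays inert while the `<br />` tags nl2br produces survive. The second function shows the duplication effect described above: nl2br keeps the original newline and inserts `<br />` in front of it, so if the converted text is saved and later re-converted on edit, each round adds another `<br />`. The sample text is constructed.

```php
<?php
// Added example (not from the original thread): apply nl2br at display time, never at save time.
// $stored is constructed sample input, kept exactly as it arrived from the form.

$stored = "Line one\nLine two & <b>not bold</b>";

// Rendering: escape first, then convert newlines. Escaping after nl2br would neutralise
// the <br /> tags it just inserted.
function renderInfos(string $text): string {
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// What happens if nl2br had been applied before saving and the record is edited and re-saved:
// nl2br leaves the "\n" in place, so each save adds another "<br />" before it.
function saveWithNl2br(string $text): string {
    return nl2br($text);
}

echo renderInfos($stored), "\n\n";

$once  = saveWithNl2br($stored);   // "Line one<br />\nLine two ..."
$twice = saveWithNl2br($once);     // "Line one<br /><br />\nLine two ..."
echo $once, "\n---\n", $twice, "\n";
```

Run with `php example.php`; the output after the `---` line shows the doubled `<br />` that the re-save produces.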
