  1. #1
    SitePoint Evangelist (Join Date: Mar 2006, Posts: 412)

    Form to DB - Back to basics

    I don't know what I'm doing wrong here...
    A very simple form is adding slashes to special characters in the DB, i.e. that\'s entertainment

    PHP Code:
    <?php
    if (isset($_POST['upload'])) {
        include 'dbconnection.php';

        // Escape each value exactly once, after the connection exists, so the
        // escaping uses the connection's character set.
        $ttitle  = mysql_real_escape_string($_POST['ttitle']);
        $ttitle2 = mysql_real_escape_string($_POST['ttitle2']);

        $query = "INSERT INTO test (ttitle, ttitle2) "
               . "VALUES ('$ttitle', '$ttitle2')";

        mysql_query($query) or die('Error, query failed : ' . mysql_error());

        echo "<br>File uploaded<br>";
    }
    ?>
    php.ini (PHP 5.2.17), Local Value / Master Value:
    magic_quotes_gpc      Off   Off
    magic_quotes_runtime  Off   Off
    magic_quotes_sybase   Off   Off

    ...any ideas?

  2. #2
    SitePoint Wizard bronze trophy chris.upjohn's Avatar
    Join Date
    Apr 2010
    Location
    Melbourne, AU
    Posts
    2,192
    Mentioned
    17 Post(s)
    Tagged
    1 Thread(s)
    The mysql_real_escape_string function is the reason why. When inserting data into a database you should always escape anything that can disrupt the MySQL query, including single quotes, which would break your query because you're wrapping the row value in single quotes.


    Sent from my iPhone using Tapatalk

  3. #3
    SitePoint Evangelist (Join Date: Mar 2006, Posts: 412)
    Sorry, I'm a bit tired and things just go straight over my head... what should I have done?
    Thanks in advance

  4. #4
    chris.upjohn, SitePoint Wizard (Join Date: Apr 2010, Location: Melbourne, AU, Posts: 2,192)
    Sorry, it's hard to explain things when I'm on my iPhone. Basically, if you look at the following example you will see the issue straight away when using single quotes to wrap your data.

    Code:
    $query = "INSERT INTO test (name, bio) VALUES ('Chris', 'I'm Chris and I'm a 20 year old web developer from Melbourne Australia')";
    As you can see, I've highlighted the problems in red: the un-escaped quotes, which would cause a MySQL error. However, when using the mysql_real_escape_string() function this is avoided, because it knows to automatically escape anything that we don't. When retrieving data from your database you can simply use the stripslashes() function, which removes the backslash from the single quotes etc...

  5. #5
    SitePoint Evangelist (Join Date: Mar 2006, Posts: 412)
    Cheers, but I'm still a little confused.

    I've had a look at some of my old database tables and, although I've used mysql_real_escape_string, there aren't any \' in the tables... Similarly, I've looked around, and isn't it true that it just escapes the string that's being inserted, and shouldn't actually be entered into the database?

    Sorry, I didn't want this to be a long thread... I just want to clarify before I run stripslashes() on data pulled from the database.

    B
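A worked round trip of the escaping discussed in posts #1, #4 and #5, added here as an example that is not code from any of the posts above. It models in Python what mysql_real_escape_string() emits and how the MySQL server decodes backslash escapes inside a single-quoted literal (default SQL mode, i.e. without NO_BACKSLASH_ESCAPES), so it runs offline with no database. The names stored_value, literal_is_intact and php_stripslashes are assumed for this illustration, and the inputs are constructed, not rows from the thread's table. It shows that one pass of escaping stores that's with no backslash; that a second escaping pass somewhere upstream (magic quotes, an addslashes() call, a JavaScript layer) is what leaves that\'s in the column; and that stripslashes() on the way out would also destroy legitimate stored backslashes such as Windows paths.

```python
"""Model of MySQL string-literal escaping, added as an illustration.

This is not PHP from the thread and does not talk to a database: it
re-implements the escaping rule of PHP's mysql_real_escape_string() and the
decoding rule the MySQL lexer applies to a single-quoted literal (default SQL
mode, not NO_BACKSLASH_ESCAPES).  Function names are assumed for this example.
"""

# What mysql_real_escape_string() emits for each character it escapes.
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}

# How the server decodes a backslash sequence inside a literal.
_UNESCAPES = {
    "0": "\0", "n": "\n", "r": "\r", "\\": "\\",
    "'": "'", '"': '"', "Z": "\x1a", "b": "\b", "t": "\t",
}


def mysql_real_escape_string(value):
    """Escape a value so it can be spliced inside '...' in SQL text."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_quoted_literal(text):
    """Read one single-quoted literal from the start of `text` the way the
    MySQL lexer would.  Returns (decoded value, text left after the closing
    quote).  A backslash sequence decodes to the mapped character, or to the
    character itself if it is not a recognised escape; '' inside the literal
    is a literal quote.  Raises ValueError if no closing quote is found."""
    if not text.startswith("'"):
        raise ValueError("literal must start with a single quote")
    out, i = [], 1
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            out.append(_UNESCAPES.get(text[i + 1], text[i + 1]))
            i += 2
        elif ch == "'":
            if text[i + 1 : i + 2] == "'":
                out.append("'")
                i += 2
            else:
                return "".join(out), text[i + 1 :]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def stored_value(form_input, escape_passes):
    """What the column ends up holding when `form_input` is run through
    mysql_real_escape_string() `escape_passes` times and then spliced into
    INSERT ... VALUES ('...')."""
    s = form_input
    for _ in range(escape_passes):
        s = mysql_real_escape_string(s)
    value, rest = parse_quoted_literal("'" + s + "'")
    if rest:
        raise ValueError("stray text after literal: " + rest)
    return value


def literal_is_intact(raw_value):
    """True if splicing `raw_value` unescaped into '...' still yields exactly
    one literal; False means the quote ended early (a syntax error, or worse,
    an injection point).  The example in post #4 is the False case."""
    try:
        _, rest = parse_quoted_literal("'" + raw_value + "'")
    except ValueError:
        return False
    return rest == ""


def php_stripslashes(value):
    """PHP's stripslashes(): drop each backslash (a doubled backslash becomes
    one).  Applied to stored data it also eats backslashes that belong there."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            if i + 1 < len(value):
                out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs, not data from the thread's database.
    print(stored_value("that's entertainment", 1))   # that's entertainment
    print(stored_value("that's entertainment", 2))   # that\'s entertainment
    print(literal_is_intact("I'm Chris"))            # False
    path = stored_value("C:\\temp\\new", 1)          # column holds C:\temp\new
    print(php_stripslashes(path))                    # C:tempnew
```

Read with the thread in mind: a single escape stores the value without a backslash, so a stored that\'s means the value was escaped twice before it reached mysql_query(); the fix is to find and remove the extra pass (check what $_POST actually contains before escaping), not to strip slashes on output. Parameterised queries (mysqli or PDO prepared statements) sidestep the whole problem, since values are never spliced into the SQL text at all.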

