  #1 scm22ri, SitePoint Enthusiast (joined Dec 2007; 81 posts)

    PHP str_replace not working?

    Hi Everyone,

    I have a form on my website that allows a person to insert information. I'm trying to prevent a MySQL attack, so I decided to fix that by not allowing apostrophes into my MySQL database. I'm using the str_replace function.

    When a visitor enters information, this is the path the variable takes before entering my database, but for some reason apostrophes are being accepted into my database and I don't know why. Any help would be appreciated.

    PHP Code:
    $dealership = $_POST['dealership'];
    $dealership = mysql_real_escape_string($dealership);
    $dealership = stripslashes($dealership);
    $dealership = capitalize($dealership); // my own function
    $dealership = trim($dealership);
    $dealership = eregi_replace(",", "", $dealership);
    $dealership = str_replace("'", "", $dealership);
    What am I doing wrong here?
    Thanks everyone.

  #2 SpacePhoenix (Poole, UK; joined May 2007; 5,014 posts)
    You really need to be moving away from the use of the mysql_* extension and start using either the mysqli_* extension or PDO. Both the mysqli_* extension and PDO have prepared statements, which are a far better and safer way of guarding against SQL injection.

    You should still sanitize the incoming data: is it within the range of values expected, is a string within a range of lengths expected, is it of the type expected, etc.

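The dealership insert from this thread rewritten the way #2 recommends, as an added example (not code from the thread or from SitePoint): PDO prepared statements carry the values separately from the SQL text, so an apostrophe in a dealership name is ordinary data and nothing needs to be stripped. The DSN and credentials are placeholders, and the 5-digit zip and 10-digit phone formats are assumptions.

```php
<?php
// Added example (not the thread's code): the dealers insert done with
// PDO prepared statements. DSN and credentials are placeholders.
function db(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

// Validate shape and length, not characters: once the query is parameterised,
// the apostrophe in "O'Reilly Motors" is data, not an attack.
// 5-digit zip and 10-digit phone are assumed formats.
function validateDealer(array $in): array
{
    $errors = [];
    foreach (['dealership', 'address', 'state', 'city', 'zip', 'phone', 'website', 'email', 'name'] as $f) {
        if (trim($in[$f] ?? '') === '') { $errors[] = 'All fields with * are required.'; break; }
    }
    if (strlen($in['dealership'] ?? '') > 65) { $errors[] = 'Dealership name is too long.'; }
    if (!preg_match('/^\d{5}$/', $in['zip'] ?? '')) { $errors[] = 'Please enter a 5 digit zip code.'; }
    if (!preg_match('/^\d{10}$/', str_replace('-', '', $in['phone'] ?? ''))) { $errors[] = 'Please enter a 10 digit phone number.'; }
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) { $errors[] = 'Please enter a valid email.'; }
    return $errors;
}

function insertDealer(PDO $pdo, array $in): int
{
    // Named placeholders keep the values out of the SQL text; no escaping or quote stripping needed.
    $stmt = $pdo->prepare(
        'INSERT INTO dealers (dealership, address, state, city, zip, phone, website, email, name, time)
         VALUES (:dealership, :address, :state, :city, :zip, :phone, :website, :email, :name, NOW())'
    );
    $stmt->execute([
        ':dealership' => trim($in['dealership']), ':address' => trim($in['address']),
        ':state'      => $in['state'],            ':city'    => trim($in['city']),
        ':zip'        => $in['zip'],              ':phone'   => str_replace('-', '', $in['phone']),
        ':website'    => $in['website'],          ':email'   => $in['email'],
        ':name'       => $in['name'],
    ]);
    return (int) $pdo->lastInsertId();
}

// Escaping belongs at the output boundary: use e($x) when echoing a submitted value back into the form.
function e(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateDealer($_POST);
    foreach ($errors as $err) {
        echo e($err), '<br>';
    }
    if (!$errors) {
        insertDealer(db(), $_POST);
        echo 'Thanks for submitting your information.<br>';
    }
}
```

The optional social-profile columns from the thread's INSERT are left out for brevity; they bind the same way as the other fields.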
  #3 Jeff Mott (joined Jul 2009; 1,268 posts)
    The code snippet you posted actually works fine. Your real issue must be elsewhere in all the code you haven't shown us.

    As an aside, it's awfully odd to add slashes with mysql_real_escape_string, then strip them off in the very next line.
    "First make it work. Then make it better."

  #4 SitePoint Enthusiast (joined May 2011; 55 posts)
    Hello,

    I agree with @Jeff Mott. Please check whether there is any other insert statement in your code.
    PHP Programming: It's more than just writing code

  #5 scm22ri, SitePoint Enthusiast (joined Dec 2007; 81 posts)
    Quote Originally Posted by SpacePhoenix
    You really need to be moving away from the use of the mysql_* extension and start using either the mysqli_* extension or PDO. Both the mysqli_* extension and PDO have prepared statements, which are a far better and safer way of guarding against SQL injection.

    You should still sanitize the incoming data: is it within the range of values expected, is a string within a range of lengths expected, is it of the type expected, etc.
    Hi Everyone,

    Thanks for your replies. I appreciate them.

    Thanks SpacePhoenix for the tip. Quick question though: if I update this page with the mysqli_* extension, will I have to update every single page in my website with that same extension?

    Quote Originally Posted by Jeff Mott
    The code snippet you posted actually works fine. Your real issue must be elsewhere in all the code you haven't shown us.

    As an aside, it's awfully odd to add slashes with mysql_real_escape_string, then strip them off in the very next line.
    Hey Guys,

    Below is my syntax. This is the syntax behind the page. Not quite sure what I'm doing wrong here. What do you guys think?

    PHP Code:
    <?php
    if (isset($_POST['dealership'])) {
       $errors = array(); // collects validation messages shown to the visitor
       $dealership = $_POST['dealership'];
       $address = $_POST['address'];
       $state = $_POST['state'];
       $city = $_POST['city'];
       $zip = $_POST['zip'];
       $phone = $_POST['phone'];
       $website = $_POST['website'];
       $email = $_POST['email'];
       $name = $_POST['name'];
       
       $facebook = $_POST['facebook'];
       $twitter = $_POST['twitter'];
       $youtube = $_POST['youtube'];
       $google_plus = $_POST['google_plus'];
       $yelp = $_POST['yelp']; 
       $bbb = $_POST['bbb']; 
       $pinterest = $_POST['pinterest']; 
       
       $dealership = mysql_real_escape_string($dealership);
       $address = mysql_real_escape_string($address);
       $state = mysql_real_escape_string($state);
       $city = mysql_real_escape_string($city);
       $zip = mysql_real_escape_string($zip);  
       $phone = mysql_real_escape_string($phone);
       $website = mysql_real_escape_string($website);
       $email = mysql_real_escape_string($email);
       $name = mysql_real_escape_string($name);
       
       $facebook = mysql_real_escape_string($facebook);
       $twitter = mysql_real_escape_string($twitter);
       $youtube = mysql_real_escape_string($youtube);
       $google_plus = mysql_real_escape_string($google_plus);
       $yelp = mysql_real_escape_string($yelp); 
       $bbb = mysql_real_escape_string($bbb); 
       $pinterest = mysql_real_escape_string($pinterest); 
       
       $dealership = stripslashes($dealership);
       $state = stripslashes($state);
       $city = stripslashes($city);
       
       $dealership = capitalize($dealership);
       $state = capitalize($state);
       $city = capitalize($city);
       $name = capitalize($name); 
       $address = capitalize($address); 
       
       $address = trim($address);
       $dealership = trim($dealership);
       $city = trim($city);

       // $phone = eregi_replace("+1", "", $phone);
       // $dealership = eregi_replace("'", " ", $dealership);
       $city = eregi_replace("'", " ", $city);
       $dealership = eregi_replace(",", "", $dealership);
       $city = eregi_replace(",", "", $city);
       $website = eregi_replace("www.www.", "http://", $website);
       $website = eregi_replace("www.", "http://", $website);
       $website = eregi_replace("http://http://", "http://", $website);
       $phone = eregi_replace("-","",$phone);
       
       $dealership = str_replace("'", "", $dealership);
       $city = str_replace("'", "", $city);
       $address = str_replace("'", "", $address);

        if ( empty($dealership) || empty($address)  || empty($state) || empty($city) || empty($zip) || empty($phone) || empty($website) || empty($email) || empty($name) ){
            
             $errors[] = "All Fields With * Are Required!<br>";
            
            } else {
            
              if (strlen($dealership) > 65){
                $errors[] = 'Dealership name is too long. Shorten it'.'<br>'; 
              }
              
              if (strlen($state) > 65){
                $errors[] = 'State name too long. Shorten it'.'<br>';
              }
                
              if (!is_numeric($zip)){
                $errors[] = 'Please enter a zip code with only numbers.'.'<br>';
              } 
              
              if (strlen($zip) != 5) {
                $errors[] = 'Please enter a 5 digit zip code.'.'<br>';
              }    
              
              if (!is_numeric($phone)){
                $errors[] = 'Please enter a valid phone number'.'<br>';
              }
              
              if (filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE){
                $errors[] = 'Please enter a valid email.'.'<br>';
              }
              
            
            } 
            

            
            if(!empty($errors)){
              foreach ($errors as $error){
                echo "$error";
              }
            } else {
              
                $insert = ("INSERT INTO dealers (dealership, address, state, city, zip, phone, website, email, name, time, facebook, twitter, youtube, google_plus, yelp, pinterest, bbb) 
                VALUES ('$dealership','$address','$state','$city','$zip','$phone','$website','$email','$name', NOW(), '$facebook', '$twitter', '$youtube', '$google_plus', '$yelp', '$pinterest', '$bbb' )");
              
                mysql_query($insert);
              
                
                $email_2 = "myemail@yahoo.com";
                $to = $email_2;
                $from = "admin@mywebsite.com";
                $subject = "Another Dealership!";
                
                $city = $city;
                
                $message = '<html>
                 <body bgcolor="#FFFFFF">
                        You\'ve got another dealership! ' . $dealership . '
                        <br /><br />
                        Dealership: ' . $address . '
                        <br /><br />
                        State: ' . $state . '
                        <br /><br /> 
                        City: ' . $city . '
                        <br /><br /> 
                        Zip: ' . $zip . '
                        <br /><br /> 
                        Phone: ' . $phone . '
                        <br /><br />
                        Website: ' . $website . '
                        <br /><br />
                        E-Mail: ' . $email . '
                        <br /><br />
                        Person\'s Name: ' . $name . '
                        <br /><br />
                        Thanks! 
                 </body>
                 </html>';
                 
                $headers = "From: $from\r\n";
                $headers .= "Content-type: text/html\r\n";
                $to = "$to";
                mail($to, $subject, $message, $headers);
                
                
                ////////
                
                /* $email_2 = "myemail@yahoo.com";
                $to = $email_2;
                $from = "admin@mywebsite.com";
                $subject = "Another Dealership!";
                
                $city = $city;
                
                $message = '<html>
                 <body bgcolor="#FFFFFF">
                        You\'ve got another dealership! ' . $dealership . '
                        <br /><br />
                        Dealership: ' . $address . '
                        <br /><br />
                        State: ' . $state . '
                        <br /><br /> 
                        City: ' . $city . '
                        <br /><br /> 
                        Zip: ' . $zip . '
                        <br /><br /> 
                        Phone: ' . $phone . '
                        <br /><br />
                        Website: ' . $website . '
                        <br /><br />
                        E-Mail: ' . $email . '
                        <br /><br />
                        Person\'s Name: ' . $name . '
                        <br /><br />
                        Thanks! 
                 </body>
                 </html>';
                 
                $headers = "From: $from\r\n";
                $headers .= "Content-type: text/html\r\n";
                $to = "$to";
                mail($to, $subject, $message, $headers); */
                
                
                
                echo 'Thanks for submitting your information.<br /><br />'; 
              }
    }

    ?>


    <center><form action="add-carlot.php" method="POST">
            <table>
              <tr> 
                <td width="99">Dealership Name:*</td>
                <td width="112"> 
                  <input type="text" name="dealership" value="<?php echo "$dealership"?>" />
                </td>
              </tr>
              <tr> 
                <td width="99">Address:*</td>
                <td width="112"> 
                  <input type="text" name="address" value="<?php echo "$address"?>" />
                </td>
              </tr>
        <tr>
          <td>State:*</td>
          <td><select name="state"> <!-- a select has no value attribute; mark the matching option selected to re-display the choice -->
          <option value="Alabama">Alabama</option>
          <option value="Alaska">Alaska</option>  
          <option value="Arizona">Arizona</option>
          <option value="Arkansas">Arkansas</option>
          <option value="California">California</option>
          <option value="Colorado">Colorado</option>
          <option value="Connecticut">Connecticut</option>
          <option value="Delaware">Delaware</option>
          <option value="Florida">Florida</option>
          <option value="Georgia">Georgia</option>
          <option value="Hawaii">Hawaii</option>
          <option value="Idaho">Idaho</option>
          <option value="Illinois">Illinois</option>
          <option value="Indiana">Indiana</option>
          <option value="Iowa">Iowa</option>
          <option value="Kansas">Kansas</option>
          <option value="Kentucky">Kentucky</option>
          <option value="Louisiana">Louisiana</option>
          <option value="Maine">Maine</option>
          <option value="Maryland">Maryland</option>
          <option value="Massachusetts">Massachusetts</option>
          <option value="Michigan">Michigan</option>
          <option value="Minnesota">Minnesota</option>
          <option value="Mississippi">Mississippi</option>
          <option value="Missouri">Missouri</option>
          <option value="Montana">Montana</option>
          <option value="Nebraska">Nebraska</option>
          <option value="Nevada">Nevada</option>
          <option value="New Hampshire">New Hampshire</option>
          <option value="New Jersey">New Jersey</option>
          <option value="New Mexico">New Mexico</option>
          <option value="New York">New York</option>
          <option value="North Carolina">North Carolina</option>
          <option value="North Dakota">North Dakota</option>
          <option value="Ohio">Ohio</option>
          <option value="Oklahoma">Oklahoma</option>
          <option value="Oregon">Oregon</option>
          <option value="Pennsylvania">Pennsylvania</option>
          <option value="Rhode Island">Rhode Island</option>
          <option value="South Carolina">South Carolina</option>
          <option value="South Dakota">South Dakota</option>
          <option value="Tennessee">Tennessee</option>
          <option value="Texas">Texas</option>
          <option value="Utah">Utah</option>
          <option value="Vermont">Vermont</option>
          <option value="Virginia">Virginia</option>
          <option value="Washington">Washington</option>
          <option value="West Virginia">West Virginia</option>
          <option value="Wisconsin">Wisconsin</option>
          <option value="Wyoming">Wyoming</option>
          </select></td>
        </tr>
              <tr> 
                <td width="99">City:*</td>
                <td width="112"> 
                  <input type="text" name="city" value="<?php echo "$city"?>" />
                </td>
              </tr>
              <tr> 
                <td width="99">Zip:*</td>
                <td width="112"> 
                  <input type="text" name="zip" maxlength="5" value="<?php echo "$zip"?>" />
                </td>
              </tr>
              <tr> 
                <td width="99">Phone:*</td>
                <td width="112"> 
                  <input type="text" name="phone" value="<?php echo "$phone"?>" />
                </td>
              </tr>
              <tr> 
                <td width="99">Website:*</td>
                <td width="112"> 
                  <input type="text" name="website" value="<?php echo "$website"?>" />
                </td>
              </tr>
               <tr> 
                <td width="99">Email:*</td>
                <td width="112"> 
                  <input type="text" name="email" value="<?php echo "$email"?>" />
                </td>
              </tr> 
              <tr> 
                <td width="99">Facebook:</td>
                <td width="112"> 
                  <input type="text" name="facebook" value="<?php echo "$facebook"?>" />
                </td>
              </tr> 
              <tr> 
                <td width="99">Twitter:</td>
                <td width="112"> 
                  <input type="text" name="twitter" value="<?php echo "$twitter"?>" />
                </td>
              </tr> 
              <tr> 
                <td width="99">Youtube:</td>
                <td width="112"> 
                  <input type="text" name="youtube" value="<?php echo "$youtube"?>" />
                </td>
              </tr> 
              <tr> 
                <td width="99">Google+:</td>
                <td width="112"> 
                  <input type="text" name="google_plus" value="<?php echo "$google_plus"?>" />
                </td>
              </tr> 
              <tr> 
                <td width="99">Yelp:</td>
                <td width="112"> 
                  <input type="text" name="yelp" value="<?php echo "$yelp"?>" />
                </td>
              </tr> 
              <tr> 
                <td width="99">Pinterest:</td>
                <td width="112"> 
                  <input type="text" name="pinterest" value="<?php echo "$pinterest"?>" />
                </td>
              </tr> 
              <tr> 
                <td width="99">BBB:</td>
                <td width="112"> 
                  <input type="text" name="bbb" value="<?php echo "$bbb"?>" />
                </td>
              </tr> 
               <tr> 
                <td width="99">Your Name:*</td>
                <td width="112"> 
                 <input type="text" name="name" value="<?php echo "$name"?>" />
                </td>
              </tr>
              <tr> 
                <td width="99"> 
                  <input type="submit" name="submit" value="Submit">
                </td>
              </tr>
            </table>
          </form></center>

  #6 SpacePhoenix (Poole, UK; joined May 2007; 5,014 posts)
    Quote Originally Posted by scm22ri
    Thanks SpacePhoenix for the tip. Quick question though: if I update this page with the mysqli_* extension, will I have to update every single page in my website with that same extension?
    Yes, you'll have to update any script which currently uses the mysql_* extension.