Worked great! Thanks… there is one problem though. Now it always shows the error message… so somehow its executing the else without checking the if first.
I know a little about what you have done. Is there a chance you can just go over why you added the code you did. Just a quick overview of the changes will work for me. If you have to time. Thanks!
// Stripslashes
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
This statement checks to see if magic_quotes is turned on read more about it here. This function automatically adds slashed to data so we need to strip these slashes out first for the mysql_real_escape_string to work properly (i think) the next part:
if (!is_numeric($value)) {
$value = mysql_real_escape_string($value);
}
This checks to see if the data entered is total numeric if it is, it can’t be malicious so there is no need to escape it, if it contains other values such as single or double quote and other signs it escapes the data to make sure it does not interrupt the SQL.
If we put these together in a function we don’t have to write it out again and again for each peice of data so we make it a function.
function quote_smart($value)
{
// Stripslashes
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
// Quote if not integer
if (!is_numeric($value)) {
$value = mysql_real_escape_string($value);
}
return $value;
}
function quote_smart($value)
{
// Stripslashes
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
// Quote if not integer
if (!is_numeric($value)) {
$value = mysql_real_escape_string($value);
}
return $value;
}
One thing I noticed was that the quote_smart function is not being called. As far as I understand, for that function to work does it not need to be called?
Haha im an idiot… I looked over the code and didnt even see it. I guess I should have gone to be before 3… and not watched that crappy movie “XXX - State of the Union”. LOL Thanks again!
I always have my connection info in another php file that I include into all the pages.
dbconnect.inc.php:
<?php
//mysql user info
$sqlhost = "localhost";
$sqluser = "user";
$sqlpass = "password";
//try to contact database server using user info above
if (!$dbconnect = mysql_connect($sqlhost,$sqluser,$sqlpass)){
echo "There was an error connecting to the database. Please try again later.";
}
//select the required database on the mysql server
if (!mysql_select_db('merit1')){
echo "There was an error locating the requested database. Please try again later.";}
?>
You can hard code that into everypage or you can create a seperate page like I did and include it: