The Web Design Group

... Making the Web accessible to all.

> Apostrophe Problems
jamesjohnson88
post Apr 30 2009, 09:23 AM
Post #1


Newbie

Group: Members
Posts: 16
Joined: 31-March 09
Member No.: 8,202



Whenever a form is submitted to my DB, if it has an apostrophe in it my MySQL throws an error. This is the code -

QUOTE
$con = mysql_connect("localhost","u08105199","edited");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("u08105199", $con);
// Get values to insert.
$sql="INSERT INTO contactMe (FirstName, LastName, Age, Email, Comments)
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[age]','$_POST[email]','$_POST[comments]')";

if (!mysql_query($sql,$con)) //Function is called.
{ // IF statement to check for errors.
die('Error: ' . mysql_error()); // Error checking feedback.
}
else
{
echo ("Thank you, your comment has been added."); // Feedback message.
}
mysql_close($con);


I know I have to do something with escape strings but I just can't get my head around what parts of the code need changing.

Any help is appreciated.
Brian Chandler
post Apr 30 2009, 10:13 AM
Post #2


Jocular coder

Group: Members
Posts: 2,263
Joined: 31-August 06
Member No.: 43



http://jp2.php.net/manual/en/function.mysq...cape-string.php

Actually I use mysql_escape_string() but the "real" thing is supposed to be "better". You need to apply this to any input value that may include apostrophes (etc).

(As it stands, your script is totally open to SQL injection: I supply a comments field that starts

'); <...now I can write any SQL command I want to run on your server.

It is a much better approach _always_ to check input strings before letting them near your database.


--------------------
Brian Chandler
Nothing in this post constitutes "commercial solicitation". PayPal does not solicit residents of Japan. Contents may settle in transit. "Legal mind" may or may not be brain-damaged.
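An added example, not code from this thread, putting the query the first post builds next to a parameterised insert (the approach that replaces the mysql_* escaping functions, which were removed in PHP 7). It uses PDO with an in-memory SQLite database so it runs offline; the MySQL DSN, the table definition and the sample submission are assumptions.

```php
<?php
// Added example, not from the original thread: the query text the first post
// builds by interpolation, next to a parameterised insert. Uses PDO with an
// in-memory SQLite database so it runs offline; for the thread's MySQL setup
// change the DSN to 'mysql:host=localhost;dbname=u08105199' and the DDL types.

// The original pattern: form values are spliced straight into the SQL text.
function buildVulnerableInsert(array $post): string
{
    return "INSERT INTO contactMe (FirstName, LastName, Age, Email, Comments) VALUES "
         . "('{$post['firstname']}','{$post['lastname']}','{$post['age']}',"
         . "'{$post['email']}','{$post['comments']}')";
}

// Constructed submission: a legitimate apostrophe in the surname (the error the
// thread starts with) and a comments field shaped like Brian's payload.
$submission = [
    'firstname' => 'Mallory',
    'lastname'  => "O'Brien",
    'age'       => '30',
    'email'     => 'mallory@example.invalid',
    'comments'  => "x'); DELETE FROM contactMe; -- ",
];

// The apostrophe in O'Brien terminates the string literal early (the MySQL
// syntax error), and the comments value closes the VALUES list and appends a
// second statement of the attacker's choosing.
echo buildVulnerableInsert($submission), "\n";

// Parameterised insert: the SQL is sent with placeholders and the values are
// bound separately, so no value can alter the statement's structure.
function insertContact(PDO $db, array $post): int
{
    $stmt = $db->prepare(
        'INSERT INTO contactMe (FirstName, LastName, Age, Email, Comments) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([
        $post['firstname'], $post['lastname'], $post['age'], $post['email'], $post['comments'],
    ]);
    return (int) $db->lastInsertId();
}

function fetchContact(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT LastName, Comments FROM contactMe WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql also set PDO::ATTR_EMULATE_PREPARES to false so the server,
// not the client library, does the parameter binding.
$db->exec('CREATE TABLE contactMe (id INTEGER PRIMARY KEY, FirstName TEXT, LastName TEXT, Age INTEGER, Email TEXT, Comments TEXT)');

$id = insertContact($db, $submission);
// Both values are stored verbatim; the table still exists and holds one row.
var_dump(fetchContact($db, $id));
var_dump((int) $db->query('SELECT COUNT(*) FROM contactMe')->fetchColumn());
```

If you stay on the escaping route the thread takes, three things matter: mysql_real_escape_string() needs an open connection because it escapes according to the connection's character set (that is what makes it the "real" one), the escaped value must still be wrapped in quotes inside the SQL, and an unquoted value such as a numeric Age is not protected by escaping at all. Parameterised queries remove all three pitfalls.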
jamesjohnson88
post Apr 30 2009, 10:22 AM
Post #3


Newbie

Group: Members
Posts: 16
Joined: 31-March 09
Member No.: 8,202



Was told to try this -

//set variables
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$comments = mysql_real_escape_string($_POST['comments']);
// set query (note: five columns are listed but only three values are supplied)
$sql="INSERT INTO contactMe (FirstName, LastName, Age, Email, Comments)
VALUES ('$firstname', '$lastname', '$comments')";

Still not working for me.
jamesjohnson88
post Apr 30 2009, 10:39 AM
Post #4


Newbie

Group: Members
Posts: 16
Joined: 31-March 09
Member No.: 8,202



Got it working, thanks for the help.
geoffmerritt
post May 1 2009, 10:13 AM
Post #5


Member

Group: Members
Posts: 66
Joined: 23-December 08
From: Adelaide
Member No.: 7,394



QUOTE
Actually I use mysql_escape_string() but the "real" thing is supposed to be "better". You need to apply this to any input value that may include apostrophes (etc).

From what I have read, they do the same; the "real" one only works after you are logged into the db. So if you need to apply it to the value prior to logging into the db, mysql_escape_string() will be the only option.
QUOTE
It is a much better approach _always_ to check input strings before letting them near your database.

The code below will check the input, and if it doesn't match what you are expecting it will stop the script. The regular expressions can be tailored to suit your needs.
CODE
$input = isset($_POST['input']) ? $_POST['input'] : '';   // treat a missing field as empty rather than raising a notice

$inputpattern = '/^[0-9A-Za-z]+$/';   // allow-list: one or more ASCII letters or digits, nothing else

$errormessage = " field, has invalid information and needs to be changed.";

if (!preg_match($inputpattern, $input))   // preg_match takes the strings directly; no need to quote the variables
  {
  echo "Your Input $errormessage";
  exit();
  }

I always do a client-side and server-side check of the script, and it is wrong to assume that all the information will come from your website form.


--------------------
Carpe Diem

I mainly code in php, so my answers will have a html and php bias. www.caboosewebdesign.com.au
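An added example, not from the thread, that generalises the single-field preg_match check in the post above to all five contactMe fields named in the first post. The patterns, length limits and sample submissions are assumptions to adapt; only the field names come from the thread.

```php
<?php
// Added example, not from the original thread: server-side allow-list
// validation for the contactMe form. Field names are from the first post;
// the patterns and limits are assumptions.

const FIELD_RULES = [
    // Names: letters in any script, spaces, apostrophes and hyphens, 1-60 chars.
    // The apostrophe is deliberately allowed (O'Brien), so passing this check
    // does not make the SQL safe on its own; the insert still needs parameters.
    'firstname' => ['pattern' => '/^[\p{L} \'\-]{1,60}$/uD', 'required' => true],
    'lastname'  => ['pattern' => '/^[\p{L} \'\-]{1,60}$/uD', 'required' => true],
    // Age: one to three digits, no sign, no spaces.
    'age'       => ['pattern' => '/^[0-9]{1,3}$/D',           'required' => true],
    // Comments: free text, bounded by length rather than by a regex.
    'comments'  => ['maxlen'  => 2000,                        'required' => false],
];

// Returns an array of field => problem; an empty array means the submission passed.
function validateContact(array $post): array
{
    $errors = [];
    foreach (FIELD_RULES as $field => $rule) {
        // A missing key is treated as empty: the request need not come from our form.
        $value = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
        if ($value === '') {
            if ($rule['required']) {
                $errors[$field] = 'is required';
            }
            continue;
        }
        if (isset($rule['pattern']) && !preg_match($rule['pattern'], $value)) {
            $errors[$field] = 'has invalid information and needs to be changed';
        }
        if (isset($rule['maxlen']) && strlen($value) > $rule['maxlen']) {   // byte length; use mb_strlen for characters
            $errors[$field] = 'is too long';
        }
    }
    // Email: use PHP's built-in validator instead of a hand-written regex.
    $email = isset($post['email']) && is_string($post['email']) ? trim($post['email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'is not a valid address';
    }
    return $errors;
}

// Constructed submissions: one genuine, one with injection-shaped and oversized values.
$good = [
    'firstname' => 'James', 'lastname' => "O'Brien", 'age' => '21',
    'email' => 'james@example.invalid', 'comments' => "It's working, thanks!",
];
$bad = [
    'firstname' => 'Robert', 'lastname' => "'); DROP TABLE contactMe; --", 'age' => '21 OR 1=1',
    'email' => 'not-an-email', 'comments' => str_repeat('a', 3000),
];

var_dump(validateContact($good));   // empty array
var_dump(validateContact($bad));    // lastname, age, comments and email each reported

// Wiring it into the form handler from the first post:
foreach (validateContact($_POST) as $field => $problem) {
    echo "Your $field field $problem.\n";
}
if (validateContact($_POST) !== []) {
    exit();
}
```

The check runs before anything touches the database, as the post recommends, and it rejects whole classes of junk (non-numeric ages, oversized comments) that escaping alone would happily store. It is not a substitute for escaping or parameterising the insert: the name pattern admits exactly the apostrophe that broke the original query, so both layers are needed.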
