• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 240
  • Last Modified:

php query

hi,

i have the following fields and query:

$tffirstname  = addslashes($_POST['textfieldfirstname']);
$tflastname  = addslashes($_POST['textfieldlastname']);
$tfaddress  = addslashes($_POST['textfieldaddress']);
$tfid  = addslashes($_POST['textfieldid']);
$tfrem  = addslashes($_POST['textfieldrem']);

$sqlqueryinsertdeclined = "INSERT INTO TableDeclined (FirstName, LastName, Address, Identification, Remarks)VALUES('$tffirstname', '$tflastname', '$tfaddress', '$tfid', '$tfrem')";

but if for example one of the value has a --'s-- the query breaks. how can i solve this?
0
eaweb
Asked:
eaweb
  • 5
  • 5
  • 2
  • +2
1 Solution
 
RoonaanCommented:
Try:

$sqlqueryinsertdeclined = sprintf('INSERT INTO TableDeclined (FirstName, LastName, Address, Identification, Remarks) VALUES("%s","%s","%s","%s","%s")'
                                                ,mysql_real_escape_string($tffirstname)
                                                ,mysql_real_escape_string($tflastname)
                                                ,mysql_real_escape_string($tfaddress)
                                                ,mysql_real_escape_string($tfid)
                                                ,mysql_real_escape_string($tfrem)
                                        );

Kind regards

-r-
0
 
albuitraCommented:
Try with this
"INSERT INTO TableDeclined ( 
FirstName, 
LastName, 
Address, 
Identification, 
Remarks) VALUES 
('".$tffirstname."', 
'".$tflastname."', 
'".$tfaddress."', 
'".$tfid."', 
'".$tfrem."')";

Open in new window

0
 
FapikoCommented:
Try replacing addslashes with mysql_real_escape_string
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
soorajbCommented:
This is the correct idea: Use mysql_real_escape_string
0
 
eawebAuthor Commented:
i am using mssql
0
 
RoonaanCommented:
then try addslashes() instead.
0
 
eawebAuthor Commented:
but i am already using addslashes().
$tffirstname  = addslashes($_POST['textfieldfirstname']);
and i get an error when the field contains a string like "bob's"
i need something to prevent sql injections like mysql_real_escape_string and prevent errors for strings like "bob's"
0
 
RoonaanCommented:
I did some looking up (what I should have done). You can use this:

function mssql_real_escape_string($string) {
    return str_replace("'", "''", $string);
}

Then use mssql_real_escape_string where we proposed mysql_real_escape_string.
0
 
eawebAuthor Commented:
roonaan,

i am using

function mssql_real_escape_string($str)
      {
               $escape = "/([\x00\n\r\,\'\"\x1a])/ig";
               return str_replace($escape, "\$1", $str);

      }

$tfaddress  = mssql_real_escape_string($_POST['textfieldaddress']);

but still getting the same error if the field contains a string like "bob's "streets" 22". what is here the problem
0
 
RoonaanCommented:
The $escape is build to be used with preg_replace rather than str_replace. Try

function mssql_real_escape_string($str)
      {
               $escape = "/([\x00\n\r\,\'\"\x1a])/ig";
               return preg_replace($escape, "\$1", $str);

      }

But still, mssql doesn't use slashes for escaping, but duplicates its single quotes.
0
 
eawebAuthor Commented:
i get this error
preg_replace() [function.preg-replace]: No ending delimiter '/' found
0
 
RoonaanCommented:
I can't explain that one. The ending delimiter is in there and isn't escaped in any way. But still. mssql doesn't use slashes for escaping..
0
 
FapikoCommented:
Even though you are using mssql there is still a good chance that PHP was compiled with the mysql libraries, in which case you can still use the mysql_real_escape_string function.  As far as the No ending delimiter, that's a regular expression error. Try moving the / to the end of the regular expression.
0
 
eawebAuthor Commented:
i solved it this way:

function mssql_real_escape_string_symbol($str)
    {
            $escapeb = array ('`',"!","@","#","$","%","^","&","*","(",")","_","+","-","=","{","}","[","]","|",'\\',":",";",'"',"'","<",',',">",".","?","/",")");
            return str_replace($escapeb, " ", $str);
      }
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 5
  • 5
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now