Solved

php query

Posted on 2008-06-16
14
211 Views
Last Modified: 2013-12-12
hi,

i have the following fields and query:

$tffirstname  = addslashes($_POST['textfieldfirstname']);
$tflastname  = addslashes($_POST['textfieldlastname']);
$tfaddress  = addslashes($_POST['textfieldaddress']);
$tfid  = addslashes($_POST['textfieldid']);
$tfrem  = addslashes($_POST['textfieldrem']);

$sqlqueryinsertdeclined = "INSERT INTO TableDeclined (FirstName, LastName, Address, Identification, Remarks)VALUES('$tffirstname', '$tflastname', '$tfaddress', '$tfid', '$tfrem')";

but if for example one of the value has a --'s-- the query breaks. how can i solve this?
0
Comment
Question by:eaweb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
  • 2
  • +2
14 Comments
 
LVL 49

Expert Comment

by:Roonaan
ID: 21794868
Try:

$sqlqueryinsertdeclined = sprintf('INSERT INTO TableDeclined (FirstName, LastName, Address, Identification, Remarks) VALUES("%s","%s","%s","%s","%s")'
                                                ,mysql_real_escape_string($tffirstname)
                                                ,mysql_real_escape_string($tflastname)
                                                ,mysql_real_escape_string($tfaddress)
                                                ,mysql_real_escape_string($tfid)
                                                ,mysql_real_escape_string($tfrem)
                                        );

Kind regards

-r-
0
 
LVL 4

Expert Comment

by:albuitra
ID: 21794900
Try with this
"INSERT INTO TableDeclined ( 
FirstName, 
LastName, 
Address, 
Identification, 
Remarks) VALUES 
('".$tffirstname."', 
'".$tflastname."', 
'".$tfaddress."', 
'".$tfid."', 
'".$tfrem."')";

Open in new window

0
 
LVL 3

Expert Comment

by:Fapiko
ID: 21794959
Try replacing addslashes with mysql_real_escape_string
0
Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

 
LVL 1

Expert Comment

by:soorajb
ID: 21795174
This is the correct idea: Use mysql_real_escape_string
0
 

Author Comment

by:eaweb
ID: 21795934
i am using mssql
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21795960
then try addslashes() instead.
0
 

Author Comment

by:eaweb
ID: 21796080
but i am already using addslashes().
$tffirstname  = addslashes($_POST['textfieldfirstname']);
and i get an error when the field contains a string like "bob's"
i need something to prevent sql injections like mysql_real_escape_string and prevent errors for strings like "bob's"
0
 
LVL 49

Accepted Solution

by:
Roonaan earned 500 total points
ID: 21796175
I did some looking up (what I should have done). You can use this:

function mssql_real_escape_string($string) {
    return str_replace("'", "''", $string);
}

Then use mssql_real_escape_string where we proposed mysql_real_escape_string.
0
 

Author Comment

by:eaweb
ID: 21796307
roonaan,

i am using

function mssql_real_escape_string($str)
      {
               $escape = "/([\x00\n\r\,\'\"\x1a])/ig";
               return str_replace($escape, "\$1", $str);

      }

$tfaddress  = mssql_real_escape_string($_POST['textfieldaddress']);

but still getting the same error if the field contains a string like "bob's "streets" 22". what is here the problem
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21796333
The $escape is build to be used with preg_replace rather than str_replace. Try

function mssql_real_escape_string($str)
      {
               $escape = "/([\x00\n\r\,\'\"\x1a])/ig";
               return preg_replace($escape, "\$1", $str);

      }

But still, mssql doesn't use slashes for escaping, but duplicates its single quotes.
0
 

Author Comment

by:eaweb
ID: 21796465
i get this error
preg_replace() [function.preg-replace]: No ending delimiter '/' found
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21796534
I can't explain that one. The ending delimiter is in there and isn't escaped in any way. But still. mssql doesn't use slashes for escaping..
0
 
LVL 3

Expert Comment

by:Fapiko
ID: 21797171
Even though you are using mssql there is still a good chance that PHP was compiled with the mysql libraries, in which case you can still use the mysql_real_escape_string function.  As far as the No ending delimiter, that's a regular expression error. Try moving the / to the end of the regular expression.
0
 

Author Closing Comment

by:eaweb
ID: 31492402
i solved it this way:

function mssql_real_escape_string_symbol($str)
    {
            $escapeb = array ('`',"!","@","#","$","%","^","&","*","(",")","_","+","-","=","{","}","[","]","|",'\\',":",";",'"',"'","<",',',">",".","?","/",")");
            return str_replace($escapeb, " ", $str);
      }
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Generating table dynamically is the most common issue faced by php developers.... So it seems there is a need of an article that explains the basic concept of generating tables dynamically. It just requires a basic knowledge of html and little maths…
Things That Drive Us Nuts Have you noticed the use of the reCaptcha feature at EE and other web sites?  It wants you to read and retype something that looks like this. Insanity!  It's not EE's fault - that's just the way reCaptcha works.  But it i…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question