Solved

php query

Posted on 2008-06-16
14
195 Views
Last Modified: 2013-12-12
hi,

i have the following fields and query:

$tffirstname  = addslashes($_POST['textfieldfirstname']);
$tflastname  = addslashes($_POST['textfieldlastname']);
$tfaddress  = addslashes($_POST['textfieldaddress']);
$tfid  = addslashes($_POST['textfieldid']);
$tfrem  = addslashes($_POST['textfieldrem']);

$sqlqueryinsertdeclined = "INSERT INTO TableDeclined (FirstName, LastName, Address, Identification, Remarks)VALUES('$tffirstname', '$tflastname', '$tfaddress', '$tfid', '$tfrem')";

but if for example one of the value has a --'s-- the query breaks. how can i solve this?
0
Comment
Question by:eaweb
  • 5
  • 5
  • 2
  • +2
14 Comments
 
LVL 49

Expert Comment

by:Roonaan
ID: 21794868
Try:

$sqlqueryinsertdeclined = sprintf('INSERT INTO TableDeclined (FirstName, LastName, Address, Identification, Remarks) VALUES("%s","%s","%s","%s","%s")'
                                                ,mysql_real_escape_string($tffirstname)
                                                ,mysql_real_escape_string($tflastname)
                                                ,mysql_real_escape_string($tfaddress)
                                                ,mysql_real_escape_string($tfid)
                                                ,mysql_real_escape_string($tfrem)
                                        );

Kind regards

-r-
0
 
LVL 4

Expert Comment

by:albuitra
ID: 21794900
Try with this
"INSERT INTO TableDeclined ( 

FirstName, 

LastName, 

Address, 

Identification, 

Remarks) VALUES 

('".$tffirstname."', 

'".$tflastname."', 

'".$tfaddress."', 

'".$tfid."', 

'".$tfrem."')";

Open in new window

0
 
LVL 3

Expert Comment

by:Fapiko
ID: 21794959
Try replacing addslashes with mysql_real_escape_string
0
 
LVL 1

Expert Comment

by:soorajb
ID: 21795174
This is the correct idea: Use mysql_real_escape_string
0
 

Author Comment

by:eaweb
ID: 21795934
i am using mssql
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21795960
then try addslashes() instead.
0
 

Author Comment

by:eaweb
ID: 21796080
but i am already using addslashes().
$tffirstname  = addslashes($_POST['textfieldfirstname']);
and i get an error when the field contains a string like "bob's"
i need something to prevent sql injections like mysql_real_escape_string and prevent errors for strings like "bob's"
0
Easy Project Management (No User Manual Required)

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 49

Accepted Solution

by:
Roonaan earned 500 total points
ID: 21796175
I did some looking up (what I should have done). You can use this:

function mssql_real_escape_string($string) {
    return str_replace("'", "''", $string);
}

Then use mssql_real_escape_string where we proposed mysql_real_escape_string.
0
 

Author Comment

by:eaweb
ID: 21796307
roonaan,

i am using

function mssql_real_escape_string($str)
      {
               $escape = "/([\x00\n\r\,\'\"\x1a])/ig";
               return str_replace($escape, "\$1", $str);

      }

$tfaddress  = mssql_real_escape_string($_POST['textfieldaddress']);

but still getting the same error if the field contains a string like "bob's "streets" 22". what is here the problem
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21796333
The $escape is build to be used with preg_replace rather than str_replace. Try

function mssql_real_escape_string($str)
      {
               $escape = "/([\x00\n\r\,\'\"\x1a])/ig";
               return preg_replace($escape, "\$1", $str);

      }

But still, mssql doesn't use slashes for escaping, but duplicates its single quotes.
0
 

Author Comment

by:eaweb
ID: 21796465
i get this error
preg_replace() [function.preg-replace]: No ending delimiter '/' found
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21796534
I can't explain that one. The ending delimiter is in there and isn't escaped in any way. But still. mssql doesn't use slashes for escaping..
0
 
LVL 3

Expert Comment

by:Fapiko
ID: 21797171
Even though you are using mssql there is still a good chance that PHP was compiled with the mysql libraries, in which case you can still use the mysql_real_escape_string function.  As far as the No ending delimiter, that's a regular expression error. Try moving the / to the end of the regular expression.
0
 

Author Closing Comment

by:eaweb
ID: 31492402
i solved it this way:

function mssql_real_escape_string_symbol($str)
    {
            $escapeb = array ('`',"!","@","#","$","%","^","&","*","(",")","_","+","-","=","{","}","[","]","|",'\\',":",";",'"',"'","<",',',">",".","?","/",")");
            return str_replace($escapeb, " ", $str);
      }
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now