Solved

php query

Posted on 2008-06-16
14
204 Views
Last Modified: 2013-12-12
hi,

i have the following fields and query:

$tffirstname  = addslashes($_POST['textfieldfirstname']);
$tflastname  = addslashes($_POST['textfieldlastname']);
$tfaddress  = addslashes($_POST['textfieldaddress']);
$tfid  = addslashes($_POST['textfieldid']);
$tfrem  = addslashes($_POST['textfieldrem']);

$sqlqueryinsertdeclined = "INSERT INTO TableDeclined (FirstName, LastName, Address, Identification, Remarks)VALUES('$tffirstname', '$tflastname', '$tfaddress', '$tfid', '$tfrem')";

but if for example one of the value has a --'s-- the query breaks. how can i solve this?
0
Comment
Question by:eaweb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
  • 2
  • +2
14 Comments
 
LVL 49

Expert Comment

by:Roonaan
ID: 21794868
Try:

$sqlqueryinsertdeclined = sprintf('INSERT INTO TableDeclined (FirstName, LastName, Address, Identification, Remarks) VALUES("%s","%s","%s","%s","%s")'
                                                ,mysql_real_escape_string($tffirstname)
                                                ,mysql_real_escape_string($tflastname)
                                                ,mysql_real_escape_string($tfaddress)
                                                ,mysql_real_escape_string($tfid)
                                                ,mysql_real_escape_string($tfrem)
                                        );

Kind regards

-r-
0
 
LVL 4

Expert Comment

by:albuitra
ID: 21794900
Try with this
"INSERT INTO TableDeclined ( 
FirstName, 
LastName, 
Address, 
Identification, 
Remarks) VALUES 
('".$tffirstname."', 
'".$tflastname."', 
'".$tfaddress."', 
'".$tfid."', 
'".$tfrem."')";

Open in new window

0
 
LVL 3

Expert Comment

by:Fapiko
ID: 21794959
Try replacing addslashes with mysql_real_escape_string
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Expert Comment

by:soorajb
ID: 21795174
This is the correct idea: Use mysql_real_escape_string
0
 

Author Comment

by:eaweb
ID: 21795934
i am using mssql
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21795960
then try addslashes() instead.
0
 

Author Comment

by:eaweb
ID: 21796080
but i am already using addslashes().
$tffirstname  = addslashes($_POST['textfieldfirstname']);
and i get an error when the field contains a string like "bob's"
i need something to prevent sql injections like mysql_real_escape_string and prevent errors for strings like "bob's"
0
 
LVL 49

Accepted Solution

by:
Roonaan earned 500 total points
ID: 21796175
I did some looking up (what I should have done). You can use this:

function mssql_real_escape_string($string) {
    return str_replace("'", "''", $string);
}

Then use mssql_real_escape_string where we proposed mysql_real_escape_string.
0
 

Author Comment

by:eaweb
ID: 21796307
roonaan,

i am using

function mssql_real_escape_string($str)
      {
               $escape = "/([\x00\n\r\,\'\"\x1a])/ig";
               return str_replace($escape, "\$1", $str);

      }

$tfaddress  = mssql_real_escape_string($_POST['textfieldaddress']);

but still getting the same error if the field contains a string like "bob's "streets" 22". what is here the problem
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21796333
The $escape is build to be used with preg_replace rather than str_replace. Try

function mssql_real_escape_string($str)
      {
               $escape = "/([\x00\n\r\,\'\"\x1a])/ig";
               return preg_replace($escape, "\$1", $str);

      }

But still, mssql doesn't use slashes for escaping, but duplicates its single quotes.
0
 

Author Comment

by:eaweb
ID: 21796465
i get this error
preg_replace() [function.preg-replace]: No ending delimiter '/' found
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21796534
I can't explain that one. The ending delimiter is in there and isn't escaped in any way. But still. mssql doesn't use slashes for escaping..
0
 
LVL 3

Expert Comment

by:Fapiko
ID: 21797171
Even though you are using mssql there is still a good chance that PHP was compiled with the mysql libraries, in which case you can still use the mysql_real_escape_string function.  As far as the No ending delimiter, that's a regular expression error. Try moving the / to the end of the regular expression.
0
 

Author Closing Comment

by:eaweb
ID: 31492402
i solved it this way:

function mssql_real_escape_string_symbol($str)
    {
            $escapeb = array ('`',"!","@","#","$","%","^","&","*","(",")","_","+","-","=","{","}","[","]","|",'\\',":",";",'"',"'","<",',',">",".","?","/",")");
            return str_replace($escapeb, " ", $str);
      }
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How do I update select listbox after search 2 49
Find RGB colors from a screen. 2 39
geting data from the array list 6 36
Php variable to be sent back 3 33
Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
This article discusses four methods for overlaying images in a container on a web page
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question