Solved

php query

Posted on 2008-06-16
14
201 Views
Last Modified: 2013-12-12
hi,

i have the following fields and query:

$tffirstname  = addslashes($_POST['textfieldfirstname']);
$tflastname  = addslashes($_POST['textfieldlastname']);
$tfaddress  = addslashes($_POST['textfieldaddress']);
$tfid  = addslashes($_POST['textfieldid']);
$tfrem  = addslashes($_POST['textfieldrem']);

$sqlqueryinsertdeclined = "INSERT INTO TableDeclined (FirstName, LastName, Address, Identification, Remarks)VALUES('$tffirstname', '$tflastname', '$tfaddress', '$tfid', '$tfrem')";

but if for example one of the value has a --'s-- the query breaks. how can i solve this?
0
Comment
Question by:eaweb
  • 5
  • 5
  • 2
  • +2
14 Comments
 
LVL 49

Expert Comment

by:Roonaan
ID: 21794868
Try:

$sqlqueryinsertdeclined = sprintf('INSERT INTO TableDeclined (FirstName, LastName, Address, Identification, Remarks) VALUES("%s","%s","%s","%s","%s")'
                                                ,mysql_real_escape_string($tffirstname)
                                                ,mysql_real_escape_string($tflastname)
                                                ,mysql_real_escape_string($tfaddress)
                                                ,mysql_real_escape_string($tfid)
                                                ,mysql_real_escape_string($tfrem)
                                        );

Kind regards

-r-
0
 
LVL 4

Expert Comment

by:albuitra
ID: 21794900
Try with this
"INSERT INTO TableDeclined ( 
FirstName, 
LastName, 
Address, 
Identification, 
Remarks) VALUES 
('".$tffirstname."', 
'".$tflastname."', 
'".$tfaddress."', 
'".$tfid."', 
'".$tfrem."')";

Open in new window

0
 
LVL 3

Expert Comment

by:Fapiko
ID: 21794959
Try replacing addslashes with mysql_real_escape_string
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Expert Comment

by:soorajb
ID: 21795174
This is the correct idea: Use mysql_real_escape_string
0
 

Author Comment

by:eaweb
ID: 21795934
i am using mssql
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21795960
then try addslashes() instead.
0
 

Author Comment

by:eaweb
ID: 21796080
but i am already using addslashes().
$tffirstname  = addslashes($_POST['textfieldfirstname']);
and i get an error when the field contains a string like "bob's"
i need something to prevent sql injections like mysql_real_escape_string and prevent errors for strings like "bob's"
0
 
LVL 49

Accepted Solution

by:
Roonaan earned 500 total points
ID: 21796175
I did some looking up (what I should have done). You can use this:

function mssql_real_escape_string($string) {
    return str_replace("'", "''", $string);
}

Then use mssql_real_escape_string where we proposed mysql_real_escape_string.
0
 

Author Comment

by:eaweb
ID: 21796307
roonaan,

i am using

function mssql_real_escape_string($str)
      {
               $escape = "/([\x00\n\r\,\'\"\x1a])/ig";
               return str_replace($escape, "\$1", $str);

      }

$tfaddress  = mssql_real_escape_string($_POST['textfieldaddress']);

but still getting the same error if the field contains a string like "bob's "streets" 22". what is here the problem
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21796333
The $escape is build to be used with preg_replace rather than str_replace. Try

function mssql_real_escape_string($str)
      {
               $escape = "/([\x00\n\r\,\'\"\x1a])/ig";
               return preg_replace($escape, "\$1", $str);

      }

But still, mssql doesn't use slashes for escaping, but duplicates its single quotes.
0
 

Author Comment

by:eaweb
ID: 21796465
i get this error
preg_replace() [function.preg-replace]: No ending delimiter '/' found
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21796534
I can't explain that one. The ending delimiter is in there and isn't escaped in any way. But still. mssql doesn't use slashes for escaping..
0
 
LVL 3

Expert Comment

by:Fapiko
ID: 21797171
Even though you are using mssql there is still a good chance that PHP was compiled with the mysql libraries, in which case you can still use the mysql_real_escape_string function.  As far as the No ending delimiter, that's a regular expression error. Try moving the / to the end of the regular expression.
0
 

Author Closing Comment

by:eaweb
ID: 31492402
i solved it this way:

function mssql_real_escape_string_symbol($str)
    {
            $escapeb = array ('`',"!","@","#","$","%","^","&","*","(",")","_","+","-","=","{","}","[","]","|",'\\',":",";",'"',"'","<",',',">",".","?","/",")");
            return str_replace($escapeb, " ", $str);
      }
0

Featured Post

Secure Your Active Directory - April 20, 2017

Active Directory plays a critical role in your company’s IT infrastructure and keeping it secure in today’s hacker-infested world is a must.
Microsoft published 300+ pages of guidance, but who has the time, money, and resources to implement? Register now to find an easier way.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Log in through ID 5 35
Send email using HTML and PHP in separate file 5 36
PHP encrypted string and passing to a ASP Page 12 36
Convert php array to comma seperated list 19 31
Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
These days socially coordinated efforts have turned into a critical requirement for enterprises.
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question