• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 562

escape or remove all apostrophes before inserting into db

I have the following PHP script which works perfectly except when there is an apostrophe in the message that is to be inserted. In PHP, how do I either escape or remove all apostrophes before it inserts into the db table?
<?php
// Read the raw email from stdin (the script runs as a mail pipe).
$fd = fopen("php://stdin", "r");
$email = "";
while (!feof($fd)) {
    $email .= fread($fd, 1024);
}
fclose($fd);

// Handle email: split into lines for header/body processing.
$lines = explode("\n", $email);

// Empty vars
$from = "";
$subject = "";
$headers = "";
$message = "";
$splittingheaders = true;

for ($i = 0; $i < count($lines); $i++) {
    if ($splittingheaders) {
        // This is a header line.
        $headers .= $lines[$i] . "\n";
        // Look out for special headers.
        if (preg_match("/^Subject: (.*)/", $lines[$i], $matches)) {
            $subject = $matches[1];
        }
        if (preg_match("/^From: (.*)/", $lines[$i], $matches)) {
            $from = $matches[1];
        }
    } else {
        // Not a header, but message body.
        $message .= $lines[$i] . "\n";
    }

    if (trim($lines[$i]) == "") {
        // Empty line: header section has ended.
        $splittingheaders = false;
    }
}

// Find the MIME boundary, if any. The lookups are guarded so a plain-text
// mail without a boundary does not raise undefined-index notices.
preg_match("/boundary=\".*?\"/i", $headers, $boundary);
$boundaryfulltext = isset($boundary[0]) ? $boundary[0] : "";

if ($boundaryfulltext != "") {
    $find = array("/boundary=\"/i", "/\"/i");
    $boundarytext = preg_replace($find, "", $boundaryfulltext);
    $splitmessage = explode("--" . $boundarytext, $message);
    $fullmessage = isset($splitmessage[1]) ? ltrim($splitmessage[1]) : "";
    preg_match('/\n\n(.*)/is', $fullmessage, $splitmore);
    $firstpart = isset($splitmore[0]) ? $splitmore[0] : "";

    if (substr(ltrim($firstpart), 0, 2) == "--") {
        $actualmessage = $firstpart;
    } else {
        $actualmessage = ltrim($firstpart);
    }
} else {
    $actualmessage = ltrim($message);
}

// Strip trailing MIME parts and quoted-printable soft line breaks.
$clean = array("/\n--.*/is", "/=3D\n.*/s");
$cleanmessage = trim(preg_replace($clean, "", $actualmessage));

// Store email message to database
$con = mysql_connect("localhost", "username", "pwd");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}

mysql_select_db("domain_com", $con);

// Note: the raw $message (not $cleanmessage) is inserted here, and it is
// interpolated into the SQL string unescaped, which is why an apostrophe in
// the body breaks the query.
$sql = "INSERT INTO email_leads (message_field,sent) VALUES('$message','yes')";
$r = mysql_query($sql, $con);

// Hit the notification URL; close the handle if the open succeeded.
$fp = fopen("http://www.domain.com/chat/email.cfm", "r");
if ($fp) {
    fclose($fp);
}

return NULL;

?>


0
COwebmaster
Asked:
5 Solutions
 
Mohamed Abowarda (Software Engineer) commented:
You can remove any char from a string by using str_replace():

$str = str_replace("\"", '', $str);
$str = str_replace("'", '', $str);


0
 
kivan24 commented:
0
 
Mohamed Abowarda (Software Engineer) commented:
mysql_real_escape_string() requires a database connection to be used; you might want to consider using a method that doesn't require a database connection:
http://stackoverflow.com/questions/1162491/alternative-to-mysql-real-escape-string-without-connecting-to-db
0
 
COwebmaster (Author) commented:
kivan24, how would I add that line to my code?
0
 
Mohamed Abowarda (Software Engineer) commented:
If you want to use mysql_real_escape_string(), add the line before inserting the data into the database:

mysql_select_db("domain_com", $con);

$message = mysql_real_escape_string($message, $con);
$sql = "INSERT INTO email_leads (message_field,sent) VALUES('$message','yes')";


0
 
Mohamed Abowarda (Software Engineer) commented:
0
 
COwebmaster (Author) commented:
OK, that worked. Also, will doing that prevent SQL injection? And will that cover both single and double quotes?
0
 
Mohamed Abowarda (Software Engineer) commented:
@COwebmaster: Yes, it should prevent SQL injection according to the database's SQL syntax; however, I recommend you use a more secure way such as prepared statements, or a more secure method that uses some code plus mysql_real_escape_string().
0
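The contrast drawn in this thread between stripping quotes with str_replace(), escaping, and prepared statements, as an added example that is not code from the question or any of the answers. It assumes the pdo_sqlite extension and uses an in-memory SQLite database in place of the MySQL table so it runs offline; the table and column names follow the question's INSERT statement, and the sample email body is constructed.

```php
<?php
// Added example (not code from the question or the answers above).
// Assumes the pdo_sqlite extension; an in-memory SQLite database stands in
// for the MySQL table so the script runs offline. Table and column names
// follow the question's INSERT statement.

function createLeadsTable(PDO $db): void
{
    $db->exec(
        "CREATE TABLE email_leads (" .
        "id INTEGER PRIMARY KEY AUTOINCREMENT, " .
        "message_field TEXT NOT NULL, " .
        "sent TEXT NOT NULL)"
    );
}

// Approach 1: string interpolation, as in the question. An apostrophe in the
// message terminates the SQL literal early and the statement fails to parse.
// Returns the new row id, or null when the statement was rejected.
function insertByInterpolation(PDO $db, string $message): ?int
{
    try {
        $db->exec("INSERT INTO email_leads (message_field, sent) VALUES ('$message', 'yes')");
        return (int) $db->lastInsertId();
    } catch (PDOException $e) {
        return null;
    }
}

// Approach 2: a prepared statement. The message travels as a bound parameter,
// so quotes of either kind are stored as data and never reach the SQL parser.
function insertByPreparedStatement(PDO $db, string $message): int
{
    $stmt = $db->prepare(
        "INSERT INTO email_leads (message_field, sent) VALUES (:msg, 'yes')"
    );
    $stmt->execute([':msg' => $message]);
    return (int) $db->lastInsertId();
}

function fetchLead(PDO $db, int $id): ?string
{
    $stmt = $db->prepare("SELECT message_field FROM email_leads WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['message_field'];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createLeadsTable($db);

// Constructed sample body containing both a single and a double quote.
$sample = "Hi, I'm interested in the \"chat\" product.\nCall me at 555-0100.";

// Interpolated insert of the raw body: rejected because of the apostrophe,
// which is the failure the asker ran into.
$rawId = insertByInterpolation($db, $sample);

// str_replace() from the thread, then the same interpolated insert: the query
// now succeeds, but the stored text is no longer what the sender wrote.
$stripped = str_replace(array("'", "\""), '', $sample);
$strippedId = insertByInterpolation($db, $stripped);
$strippedIntact = ($strippedId !== null && fetchLead($db, $strippedId) === $sample);

// Prepared statement with the untouched body: stored exactly, no escaping
// or stripping required.
$exactId = insertByPreparedStatement($db, $sample);
$exactIntact = (fetchLead($db, $exactId) === $sample);

printf("raw interpolated insert accepted:   %s\n", $rawId !== null ? 'yes' : 'no');
printf("stripped message stored intact:     %s\n", $strippedIntact ? 'yes' : 'no');
printf("prepared statement stored intact:   %s\n", $exactIntact ? 'yes' : 'no');
```

Run it with `php example.php`. The interpolated insert of the raw body throws a PDOException (caught, reported as not accepted), the stripped copy inserts but no longer matches the original message, and the prepared statement stores the body byte-for-byte. The same prepare/execute pattern works unchanged against MySQL through PDO's mysql driver, which is the route to take in place of the removed mysql_* functions.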
 
COwebmaster (Author) commented:
OK, using your code to replace a single quote worked. What if I wanted to replace all double quotes?
0
 
Mohamed Abowarda (Software Engineer) commented:
This will replace double quotes:
$message = str_replace("\"", '', $message);


0
 
COwebmaster (Author) commented:
OK, great. Thank you!
0
 
Mohamed Abowarda (Software Engineer) commented:
You are welcome, glad to help :)
0
