PHP form data

I have the following text in a PHP form, which is working fine:

<input type="text" name="it_doc_location" id="it_doc_location" required placeholder="Where document is stored on the network" size="50" value=""/> (Required)

I need to set the value as "c:\xampp\documents" so that this is inserted into the database.
At the moment, if I add this as a value, the \ is not added - presumably because it is not allowed.
I will also need to be able to change this on the form with a link or button.
I am using PHP 5.5.9.
doctorbillTech Asked:

Dave Baldwin (Fixer of Problems) commented:
The '\' character is used as an 'escape' character in PHP strings, especially inside double quotes. To actually use '\' in a string, you usually have to double it to '\\'. More info here: http://php.net/manual/en/language.types.string.php
Dave Baldwin (Fixer of Problems) commented:
That brings up a question. How are you planning on accessing those files? If it's through your web browser, you should be aware that web browsers have very strict limits on accessing local files, such as with the 'file://' protocol. You can easily access files under the web root of a server with the 'http://' protocol.
doctorbillTech (Author) commented:
What about real_escape_string?

Olaf Doschke (Software Developer) commented:
The problem is not in the HTML nor in the transfer of the input. Presumably, you're constructing SQL and putting the input value in quotes. This allows SQL injection attacks, which is one big problem, and, as Dave explained, will not result in backslashes, as these mark the start of escape sequences. \d has no special meaning, but will likely simply be swallowed. \x would actually take the next two characters as a hexadecimal code, if they were in the range 0-9 or a-f; \xam does not qualify.

Anyway, use parameterized queries, please; then such input is also no problem. As a minimum security requirement, before you dive into learning parameterized queries, use http://php.net/manual/en/mysqli.real-escape-string.php to escape the input for the MySQL insert query.

Bye, Olaf.
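The handler script behind the form, as an added example that is not code from the thread: it contrasts the raw string interpolation that loses the backslashes (and is injectable) with mysqli escaping and with the prepared statement Olaf recommends. The connection credentials are placeholders, and the table admin(id, path) is assumed to exist as in Julian's test script.

```php
<?php
// Added example, not code from the thread: the handler script named in the
// form's action attribute. Connection details are placeholders and the table
// admin(id, path) is assumed to exist as in Julian's test script.
$conn = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($conn->connect_error) {
    die('Connection failed: ' . $conn->connect_error);
}

// Constructed sample input for $_POST['it_doc_location'] (single quotes keep backslashes literal).
$path = 'c:\xampp\documents';

// UNSAFE: pasting the raw value into the SQL text. MySQL decodes backslash
// escapes in string literals, so \x and \d lose their backslash and the row is
// stored as "c:xamppdocuments"; a quote in the value also breaks out of the literal.
function unsafe_insert_sql($path) {
    return "INSERT INTO admin (path) VALUES ('$path')";
}

// Minimum fix from the thread: escape for MySQL, which doubles each
// backslash so the literal decodes back to the original text.
function escaped_insert_sql(mysqli $conn, $path) {
    return "INSERT INTO admin (path) VALUES ('" . $conn->real_escape_string($path) . "')";
}

// Preferred fix: a prepared statement sends the value separately from the
// SQL text, so no escape decoding happens and injection is not possible.
function insert_path(mysqli $conn, $path) {
    $stmt = $conn->prepare('INSERT INTO admin (path) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $path);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Read the newest row back to confirm the stored value matches the input.
function last_stored_path(mysqli $conn) {
    $res = $conn->query('SELECT path FROM admin ORDER BY id DESC LIMIT 1');
    $row = $res ? $res->fetch_assoc() : null;
    return isset($row['path']) ? $row['path'] : null;
}

echo "Unsafe SQL text:  ", unsafe_insert_sql($path), "\n";
echo "Escaped SQL text: ", escaped_insert_sql($conn, $path), "\n";
insert_path($conn, $path);
echo "Stored value: ", last_stored_path($conn), "\n";
$conn->close();
```

The unsafe function only returns the SQL text for inspection and is never executed; the value that reaches the table comes from the prepared statement alone.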
Dave Baldwin (Fixer of Problems) commented:
'real_escape_string' is for MySQL. Your text has to make it through PHP processing first. More info here on mysqli_real_escape_string: http://php.net/manual/en/mysqli.real-escape-string.php
doctorbillTech (Author) commented:
So how do I write this in the form field?
Olaf Doschke (Software Developer) commented:
Nothing has to be changed in the form. You apply mysqli_real_escape_string on the data you get from the form, i.e. on $_GET['it_doc_location'], before saving that into the database.

Bye, Olaf.
Julian Hansen commented:
"I need to set the value as "c:\xampp\documents" so that this is inserted into the database"
Can you show us the code where you are trying to do the above?
doctorbillTech (Author) commented:
<input type="text" name="it_doc_location" id="it_doc_location" required placeholder="Where document is stored on the network" size="50" value="c:\xampp\documents"/> (Required)

The above code is trying to submit the value to the SQL database. I simply submit the form. If I use \\ instead of \ it works, but I am looking for an alternative solution.
Olaf Doschke (Software Developer) commented:
Again, the problem is not at the form level; it is in your PHP-side script, the script specified as the HTML form action. You need to act there, not here at the form. Depending on the form method, you'll act on either $_GET (which I suspected, as a form might post data and at the same time, in the next step, get a result HTML page) or $_POST. Anyway, what you need to act on is the PHP side.

Bye, Olaf.
Julian Hansen commented:
As Olaf says - why are you doing this at the form level? I can't see any benefit and many problems.

a) You are exposing your directory structure on your server.
b) The user can overwrite the path in the form.

Why does this have to be on the form? Just add it in the PHP.

Personally, I wouldn't even add it. I would make the database path virtual, so I can attach whatever prefix I want to the value from the DB to find the document. That way, if I decide to move the documents elsewhere, I don't have to touch the DB; I just change the prefix path in the retrieval script.
Olaf Doschke (Software Developer) commented:
Julian, if the whole topic is some administration tool, config options like that could be a topic.

But, @doctorbill, whatever it is you're submitting is coming through 1:1; the problem is when you take it as that and don't escape it before using it in MySQL inserts. This short sample doesn't do a MySQL insert, but does this preparatory step:

http://phpfiddle.org/main/code/9bs1-n9rp

It would still be better to use a parameterized SQL insert instead, but it's a good thing to sanitize all user input, and to do so for its intended use. You've got to learn a lot of topics before you sit down to write an administrative tool that configures a xampp installation.

If you want to store this as a value to use in further code, you know you can read out your web root folder via $_SERVER['DOCUMENT_ROOT']; you don't need to configure this or write code storing it in your site's database to retrieve it from there, if that's what you're doing, as the web root on your localhost development differs from your hosted site. $_SERVER['DOCUMENT_ROOT'] is the universal server variable to use for that.

Bye, Olaf.
Julian Hansen commented:
@Olaf,

Thanks - I misread the question - you are 100% right.

I don't see anything wrong with what he is doing - there should be no issue with inserting that value.

My test script
HTML
<form action="t3137.php" method="post">
  <input type="text" name="it_doc_location" id="it_doc_location" required placeholder="Where document is stored on the network" size="50" value=""/> (Required)
  <input type="submit" />
</form>

My PHP script
<?php
require_once('connection.php'); // provides $conn, a mysqli connection
$it_doc_location = isset($_POST['it_doc_location']) ? $_POST['it_doc_location'] : false;

if ($it_doc_location) {
  // Insert via a prepared statement: the value is bound as a parameter,
  // so it is stored exactly as submitted, backslashes included.
  $query = <<< QUERY
INSERT INTO admin (path) VALUES(?)
QUERY;
  $stmt = $conn->prepare($query);
  if ($stmt) {
    $stmt->bind_param("s", $it_doc_location);
    $stmt->execute();
    $stmt->close();
  }

  // Same again for an update of an existing row.
  $update = <<< UPDATE
  UPDATE admin SET path=? WHERE id=1
UPDATE;
  $stmt = $conn->prepare($update);
  if ($stmt) {
    $stmt->bind_param("s", $it_doc_location);
    $stmt->execute();
    $stmt->close();
  }
  echo "Success";
}
else {
  echo "Invalid parameters";
}

The above script does an insert and an update to test. No manipulation of the incoming data, which was set to
c:\xampp\documents

Both the new record was inserted correctly and the updated record contained the correct value.

I go back to my original question:
Can you show us the code where you are trying to do the above?
And I mean the PHP code that is retrieving the form value and attempting to insert it into the DB.
Olaf Doschke (Software Developer) commented:
I assume his PHP is creating an SQL string and not escaping the input; then you lose the backslashes. But the problem is not that they don't come over from the HTML form.

And I recommend the parameterized solution, too.

Bye, Olaf.
doctorbillTech (Author) commented:
Thanks, all.