Yes, I'm new to PHP coding.
I am trying to write php code to collect data from an HTML form
and then insert it into a mySQL db. However, whenever the user
inputs a single quote (as in: foobar's), the SQL statement is rejected.
I think that's because the variables that are sent over to mySQL do
so in single quotes and the single quote looks like the end of that
particular field assignment. mySQL then has a hiccup when it runs into that.
But, if users put backslashes in front of
the single quotes (in the HTML form), it works great and the record is inserted/updated fine.
However, if I can find a way for PHP to automatically input a backslash into the array generated by the user's actions wherever there is a single quote,
then the user won't have to worry about it.
My broken code is below.
Questions:
1) What am I doing wrong (other than trying to be a programmer ;-)?
2) What would you do?
3) Do you know of any other characters I should either: backslash due to possible errors like this
or strip out for security reasons? How would you recommend
I do this? I imagine I should probably backslash the backslash
character, just to be safe, but are there others too?
I have tried creating a function (see below) that accepts an array
as a parameter and then passes the "fixed" array back. But
it doesn't seem to be working.
Help!!!! I owe you one if you can offer any insight.
My non-working code:
function backslash_add ($array) {
    for ($array_key = 0; $array[$array_key]; $array_key++) {
        $cleaned_field = ereg("\\","\\\\",$array[$array_key]);
        $cleaned_field = ereg("\'","\\'",$array[$array_key]);
        // The echo below is just for debugging purposes
        echo $array[$array_key];
    }
    return($array);
}

// Then the function is called when an insert into the mySQL db
// is needed. The $arr_request array holds the key/value pairs
// from the HTTP post or get (whichever is used). This processing
// has already occurred by this point.
if ($arr_request['action'] == 'insert') {
    // Add backslashes via the backslash_add
    // function
    $arr_request = backslash_add ($arr_request);
    // after this the $arr_request array is sent to mySQL
    // and so on......
}
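One way to handle the quoting problem described above, as an added example that is not the original poster's code: instead of adding backslashes yourself, hand the values to the MySQL driver separately from the SQL text with a PDO prepared statement, so a quote or backslash in the input is always data and never part of the statement. The table name `entries`, its columns, and the connection details are assumptions.

```php
<?php
// Added example (not from the original post). Assumed: a table `entries`
// with string columns `name` and `comment`; adjust to your schema.
$dsn  = 'mysql:host=localhost;dbname=example;charset=utf8mb4'; // placeholder
$user = 'example_user';                                         // placeholder
$pass = 'example_password';                                     // placeholder

function insert_entry(PDO $db, array $request): int
{
    // Only these request keys are accepted; everything else is ignored,
    // and column names come from this list, never from the request.
    $fields = ['name', 'comment'];
    $params = [];
    foreach ($fields as $field) {
        if (!isset($request[$field]) || !is_string($request[$field])) {
            throw new InvalidArgumentException("missing or invalid field: $field");
        }
        $params[":$field"] = $request[$field];
    }

    // The SQL text contains only placeholders; the values travel separately,
    // so "foobar's" or "a\b" need no escaping at all.
    $sql = sprintf(
        'INSERT INTO entries (%s) VALUES (%s)',
        implode(', ', $fields),
        implode(', ', array_keys($params))
    );
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return (int) $db->lastInsertId();
}

$db = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // use real server-side prepares
]);

// Constructed sample request standing in for the parsed POST/GET data.
$arr_request = [
    'action'  => 'insert',
    'name'    => "foobar's",
    'comment' => 'path C:\\temp and a "double" quote',
];

if (($arr_request['action'] ?? '') === 'insert') {
    $id = insert_entry($db, $arr_request);
    echo "inserted row $id\n";
}
```

The whitelist of field names matters as much as the placeholders: binding protects the values, but anything interpolated into the SQL text (column names, ORDER BY, LIMIT) still has to come from your own code, not from the request.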