PHP Special characters

Anon

Ok, I am sarting to go nuts trying to figure this out.

I have an HTML form that inputs a text field from the user. It then takes this text field and puts it into a MySQL varchar field. Then it reads the varchar field and prints it.

Now everything is fine and dandy except for the special characters. I have tried various PHP functions like addslashes, stripsashes, and addcslashes but I can't get it to quite work.

For debugging purposes I have my form field echo its value on submission in PHP. The form action is $PHP_SELF. As expected, the special characters are preceded by a \ character, so ' is \'

Unfortunately, that is where it breaks... I don't know if it is a MySQL problem I am having or a PHP problem but I figured I would start here.

brandonschnell

1) what is the error message

2) post a simple example of the source that you're using.

Anon

Ok..

My form is as follows:
printf ("<form name=\"chatform\" method=\"get\" action=\"$PHP_SELF\">");
printf ("<input type=\"text\" size=\"50\" maxlength=\"140\" name=\"message_formvar\">");
printf ("<input type=\"submit\" name=\"submit_formvar\" value=\"Send Message\">");
printf("</form>");

In the same page I have:
if ((($submit_formvar) || ($message_formvar)) && ($message_formvar!=""))
.... I have a onliners queue that holds 20 rows. So when someone submits a oneliner, this if-then statement also reads the entire queue into a temporary array, appends the new one liner, and then goes through the entire array, one row at a time, and executes this:
$sql="INSERT INTO oneliners VALUES ('$message_formvar','$ses_uid')"; <--to be referenced as command 1 later on

$ses_uid is a session variable containing an integer representing the username.

Then I have another page display all the one liners simply by "SELECT oneliner FROM oneliners" and I go through the queue printing each row one at a time. Now, I have the display page autorefresh every 20 seconds so it displays a current list.

All standard characters are handled fine but the funky stuff breaks my code. If I have a one liner that is a single apostrophe, then everything is fine. However, the next one liner that is submitted causes my command 1 to give me SQL error number 1064 with the error mesage: You have an error in your SQL syntax near '''')' at line 1

I'm sure it is just because I am not formatting the text properly between PHP and MySQL but I cant figure out where to start. All the functions I tried haven't quite worked.

brandonschnell

echo out the sql command before running it so you can see exactly whats being sent to the db

are you calling addslashes() before tossing the variables into your INSERT command?

$message_formvar = addslashes($message_formvar);
$sql="INSERT INTO oneliners VALUES ('$message_formvar','$ses_uid')";

Anon

ok, i echoed out all my sql commands.

without addslashes and with:

$sql="INSERT INTO oneliners VALUES ('$message_formvar','$ses_uid')";
echo $sql;

if I put the letter a in the textfield named $message_formvar i get:
INSERT INTO chatqueue VALUES ('a','13')
so that is just fine

if i put in an apostrophe ' i get:
INSERT INTO chatqueue VALUES ('\'','13')

if I use an addslashes function on $message_formvar first:

$message_formvar=addslashes($message_formvar);
$sql="INSERT INTO oneliners VALUES ('$message_formvar','$ses_uid')";
echo $sql;

If I put in the letter a I get the same as before:
INSERT INTO chatqueue VALUES ('a','13')

If i put in a single apostrophe I get
INSERT INTO chatqueue VALUES ('\\'','13')

Anon

Ack.. my bad

I use the same structure for both a PHP oneline program and a chat program. I acidentally grabbed from both. Regardless my codes is exactly the same.

So when my previous post has the table name "chatqueue" consider it saying "oneliner".

Sorry for the confusion. Thats what I get for having too many editors open at once.

Anon

Brandon, thanks for your help. I didn't think abotu echoing out my SQL commands to see what they were sending. This is actually my first attempt at writing a program in PHP or MySQL.

I found the problem and it was elsewhere. It was in another page. After all the oneliners are put into the oneliner queue, I have another page that displays them. The display page reads in the queue, appends the new oneliner, and then rebuilds the queue table without the first one. The problem was when I was reading from the MySQL table I wasn't modifying the data at all, so I read a single apostrophe and it wasn't escaped. I added a line $message=addslashes($message) and that fixed everything.

Thanks for the assist.