Help Me please.... I'll Give u A Cookie!

Anon

im sorry for posting this message again but i still need help and kai's help was vague so if u could, could u change my code and paste the code with the changes please?? heres the message again...:

hi.. I need help.. I'm using phpMyGuestbook and it uses php and mysql databases... Well i got it all working but the problem is that when someone tries to sign it with an aposterphy ' it will not work... It has something to do with addslashes and stripslashes but i dont know much about php language. Im gonna copy and paste the php source on here and can u guys tell me what to put and where to put it... Or better yet just paste the whole thing so i can just copy and paste it and save it??? please help me... thanx... Heres the source..:

<?php

phpMyGB: A Free guestbook for your site.
Copyright (C) 2001 Mike Mullis

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

<?php require("./config.inc.php");

$sign_date = date ("l F d, Y h:i A");
if (isset($name) && // Insert values and confirm.
isset($email) &&
isset($url) &&
isset($comments)) {
mysql_connect("$db_host", "$db_user", "$db_pass") or die("Unable to connect to MySQL server");
$query = "INSERT INTO $db_table VALUES ('$name', '$location', '$email', '$icq', '$aim', '$yim', '$url', '$comments', '$sign_date', '$ID')";
$result = mysql_db_query("$db_base", $query);

if ($result) {
echo "<TABLE width=\"100%\" bgcolor=\"#e7e7e7\">";
echo "<TR>";
echo "<TD>";
echo "" .
"<center>Thanks $name <br>Your comments have been posted.";
echo "<A HREF=\"$gb_url/?time=(time())>\">" .
"";
echo "[Back to guestbook]</A></center>";
echo "</TD>";
echo "</TR>";
echo"</TABLE>";
}
} else { // If nothing is submitted, present form.
$signed = "true";
echo "<TABLE width=\"100%\" height=\"100%\" bgcolor=\"#e7e7e7\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">";
echo "<TR>";
echo "<TD>";
echo "<CENTER>";
echo "<FORM method=post action=$PHP_SELF>";
echo "<TABLE border=0 width=\"250\">";
echo "<TR>";
echo "<TD align=right>";
echo "Name: <INPUT type=text name='name'> <br>";
echo "Location: <INPUT type=text name='location'> <br>";
echo "Email:<INPUT type=text name='email'><br>";
echo "ICQ #:<INPUT type=text name='icq'><br>";
echo "AIM:<INPUT type=text name='aim'><br>";
echo "YIM:<INPUT type=text name='yim'><br>";
echo "http://<INPUT type=text name='url'> <br>";
echo "</TD>";
echo "</TR>";
echo "</TABLE><p></p>";
echo "Comments:<br>";
echo "<TEXTAREA name='comments' ROWS=10 COLS=40></TEXTAREA><br>";
echo "<INPUT type=hidden name='ID'>";
echo "<INPUT type=hidden name='sign_date'>";
echo "<INPUT type=submit>";
echo "</FORM>";
echo "</CENTER>";

}
?>

</TD>
</TR>
</TABLE>

</tr>
</td>
</table>

</tr>
</td>
</table>
</center>

</tr>
</td>
</table>

inlandpac

$query = "INSERT INTO $db_table VALUES ('$name', '$location', '$email', '$icq', '$aim', '$yim', '$url', '$comments', '$sign_date', '$ID')";

The line above can easily be modified to:

$query = "INSERT INTO $db_table VALUES ('".addslashes($name)."', '".addslashes($location)."', '".addslashes($email)."', '".addslashes($icq)."', '".addslashes($aim)."', '".addslashes($yim)."', '".addslashes($url)."', '".addslashes($comments)."', '".addslashes($sign_date)."', '".addslashes($ID)."')";

This adds a backslash '\' to all reserved characters such as " and ' to name just two.

' and " especially are treated as terminations so in the INSERT statement, the query would be terminated abnormally and an error would occur.

Hope this helps.

Anon

YAY THanx man your the coolest.. Heres ur cookie..

jcornett

You can use variable variables to do the same thing and not have to retype the addslashes in your query string for every variable:

/ This makes all POST type form input database safe /
Reset($HTTP_POST_VARS); // Change to $HTTP_GET_VARS if you need that instead
While(List($key, $val)=each($HTTP_POST_VARS)) {
$$key = addslashes($val);
}

Put this code at the top of any page that inserts data into a database via form input, and you'll know that it will be safe for insertion. Of course, if you have Magic Quotes turned on, that changes things. 🙂

JOhn Cornett

inlandpac

John,

Very true indeed. This is definitely another method, but can lose the level of control you might desire if you want to spit the data back to the user via a browser or even forms. you would have to reverse this, thus writing as more code than necessary.

This is by all means a wonderful way of ensuring slashes being added to data that won't be used for anything but inserting into a database.

jcornett

Well said, and I agree. 🙂

John Cornett

Anon

yes thankyou guys for the support but i need help with another thingy please read my other post... its entitled mysql database! text limits or something like that.. Thanx..