submssion problem

raffael3d

I made a form where a user can submit an entry for the database.
it works great, but always when the text includes tags like ', " or similar things it doesn't work.
what can I do? I want to make it work also if a user adds such tags.
when the user has such a tag in his text and the text is submitted nothing is entered into the database.

mmilano

can you post an example of your sql query?

piersk

It sounds like its taking the " and ' as ends to the quotes and so you are getting syntax errors.

Try using the addslashes() function. http://www.php.net/manual/en/function.addslashes.php gives details of how to use this.

raffael3d

ok here is my code. where do I have to place the code which replaces the tags?

<?
// checks if all the fields contain data

if (!$url) {
$Msg.="- Target URL ";
}
if (!$text) {
$Msg.="- News Text ";
}
if (!$title) {
$Msg.="- News Title ";
}
if (!$users_file) {
$Msg.="- Image ";
}
if ($Msg) {
echo "The data couldn't be submitted. You didn't insert data in the follwing fields: 
 
$Msg Go back back and try again";

}

else {

if (isset($users_file)) {
echo "Remote File Name: $users_file ";
echo "Local File Name: $users_file_name ";
echo "Local File Size: $users_file_size ";
if (isset($users_file_type)) {
echo "Local File Type: $users_file_type"; }

// Change $doc_directory to your 'DocumentRoot'.
$doc_directory = "/home/xsibase.com/www/";
$my_file = "news_images/" . time() . "_" . $users_file_name;
$copy_path = $doc_directory.$my_file;

if ($users_file != "none") {
if(!copy($users_file, $copy_path)) {
echo "File upload failed!"; }
else { ?>Upload Complete.
<? } }
else { echo "You must select a file to upload!"; ?>
<A HREF="<? echo $PHP_SELF; ?>">Back</A> to the Upload Form
<? } }

$username="x";
$password="x";
$database="x";

mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$query = "INSERT INTO news (picture_name,url,title,text) VALUES ('$my_file','$url','$title','$text')";

mysql_query($query);

mysql_close();
echo "<a href='http://xxx.net'> view result! </a>";

piersk

Originally posted by raffael3d
$query = "INSERT INTO news (picture_name,url,title,text) VALUES ('$my_file','$url','$title','$text')";

Add this just before the above code:

 
addslashes($my_file);
addslashes($url);
addslashes($title);
addslashes($text);

That SHOULD work.

raffael3d

thanks everybody
the solution is:

$url = addslashes($url);
$title = addslashes($title);
$text = addslashes($text);

jayant

actually you need to use addslashes() only if you have magic quotes off. If magic quotes are on, slashes get added automatically. and so if you add slashes , they get doubled.

KoshNaranek

Ohh... that are "magic quotes" 😉
I was wondering, why on my linux-box the "INSERT INTO.... VALUES('$a'.....) is working

"Wieder was gelernt" 😉

raffael3d

so far it works great. but here is another problem:

I made that a user can edit the content. now there not the whole content shows up. if the user add the text: tom's house it will be displayed correctly everywhere, except when he wants to edit it. in the edit page, where you have the text fields and the already inserted text is only shows: tom
the rest after the ' is missing. ok I added the following script to the page, what is wrong? I used stripslashes, but it doesn't work.

$result = mysql_query("select * from news where id=$choose");

$id = mysql_result($result, $i, "id");
$title = mysql_result($result, $i, "title");
$text = mysql_result($result, $i, "text");
$url = mysql_result($result, $i, "url");

$url = stripslashes($url);
$title = stripslashes($title);
$text = stripslashes($text);

then "echo" all the text fields etc.

jayant

Use echo htmlspecialchars($variable_name);

See documentation about htmlspecialchars() .

raffael3d

thanks! I tried it but didn't work. where and how do I have to place them in the code below? can you help? here is my code:

$result = mysql_query("select * from news where id=$choose");

$id = mysql_result($result, $i, "id");
$title = mysql_result($result, $i, "title");
$text = mysql_result($result, $i, "text");
$url = mysql_result($result, $i, "url");

$url = stripslashes($url);
$title = stripslashes($title);
$text = stripslashes($text);

........

echo "<input name='title' size='75' value='$title'>  Maximum 57 characters.";

jayant

either use:
$text = htmlspecialchars(stripslashes($text));
instead of
$text = stripslashes($text);

echo "<input name='title' size='75' value='".htmlspecialchars($title)."'>  Maximum 57 characters.";
instead of
echo "<input name='title' size='75' value='$title'>  Maximum 57 characters.";

raffael3d

thanks a lot! but........still not working. it still happens the same thing:
in the text where the ' appears the text stops.
but on the front page of the site it works perfectly. I tried several things, somethings even nothing appeared or like it is now, just the word before the ' in the text. sorry, but is there any other solution or cause for the problem?
thanks for all your help and input so far.

raffael3d

ok my code so far now is:

$result = mysql_query("select * from news where id=$choose");

$id = mysql_result($result, $i, "id");
$title = mysql_result($result, $i, "title");
$text = mysql_result($result, $i, "text");
$url = mysql_result($result, $i, "url");

$url = htmlspecialchars(stripslashes($url));
$title = htmlspecialchars(stripslashes($title));
$text = htmlspecialchars(stripslashes($text));

echo "<input name='title' size='75' value='".htmlspecialchars($title)."'>__Maximum 57 characters.";

piersk

Originally posted by raffael3d
ok my code so far now is:
$result = mysql_query("select from news where id=$choose");

try:

$result = mysql_query("select * from news where id='$choose'");

dannys

Originally posted by piersk
try:
$result = mysql_query("select * from news where id='$choose'");
[/B]

If id is defined as a numeric field then it shouldn't have quotes around it.

piersk

Originally posted by dannys

If id is defined as a numeric field then it shouldn't have quotes around it.

If it IS defined as a numeric field, then surely it still wouldnt hurt to have the quotes, would it?

dannys

It can cause harm in certain situations

Consider an example id field in a db - an int(8) Zerofill.

So an record might have the id of 00000001

my $id=1; (for whatever reason, maybe it's been munged by some data process)

$result = mysql_query("select * from news where id=$id");
//This will work

$result = mysql_query("select * from news where id='$id'"); 
//This won't as there are no records with an id of '1' only 00000001

Ok, so it may not happen very often - but when it does, it can be darn difficult to track down - and quoting ints certainly isn't going to have any beneficial effect.

raffael3d

no it's not a problem, I also tried it. the problem has nothing to do with the ID , but how it displays the data from mysql.

here is my code:

$id = mysql_result($result, $i, "id");
$title = mysql_result($result, $i, "title");
$text = mysql_result($result, $i, "text");
$url = mysql_result($result, $i, "url");

$url = htmlspecialchars(stripslashes($url));
$title = htmlspecialchars(stripslashes($title));
$text = htmlspecialchars(stripslashes($text));

echo "<input name='title' size='75' value='".htmlspecialchars($title)."'>__Maximum 57 characters.";

but in the text field content which has ' or " does not appear, why?

siwis

What purpose are your " and ' serving??????

unless the field contents are html (which requires the " char, you should ideally replace all "chars to "

$field = str_replace("\"", """, $field);

(Never quite worked out how to work the same magic on the apostophe!