I'm a little confused about when to use the addslashes function. What I need.... I've created a form to send text to a MySQL db and code to upload pictures to my webserver and send the URL to be stored in my database along with the other text in the form. Where I think I need addslashes is in the description (describing trailers): my end user needs to put feet and inches ' " for the trailer lengths. I know they could use full names, but they wouldn't be able to enter don't etc.

If I enter a \ before the special character (don\'t) it takes it fine, so I believe I'm on the right track.

Am I totally confused here? I know that I could put in validation that would tie the users' hands and make them NOT enter similar characters, but I don't want to. Here's the code that I've tried. If you have any info please let me know.

<?php
//The original script relied on register_globals to turn form fields into
//variables; read them explicitly from $_POST and $_FILES instead.
$TRAILER_ID   = isset($_POST['TRAILER_ID'])   ? $_POST['TRAILER_ID']   : '';
$TRAILER_TYPE = isset($_POST['TRAILER_TYPE']) ? $_POST['TRAILER_TYPE'] : '';
$MAKE         = isset($_POST['MAKE'])         ? $_POST['MAKE']         : '';
$MODEL        = isset($_POST['MODEL'])        ? $_POST['MODEL']        : '';
$DESCRIPTION  = isset($_POST['DESCRIPTION'])  ? $_POST['DESCRIPTION']  : '';
$PRICE        = isset($_POST['PRICE'])        ? $_POST['PRICE']        : '';

//Upload fields for <input type="file" name="photo">; basename() drops any
//directory part a browser might send, so the file can only land in photos/.
$photo      = isset($_FILES['photo']['tmp_name']) ? $_FILES['photo']['tmp_name'] : '';
$photo_name = isset($_FILES['photo']['name']) ? basename($_FILES['photo']['name']) : '';
$photo_size = isset($_FILES['photo']['size']) ? (int) $_FILES['photo']['size'] : 0;

echo ("<p>Name of photo you uploaded: " . htmlspecialchars($photo_name) . "</p>");
//echo ("<p>photo: $photo</p>");
echo ("<p>photo_size: $photo_size</p>");

//print "<p><center><a href=\"http://trailerworldok.com\">Click here to go back to the Home Page</a></center></p>";
//print "<p><center><a href=\"http://trailerworldok.com\">Click Here to add another Trailer</a></center></p>";

//Connect to the MySQL server
mysql_connect('localhost','****', '****');

//Select the database (the original called mysql_select_db() twice; once,
//with the error check, is enough)
if (! @mysql_select_db("q302") ) {
echo( "<p>Unable to locate the q302 " .
"database at this time.</p>" );
exit();
}

//checks if the input is filled. could use $photo != "none".
if($photo_size){

//Checks for file type:
$ext=substr($photo_name,-4);

//strcasecmp used for .jpg <> .JPG. It returns 0 when the strings match, so
//the original "if (strcasecmp(...) || ...)" was true for every extension;
//each result has to be compared against 0.
if (strcasecmp($ext,".jpg") == 0 || strcasecmp($ext,".gif") == 0 || strcasecmp($ext,".bmp") == 0){

//Saving the photo (stop if it cannot be saved, so $photoFile is never
//stored for a file that does not exist):
$photoFile = "photos/$photo_name";
if(is_uploaded_file($photo) && move_uploaded_file($photo, $photoFile)){
echo "picture uploaded to " . htmlspecialchars($photoFile);
} else {
die("could not save the uploaded file");
}

//Escape every value that is pasted into the SQL string, not only the
//description. The original used addslashes(), which does handle ' and ";
//mysql_real_escape_string() is the mysql extension's own escaping function
//and also knows the connection's character set.
$TRAILER_ID   = mysql_real_escape_string($TRAILER_ID);
$TRAILER_TYPE = mysql_real_escape_string($TRAILER_TYPE);
$MAKE         = mysql_real_escape_string($MAKE);
$MODEL        = mysql_real_escape_string($MODEL);
$DESCRIPTION  = mysql_real_escape_string($DESCRIPTION);
$PRICE        = mysql_real_escape_string($PRICE);
$photoFile    = mysql_real_escape_string($photoFile);

//----------------------
$sql = "INSERT INTO trailerworldok SET
trailer_id = '$TRAILER_ID',
trailer_type = '$TRAILER_TYPE',
make = '$MAKE',
model = '$MODEL',
description = '$DESCRIPTION',
price = '$PRICE',
photo_file ='http://trailerworldok.com/$photoFile'";
//The original tested "@($sql)", which only checks that the string is
//non-empty and never runs the query; mysql_query() actually sends it.
if (@mysql_query($sql)) {
echo("<p>Your pic link has been added to the database.</p>");
echo("<p><a href=\"http://trailerworldok.com\">Click here to go back to the Home Page</a></p>");
echo("<p><a href=\"http://trailerworldok.com/inv/tw_upload.html\">Click Here to add another Trailer</a></p>");
} else {
echo("<p>Error adding submitted trailer: " .
htmlspecialchars(mysql_error()) . "</p>");
}

//-----------------------

}

//error msg, non valid extension:
else
die("file type non valid, use .jpg, .gif or .bmp");
}

//the HTML form <input type="hidden" name="MAX_FILE_SIZE" value="2000000">
//makes PHP set $photo_size to 0 if the file is larger than 2,000,000 bytes
//(about 2 MB; the original message said 200k)
else if($photo_name != "" && $photo_size == "0")
die("size file must be smaller than 2 MB");

else
echo "no file selected";

?>

    And where is the problem?
    Can't you run the script with addslashes??
    There is another function, htmlspecialchars(), which does the same thing as addslashes, but includes all other "dangerous" chars like "<, &, >" etc.

      Well, the problem is that even though I have the addslashes function assigned to my description on the form, if I enter we'll or don't or anything with ' or " it will not allow it???? That's my question: am I using it wrong?

      Thanks for the reply. This forum is great!

        What you have done is right: adding addslashes() before inserting the value into the database avoids problems, but besides that, it's better to use htmlspecialchars, so that the HTML tags, which are the value you want to insert into the db, won't be interpreted as HTML tags.
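The two functions discussed in this thread escape for different layers, and the difference is easiest to see by running a description through both. The script below is an added example, not code from this thread: it stores a description containing ' and " with a bound parameter, reads it back unchanged, and only applies htmlspecialchars() at output time. It uses an in-memory SQLite database through PDO so it runs offline; the table and column names mirror the poster's INSERT and are assumed, and the description text is a constructed sample.

```php
<?php
// Added example (not from this thread). It stores a description containing
// ' and " and then displays it, escaping for the layer the value crosses:
// a bound parameter for SQL, htmlspecialchars() for HTML. It uses an
// in-memory SQLite database through PDO so it runs offline; the table and
// column names mirror the poster's schema (assumed, not the real table).

// Constructed sample input, the kind of text the poster wants to store.
$description = "6' x 12\" tandem axle, don't miss it, <b>reduced</b>";

// What addslashes() does: it only prepends backslashes to ' " \ and NUL.
// The result is meant to be pasted into a quoted SQL literal; it must never
// be stored or displayed as-is, or the backslashes end up in the data.
$escaped = addslashes($description);
echo "addslashes() output: $escaped\n";

// Prepared statement: the value travels as a parameter, separate from the
// SQL text, so no escaping of quotes is needed and none can be forgotten.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE trailerworldok (trailer_id TEXT, description TEXT)");

$insert = $db->prepare(
    "INSERT INTO trailerworldok (trailer_id, description) VALUES (:id, :desc)"
);
$insert->execute([':id' => 'T-100', ':desc' => $description]);

// Reading it back shows the quotes stored exactly as typed, no backslashes.
$select = $db->prepare("SELECT description FROM trailerworldok WHERE trailer_id = :id");
$select->execute([':id' => 'T-100']);
$stored = $select->fetchColumn();
echo "stored in the database: $stored\n";
echo ($stored === $description) ? "round trip intact\n" : "round trip changed the value\n";

// htmlspecialchars() belongs at output time, when the stored value is echoed
// into a page: it turns < > & ' " into entities so the browser shows them as
// text instead of treating <b> as markup. It is not a substitute for SQL
// escaping and should not be applied before the INSERT.
echo "for the HTML page: " . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "\n";
```

Run it with `php example.php`; it needs the pdo_sqlite driver, which most PHP builds include. For the legacy mysql_* API used in the thread, mysql_real_escape_string() was the escaping function matched to the connection; that extension was removed in PHP 7.0, and current code uses PDO or mysqli prepared statements as above, which also removes the need to escape the other fields (trailer_id, make, model, price) that the posted script interpolates unescaped.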
