stripping unwanted characters

nobertos

i am trying to figure out how to strip unwanted characters so that my db queries (inserts and selects) won't get messed up and information will show up properly in my forms.

i have forms on the site i am developing. these forms enter data into the db and also get populated by data from the db. i need a way to provide data integrity.

originally, when something like:

"fred's house"

is submitted by a form, it is saved in the db as fred\'s house. then on an "update" form, the information would be shown as fred\'s house (i think).

so now i use this function on all my POST variables:

$release_date = anti_slash($_POST['release_date']);

function anti_slash($strValue) {
if ($strValue != "") {
$strValue = stripslashes($strValue);
$strValue = str_replace("\"", "", $strValue); }
return $strValue;
}

this doesn't work though, my query now includes the ' in fred's house and the query doesn't have the ' escaped.

what is a fullproof method for dealing with " and ' characters or any others that can mess up your queries?

I have MySQL 4.0.14, Apache/1.3.28 (Unix) mod_throttle/3.1.2 PHP/4.3.4RC1 mod_ssl/2.8.15 OpenSSL/0.9.7a on FreeBSD.

I am also going to need it to work on another server with MySQL 3.23.51, Apache/1.3.26 (Unix) PHP/4.3.4 on Solaris 8.

chris

Drakla

Hiya mate - I keep reading peoples' threads and think "I've just done that!"

Ok basically when you get the data from the forms you have to know whether on your server magic_quotes_gpc is set, if it is then data from forms will have slashes in it. But - data with slashes can be inserted straight into MySQL without you having to escape it. So basically your first check would be for that. Then you have to make sure they haven't thrown anything in with <> type brackets in it, as when you echo it back out to a html page it'll get interpreted as a tag so shove htmlspecialchars into the mix. You can now just echo the data straight to the browser, including form fields and it'll be fine.

if( !get_magic_quotes_gpc() )		
    $catname=mysql_escape_string($catname);

$catname=trim( htmlspecialchars($catname) );

Edit: Oh - then of course you do your insert after that

nobertos

thanks!

i do have magic_quotes_gpc on

so you do both

mysql_escape_string($foo);

and

$foo = trim( htmlspecialchars($foo) );

right before an insert or update call to the database is made, right?

i actually have an 'enter information' form that collects data, POSTs it to a 'success' page where the database calls are made.

my form also acts as a 'change information' page. it has error checking for various fields, etc.

i am trying to figure out where i need to place the code that deals with cleansing the data (both for selection of data for presentation on the form and inserts and updates to the db)

chris

Drakla

Hi - you don't have to do the mysql_escape_string if magic quotes is on, because basically mysql_escape_string does just the same thing as addslashes - and being as gpc is already on you don't need to do that with data you've just received... with slashes.

That's why the not (!) is before the get_magic_quotes_gpc() - only add them if it's not set. The other system you're putting your code in might not have it set, so I put it in to make the code portable.

Phwew, that felt like a gobful, hope it isn't gibberish.