article script

teenlife_org_uk

I am making my own article script at the minute, it's the first thing I have tried to write in php (have no other previous coding experience either), and I had over looked something. When someone enters ' or " or all of those things that cause problems when they are tried to be passed through the sql query, they get messed up. How can I get these to be made into a form that they do not interfere with the upload, and then if required, how do i revert them back when downloaded from the database so that they are viewed correctly in the browser?

swr

Suppose you have a variable called $foo that may contain various SQL-like stuff. Do this:

$foo = mysql_escape_string($foo);
mysql_query("select * from table where foo = '$foo'");

You'll note there are single quotes around $foo in the SQL query. This tells MySQL where the string starts and ends.

The [man]mysql_escape_string/man bit handles single-quotes inside the string itself, prefixing them with backslashes. That way if you have a string like "isn't" then your query will look like this:

select * from table where foo = 'isn\'t'

The backslash lets MySQL know that the quote that follows is part of the string, not the end of it.

You may already have backslashes in the string, if the "magic quotes gpc" setting is enabled (it is by default).

I prefer to turn off magic quotes, and then use a database abstraction layer that supports placeholders (I use my own, though PEAR does support placeholders).

It you don't do it right, it is actually a security vulnerability. Google for "sql injection" for more info.

teenlife_org_uk

When I then strip this from the database and echo it, do i need to do anything else with it?

teenlife_org_uk

maybe if you have a look at teenlife and use the username test and password demo you will see what is going wrong. Go ahead and try to send an article through it.

first of all the article gets posted, using a form, then previewed but nothing should be being done to the article, but it appears to be, then posted onto the submit part, then I am just using a simple sql query to insert it into my database and the variables which were posted to the page are echoed.

teenlife_org_uk

Thanks for the help there, that got me sorted out, found another little thing I had done wrong in my script. Got it all working now, just going to heed that advice and make my script a little more secure from those attacks.

Thanks
David