addslash nightmares, echo works but not on insert?

darthmahon

Hey,

Ok have a form that addslashes to all post variables sent before they get added to the database.

Here is the code for the form:

<?
// form not yet submitted
if (!isset($_POST['submit'])) {

?>

<form name="form" action="<? echo $PHP_SELF; ?>?module=<? echo $module; ?>&section=<? echo $section; ?>" method="POST">

<p>Name of Category: <Input name="name" size="40"></p>

<input type="Submit" name="submit" value="Submit" class="formsubmit">		

</form>

<? } else {

// get form values
if (!get_magic_quotes_gpc()) {

	// addslashes to all variables if magic quotes disabled
	check_gpc(addslash);

}

// get form values
$name = $_POST['name'];

if (!$name) { $errorList[$count] ='Please enter a name'; $count++; }

// Check to see if category name has already been used before
$sql = "SELECT COUNT(*) FROM tbl WHERE fld_name='$name'";
$result = mysql_query($sql) or die 
//("Error in query: $sql. " .mysql_error())
("There has been an error with your request, please try again later.")
;

// duplicates found
if (mysql_result($result,0,0)>0)
{

	$errorList[$count] ='A category with the same name has already been added, please try another.';
	$count++;

}

// no errors
if (sizeof($errorList) == 0)
{
		// no duplicates, insert data
		if (mysql_result($result,0,0)<=0) {

			$sql = "INSERT INTO tbl SET 
			fld_id='',
			fld_name='$name'";
			$result = mysql_query($sql) or die 
			//("Error in query: $sql. " .mysql_error())
			("There has been an error with your request, please try again later.")
			;

			echo "<p><strong>Category added succesfully. <a href=\"?module=" .$module. "&section=" .$section. "\">Would you like to add another?</a></strong></p>";

		}

// errors found
} else if (sizeof($errorList) > 0)

	{

		// errors occurred
		// print as list
		echo "<p><strong>The following information needs reviewing: </strong></p>";
		echo "<ul>";
		for ($x=0; $x<sizeof($errorList); $x++)
		{
			echo "<li>$errorList[$x]";
		}
		echo "</ul>";
		echo "<p><strong>Please go back and <a href=javascript:history.go(-1) class=\"button\">try again</a></strong></p>";

	}

} // end submitted 
?>

Here is the code for the addslashes function called "check_gpc":

// addslashes function called in check_gpc
function addslash($v) {
	return is_array($v) ? array_map('addslash', $v) : addslashes($v);
}

// call function to all arrays
function check_gpc($type) {
	foreach (array('POST', 'GET', 'REQUEST', 'COOKIE') as $gpc)
	$GLOBALS["_$gpc"] = array_map($type, $GLOBALS["_$gpc"]);
}

Now if I put in the folling to the name box: Chris O'Hara...

In the database I just get Chris O'Hara - BUT, if I echo $_POST['name'] I get Chris O\'Hara?????

Why is it not going in like that into the database? I'm totally baffled...

Any ideas?

Cheers,
Chris

devinemke

Originally posted by darthmahon
Now if I put in the folling to the name box: Chris O'Hara...

In the database I just get Chris O'Hara - BUT, if I echo $_POST['name'] I get Chris O\'Hara?????

Why is it not going in like that into the database? I'm totally baffled...

the whole point of adding slashes to Chris O'Hara to get Chris O\'Hara is so that it goes into the database as Chris O'Hara (without the slash).

darthmahon

Ahhh ok - so am I doing the correct thing? I'm just trying to make sure I am protecting my database from SQL Injection etc...