getting rid of these quotes

letsgo77

Hey guys,

It seems simple what I am trying to do, but the quotes keep interfering. I know there are easier ways to accomplish what I'm trying to do, but just trying to learn.

Here is a simple query:
$query = "update users set images=\"$POST[images]\", hidden=\"$POST[hidden]\" where id=$id";

I want to input the fields so the query becomes:
update users set images="1", hidden="0", is_admin="1" where id=$id";

The info is input by an html form:
images= 1
hidden= 0", is_admin = "1

when I put quotes into the html form, it automatically adds the slashes. How to get around this? Should I input it differently?

bpat1434

What do you mean?

Do you mean that when you output it you get:
\"1\"

Or, do you mean that the quotes break your SQL syntax?

When I do SQL stuff, I usually use this syntax (using your example as a model):

$query = 'update users set images="'.$_POST[images].'", hidden="'.$_POST[hidden].'" where id=$id';

It's just a suggestion. If you're having problems with slashes, try implementing:

stripslashes()

~Brett

letsgo77

Brett,

Thanks for your help. A friend was trying to prove to me someone could easily do a sql injection on this sql statement. I tried to use the stripslashes on the html form input, but it still showed the . Is there anyway possible that someone could input something on the input for $_POST[hidden] where it will also update a field called is_admin if the $query was like I had it originally? Sorry if this is difficult to understand. It is very hard to articulate. I know I can easily change the $query, but I've been racking my brain out how someone would do that by posting info to the script.

liquorvicar

your friend is correct, using $POST data directly in an SQL query could be dangerous.
why don't you try something like this:

$images = intval($_POST['images']);
$hidden = intval($_POST['hidden']);
$query = "update users set images='$images', hidden='$hidden' where id='$id'";

laserlight

It seems simple what I am trying to do, but the quotes keep interfering.

That's probably because the magic_quotes_gpc setting in php.ini is on, causing your get/post/cookie data to be escaped before entering your script.
This is a Good Thing here since it makes SQL injection more difficult, but unfortunately for certain database systems escaping with backslashes may not work.