' Problem.

Magneto

Form Parser:

<?php
    $name = $_POST[name];
    $description = $_POST[description];
    $download = $_POST[download];
    $author = $_POST[author];
    $category = 1;

mysql_connect($dbhost,$dbuser,$dbpass) or die($error[dbserver]);
mysql_select_db($jkdb) or die($error[db]);

$query = "INSERT INTO files VALUES ('', '$name', '$description', '$download', '$author', $category);";

mysql_query($query) or die($error[fileadd]);

mysql_close();
?>

OK guys, I'm having a bit of trouble using ' in forms. If I include ' in any form input type, the script dies here:

mysql_query($query) or die($error[fileadd]);

I know this is because ' interferes with the query. Does anyone have a possible solution? 🙂

jansky

die($error['fileadd'])
add single quote
and also there is missing quote in your post
$name = $POST[name];
should be
$name = $POST["name"];

Drakla

http://www.webmasterstop.com/63.html

jansky

to avoid backslashes you can use
stripslashes() function
$name = stripslashes($_POST[name]);

example
$name="jan's name";

echo stripslashes($name);
result jan's name

or just follow what draka's link

Logic_Rules

"INSERT INTO files VALUES ('', '$name', '$description', '$download', '$author', $category);";

I don't think two semicolons at the end of this line will work.

jansky

did you ever tried it?

Drakla

The trouble is - which is stated in the link I posted - you NEED slashes to put quotes into a database query. Stop being so lazy and go D.A.F.T