[RESOLVED] Sql function

futurra

can anyone help?

if (isset($POST['submit']))
{
// A separate sanitise function would be good...
$name=mysql_real_escape_string(strip_tags($POST['name']));
}

mysql_real_escape_string is returning nothing.

I have tested strip_tags that returns a correct value.

rincewind456

What is the problem and what are you expecting from mysql_real_escape_string()

futurra

the sql function is used to help filter a string (name) ie: joe blogs
$name would then store the filtered string

rincewind456

futurra wrote:
the sql function is used to help filter a string (name) ie: joe blogs
$name would then store the filtered string

Surprisingly I know what the functions do, I also know that if you pass joe blogs through mysql_real_escape_string it will appear to do nothing as there is nothing to escape. If you want to see what my_sql_real_escape_sting and strip tags do use this

<?php
set_magic_quotes_runtime( 0 );

if (isset($_POST['submit'])){
	echo 'No escaping outputs: '.$_POST['name'];
	print '<br>';
	$name = strip_tags($_POST['name']);

echo 'Strip tags outputs: '.$name;
print '<br>';
$name = mysql_real_escape_string($_POST['name']);
echo 'Escape String outputs: '.$name;
print '<br>';
$name = mysql_real_escape_string(strip_tags($_POST['name']));
echo 'Escape String and strip tags outputs: '.$name;
} else {
	?>
	<form method="POST" action="<?php $_SERVER['PHP_SELF'];?>">
	<input type="text" name="name" size="30">
	<input type="submit" name="submit" value="Submit">
	</form>
<?php
}
?>

And you still haven't said what the problem is!

futurra

The sql function is used to filter out the string name: ;Joe</*Bloggs etc.

then go to the following loop

if(!$vname )
{
stuff 1
}
else
{
stuff
}

However no value is being stored in $vname so stuff1 is always run.

rincewind456

You'll have to provide more code than that if you expect an answer, and could you enclose your code within

tags to make it easier for us all to see.

futurra

The code is as follows:

if (!empty($_POST)) 
  { 

       if (isset($_POST["vname"])) {
               $vname = $_POST["vname"];
$vnames = strip_tags($vname);
echo "<HTML> checks1: <br>  $vname<br>  $vnames</html>   ";
    // A separate sanitise function would be good... 
$vname = mysql_real_escape_string($vnames); }

$vemail = mysql_real_escape_string(strip_tags($_POST['vemail'])); 
$vurl = mysql_real_escape_string(strip_tags($_POST['vurl'])); 
 if (isset($_POST["vcomment"])) $vcomment = $_POST["vcomment"];
    $vcomment = mysql_real_escape_string(strip_tags($vcomment));
echo "<HTML> check2: <br>  $vname</html>   ";
}


// ERROR - Empty fields
   if (!$vname || !$vcomment) {
 { 
      print "<font color='red'>Name or comment not entered, please go back and sign again</font><br>"; 
    } 
   else 
    { 
    print "<font color='red'>Name entered: $vname  <br>Comments entered: $vcomment</font><br>"; 
}

This is the code i'm testing. It always shows Name or comment not entered.

rincewind456

Right you have one too many curly braces on line 22 but apart from that after having created the form to enter the fields (something you didn't show in your posts) the form works as it should, although I can't see what you would want to print out $vname 4 times .

futurra

Hi
I have tested your script, that you provided in your 2nd post.
I have inputted this value into the form: <html/> ffff<

The output is: No escaping outputs: ffff<
Strip tags outputs: ffff
Escape String outputs:
Escape String and strip tags outputs:

Is this what you would expect to get?

rincewind456

No!

No escaping outputs: ffff<
Strip tags outputs: ffff
Escape String outputs: ffff<
Escape String and strip tags outputs: ffff

is what I get running the script

futurra

I know why mysql_real_escape_string() is returning false now, a mysql connection has to be made first.