I haven't read through all the post, but it seems like you should use [man]mysql_real_escape_string[/man] to solve this problem.

Piranha wrote:

I haven't read through all the post, but it seems like you should use [man]mysql_real_escape_string[/man] to solve this problem.

Yes, I've read up a bit and I reckon [man]mysql_real_escape_string[/man] is the command I need to use. The only problem is that I don't know how it would fit into the coding that I have above?

Addslashes is fairly simple.

addslashes($variable);

I'm fairly new to PHP, so I may be way off base here, but will this work?

$query = "UPDATE $table SET ";
while (list ($key, $value) = each($getArray)) {
	$query .= " $key = ".addslashes($value).",";
}

I would think that mysql_real_escape_string would work the same way.

$query = "UPDATE $table SET ";
while (list ($key, $value) = each($getArray)) {
	$query .= " $key = ".mysql_real_escape_string($value).",";
}

Neither work.

The addslashes does nothing and the real escape string brings up a load of error messages.

addslashes is a really bad way of doing it since it is not suited to any database. It will cause problems in the database.

I will post an example how you can use it in a few minutes, at the moment I'm kind of busy.

This goes to the _get array, cleans the values (turns ' into & value, and then initiates the variable with that cleaned value. Great for your M'c Slash/ies

foreach($_GET as $key => $value){
	    //stripslashes(trim($value));
	    $value = preg_replace('!\\\\+|/+!', '', $value);
	if(!isset($$key)){ 
		$$key =htmlspecialchars($value, ENT_QUOTES);
	};
};

You can start here, but you should add an array of permitted values and forbidden values.

the !isset is to avoid overwriting php core values. this can also be modified to handle arrays in the url differently.

Also, you might have trouble outputting to pdf or database dumps later, but I just clean on output

The easiest way is probably to first set it with mysql_real_escape_string and then insert in the query. Something like this:

case "UPDATE":
$query = "UPDATE $table SET "; // I have no idea where $table comes from, maybe it is needed here as well.
while (list ($key, $value) = each($getArray)) {
$query .= " $key = '$value',";
}
$query = ereg_replace(",$","",$query);
if(isset($getArray['itemID'])){
$itemid = mysql_real_escape_string($getArray['itemID']); // Note the ' signs for the name in the array.
$query .= " WHERE itemID = '$itemid'";
}elseif(isset($getArray['id'])){
$id = mysql_real_escape_string($getArray['id']);
$query .= " WHERE id = '$id'";

You can do it with [man]sprintf[/man] and a few other ways as well. But this is probably the easiest way.

Thanks Piranha, but it doesn't seem to be working. It doesn't update the database at all now.

Please post the resulting query here within [php ] [/php ] tags (without the spaces) and I'll check if something seems to be strange.

Do you have a .htaccess file in your web directory? If so then you can turn magic quotes on just for your application. Better in the long run to just fix your code but a simple setting might be all you need.

Might try something like this

    function update($tableName,$keyName,$data)
    {
        // Build set list
        $set = '';
        foreach($data as $name => $value) {
            if ($name != $keyName) {
                if ($set) $set .= ', ';
                $set .= $name . ' = ' . mysql_real_escape_string($value);
            }
            else $keyValue = mysql_real_escape_string($value);
        }
        $sql = "UPDATE {$tableName}\nSET {$set}\nWHERE {$keyName} = {$keyValue};";
    }

It's a modification of a routine I use. Might need a syntax tweak or two. But all you need is an array of the data to be updated along with the table name and primary key name.

Do you use mysql_real_escape_string on the title? You should use it on every variable you use in every query to the database. And are you sure that you use the returning value from that in the query. Can you please show that piece of code as well, then we can try to spot any error.

By the way, do not set magic quotes on. They are like addslashed in the scence that it is far to general and messes things up more than it helps.

case "UPDATE":
		$query = "UPDATE $table SET ";
		while (list ($key, $value) = each($getArray)) {
			$query .=  " $key = '$value',";
		}
		$query = ereg_replace(",$","",$query);
		if(isset($getArray['itemID'])){
			$itemid = mysql_real_escape_string($getArray['itemID']);
			$query .= " WHERE itemID = '$itemid'";
			//$query .= " WHERE itemID = '$getArray[itemID]'"; #this is the original coding for this piece instead of the 2 lines above it
		}elseif(isset($getArray['id'])){
			$id = mysql_real_escape_string($getArray['id']);
			$query .= " WHERE id = '$id'";
			//$query .= " WHERE id = '$getArray[id]'"; #this is the original coding for this piece instead of the 2 lines above it
		}
		echo $query; # this brings up the query I demonstrated above
	break;

I have used the coding you have provided above.

You have to use it in the while-loop as well. And you miss one line. I did not try to do the coding for you, just to show how it could be done.

Piranha wrote:

You have to use it in the while-loop as well. And you miss one line. I did not try to do the coding for you, just to show how it could be done.

Thanks for helping me out this far. I just need that bit more help to get the coding working for me. I'm pretty new to this game as I'm primarily a designer come flash developer, but have been involved in a good few php/mysql content managed sites, although I've been using generic code thus far...and have now come across this problem with magic quotes (which I believe is being scrapped in the next version of PHP).

Any help is gratefully appreciated.