When users post a bulletin for others to see, if they use a single quote, they get a SQL error message saying near character ', and I imagine a regular (double) quote would do pretty much the same thing. Am I to somehow add slashes and later remove them?

What I am showing here is where we are supposedly making the posted data safe.
Basically the make_safe function tries to check for certain tags to disallow.

    // make_safe() only filters tags; it does not escape quotes for SQL
    $journal_text=make_safe($HTTP_POST_VARS["details"],TRUE);

    // values are interpolated straight into the query string, so a ' inside
    // $journal_text closes the quoted literal early and MySQL reports a syntax error
    $sql="insert into journal";
    $sql.="(journal_of";
    $sql.=", journal_date";
    $sql.=", journal_time";
    $sql.=", journal_text)";
    $sql.=" values($journal_of";
    $sql.=", '$date_posted'";
    $sql.=", '$time_posted'";
    $sql.=", '$journal_text')";

I imagine the single quotes aren't being escaped. Is there a more secure way to do this or am I on the right track?

    Yeah I just used addslashes and later stripslashes, woohoo

      1. If you're interacting with a MySQL database, it's better to use mysql_real_escape_string() than addslashes(). Also, note that you should always use this function to sanitize user-supplied data before you use it in a query; otherwise, you're leaving yourself vulnerable to SQL injection attacks.

      2. Also, when retrieving data from SQL, there should be no reason you'd need to use stripslashes(). If you do, check the value of magic_quotes_gpc - ensure that it is OFF.
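Putting the two points above together, as an added example that is not the poster's or the forum's code: the same insert with mysql_real_escape_string() applied to every interpolated value and a guard for magic_quotes_gpc, followed by the same insert as a mysqli prepared statement, which is what replaces the mysql_* functions (they were removed in PHP 7). It assumes an open connection in $link (mysql) or $mysqli (mysqli), and that make_safe(), $journal_of, $date_posted and $time_posted come from the poster's script.

```php
<?php
// Added example, not the original poster's code. Assumes $link is an open
// mysql_connect() resource and $journal_of, $date_posted, $time_posted are set.

// 1. Undo magic_quotes_gpc if it is ON so the value is not escaped twice.
//    (The reply says to turn it OFF; this copes with either setting.)
$raw = $_POST['details'];
if (get_magic_quotes_gpc()) {
    $raw = stripslashes($raw);
}
$journal_text = make_safe($raw, TRUE);   // the poster's tag filter, unchanged

// 2. Escape each value for MySQL right before it goes into the query text.
//    mysql_real_escape_string() handles ' " \ NUL and newlines for the
//    connection's character set; addslashes() does not know the charset.
$journal_of_sql = (int) $journal_of;     // numeric column: cast, do not quote
$date_sql       = mysql_real_escape_string($date_posted, $link);
$time_sql       = mysql_real_escape_string($time_posted, $link);
$text_sql       = mysql_real_escape_string($journal_text, $link);

$sql  = "insert into journal";
$sql .= "(journal_of, journal_date, journal_time, journal_text)";
$sql .= " values($journal_of_sql, '$date_sql', '$time_sql', '$text_sql')";

if (!mysql_query($sql, $link)) {
    // Log server-side; do not echo mysql_error() back to the visitor.
    error_log('journal insert failed: ' . mysql_error($link));
}
// Reading the row back needs no stripslashes(): the backslashes existed only
// in the SQL text, the stored value is the original string.

// 3. Same insert on PHP 5.x/7+/8 with mysqli: a prepared statement sends the
//    values separately from the SQL, so no escaping step can be forgotten.
//    Assumes $mysqli is an open mysqli connection (hypothetical).
$stmt = $mysqli->prepare(
    "insert into journal (journal_of, journal_date, journal_time, journal_text)"
    . " values (?, ?, ?, ?)"
);
$stmt->bind_param('isss', $journal_of, $date_posted, $time_posted, $journal_text);
if (!$stmt->execute()) {
    error_log('journal insert failed: ' . $stmt->error);
}
$stmt->close();
?>
```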

        Thanks for the response. That's great to hear, except the script I use is enormous and I don't remember ever seeing one single occurrence, and basically the social network is one big interaction with the database.