[RESOLVED] apostrophes in form input fields

sig

I have form fields that are used as input to populate a database table using INSERT. I get 'sql syntax error' in connection with apostrophes in form input fields but in a very inconsistent way. Some INSERT sql doesn't seem to mind the
apostrophes. Then again other times, I'll get the 'sql error' message.

Anybody have any suggestion. Thanks.

laserlight

You probably have magic_quotes_gpc on. Turn it off. If you are unable to change the configuration, then apply [man]stripslashes/man conditionally based on [man]get_magic_quotes_gpc/man, then escape the string input normally before insertion into the database.

sig

thank you 'laserlight'; before I looked at the magic quotes setting, I tried the following code on the input fields and it solved the problem:
$input_field1=htmlentities($_POST['fieldA'], ENT_QUOTES);

you were right though, magic_quotes_gpc was set 'on'.

laserlight

before I looked at the magic quotes setting, I tried the following code on the input fields and it solved the problem:
$input_field1=htmlentities($_POST['fieldA'], ENT_QUOTES);

That "works" because it converts single quotes to their HTML escape sequence equivalent. However it is wrong solution, precisely because it encodes special characters in HTML. The solution is as I said: turn magic_quotes_gpc off, or apply stripslashes(). Either way you should still apply the normal escaping, which is not htmlentities(), but say, prepared statements for the PDO extension or mysql_real_escape_string() for the MySQL extension.

db1

laserlight wrote:
You probably have magic_quotes_gpc on. Turn it off. If you are unable to change the configuration, then apply [man]stripslashes/man conditionally based on [man]get_magic_quotes_gpc/man, then escape the string input normally before insertion into the database.

Laserlight, so I am newbie to PHP I don't think I can change magic_quotes_gpc as I am on a shared server. So my issue is I have user's input data in to a form

<tr><td width=10> </td>
<td ><b>Title</b></td>
<td align='left'><input type=text class='bginput' name=title value='Used Boat For Sale at a Great Price!'> <b><font color='FF0000'>REQUIRED</b></font></td>
</tr>
<tr><td width=10> </td>
<td >Boat Details</td>
<td align='left'><textarea name='dtl' rows='10' cols='50'></textarea></td>
</tr>

How do I allow them to use the apostrophes in the form input fields????

db1

hello

db1

Hi Im a newbie with PHP, So Laserlight you said... If you are unable to change the configuration, then apply stripslashes() conditionally based on get_magic_quotes_gpc(),

My issue is that user's input data via a form:
<tr><td width=10> </td>
<td ><b>Title</b></td>
<td align='left'><input type=text class='bginput' name=title value='Used Boat For Sale at a Great Price!'> <b><font color='FF0000'>REQUIRED</b></font></td>
</tr>
<tr><td width=10> </td>
<td >Boat Details</td>
<td align='left'><textarea name='dtl' rows='10' cols='50'></textarea></td>
</tr>

How would I allow user's to input the apostrophe into my form/sql database???

Weedpacket

db1 wrote:
laserlight wrote:
If you are unable to change the configuration, then apply stripslashes() conditionally based on get_magic_quotes_gpc(),

On the [man]get_magic_quotes_gpc[/man] page there is example code for adding slashes if the magic quotes setting is on; your would be much the same, except you'd be removing slashes if the setting is off. So in the if() test in that example, you'd remove the "!", and you'd replace "addslashes" with "stripslashes".

And after that, as laserlight says, you'll need to properly escape the input data, in one of the ways he suggested (PDO or mysql_real_escape_string()).