Posting notes with single quotes gives error

JasonSims

I am still figuring out PHP and I now know that I need to use the mysql_real_escape_string() in some way. The problem is, I cannot figure out how to use it. My code is as follows:

<?php

session_start();

if(!isset($_SESSION['username'])){
    header( 'Location: loginform.html' );
}

require('db.php');


   $query_client_ID = sprintf("SELECT client_ID FROM clients WHERE username='".$_SESSION['username']."'",
                mysql_real_escape_string($username));
   $client_ID = mysql_query($query_client_ID);


$client_ID = mysql_fetch_array($client_ID);
$client_ID = $client_ID['client_ID'];

if (isset($_POST['Submit'])) { // if the form has been submitted
    if ($_POST[message]!="") { // if the message isn't blank
        mysql_query("
            INSERT INTO noteboard(`client_ID`, `date`, `message`)
            VALUES('$client_ID', CURDATE(), '$_POST[message]')
        ") or die(mysql_error());

}
} 

// Displays all current notes

$query = sprintf("SELECT * FROM noteboard WHERE client_ID='".$client_ID."' ORDER BY date",
				mysql_real_escape_string($client_ID));
$getNotes = mysql_query($query);

while($row = mysql_fetch_array($getNotes, MYSQL_ASSOC)){
    echo "Posted by " . $_SESSION['username'] . " on " . $row['date'] . "<br /><p>"
	. $row['message'] . "</p><hr />";
}


?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
</head>
<body>

<form action="noteboard.php" method="post">
<h3>Message:</h3><br />
<textarea name="message" cols="30" rows="10"></textarea><br />
<input type="submit" name="Submit" value="Submit" /></form>

</body>
</html>

Any help would be greatly appreciated!

dagon

you only need it to sanitise string input into the db, so in your case:

$_POST['message']=mysql_real_escape_string($_POST['message']);

before the insert query

JasonSims

Thank you so much! What a simple solution.

bradgrafelman

Some other comments...

When posting PHP code, please use the board's [noparse]
```
..
```
[/noparse] bbcode tags as they make your code much easier to read and analyze.
This code:
```
   $query_client_ID = sprintf("SELECT client_ID FROM clients WHERE username='".$_SESSION['username']."'", 
                mysql_real_escape_string($username)); 
```
isn't using [man]mysql_real_escape_string/man at all in the SQL query. Read the manual for [man]sprintf/man to learn how it's used; you're supposed to use placeholders (e.g. %s for a string) in the format string which will later be replaced with the 2nd, 3rd, etc. arguments.
Speaking of the above query, wouldn't it be a lot simpler/more efficient to simply store the 'client_ID' value in the session?

You have the same problem with sprintf() here too:

$query = sprintf("SELECT * FROM noteboard WHERE client_ID='".$client_ID."' ORDER BY date", 
                mysql_real_escape_string($client_ID))

Once you learn how to use sprintf() properly, note that if client_ID is a numeric value, then you should be treating it as such. What that means is that you shouldn't surround it with quotes in the SQL query and you shouldn't use mysql_real_escape_string/b to sanitize it either.

If it's an integer, for example, you could use %d or %u in the sprintf() format string to force it to be cast as an integer (signed or unsigned). That way, no further sanitization would need to be done on your part.

JasonSims

Thank you for the tips. I will be sure to post PHP correctly in the board from now on. And I don't the escape strings like that in the page. I was experimenting trying to see what I needed to do and forgot to remove the excess before I posted. Thank you again for the explanation.