PHP - Removing Quotations From Submitted Forms
Hi There,
I am putting a form together that, when submitted, pumps data into an SQL DB. However, I am having problems with quotation marks - for example, it's and her's and their's cause an error, because the insert statement takes the quote as the end of the row. How can PHP handle this so that it either removes or replaces that quote?

Thanks
Matt

Similar Tutorials

Hi All,
I have a text field in a form that, when submitted, passes the submitted data, using $_POST, into a second webpage. I then use an insert statement on that page to insert the submitted text into a DB. I am finding that if users place either a quote (") or an apostrophe (') in the form, it truncates the insert statement, as it takes the characters as the end of the line. Is there any other way of managing quotes and apostrophes in forms?

Cheers
Matt

Hi There,
Is there any way that when a user submits a form, but places a link inside - for example:
It is located at this location: http://mylink.com
Is there any way that PHP can pick up the fact that there is a link there and tag it correctly so it is clickable?

Cheers
Matt

Alright, so I just started picking up PHP again and I have a pretty simple question. I have a html form that takes a string then writes it on another page. My problem is when I use quotations I'll get slashes in them on the page it writes the string on. Is there a way to clean that stuff up?

I don't understand why it gives me a syntax error when I type this:
Code:
    echo '<h2> <?php echo $_POST['firstname'] ?> gelukt!</h2>';
Apparently, I have to do this:
Code:
    echo '<h2> <?php echo $_POST["firstname"] ?> gelukt!</h2>';

This topic has been moved to PHP Regex.
http://www.phpfreaks.com/forums/index.php?topic=330098.0

Hello,
I get the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'BETWEEN '1800-01-01' AND '2200-01-01'' at line 1
Here is the code:
// building query
Code:
    $where = array();
    if ( $_GET['sex'] != '') {$where[] = " geslacht = '$sex'"; }
    if( $_GET['minAge'] != '' && is_numeric($_GET['minAge'])){ $where[] = " geboortedatum < '$minAge'"; }
    if( $_GET['maxAge'] != '' && is_numeric($_GET['maxAge'])) {$where[] = " geboortedatum >= '$maxAge'"; }
    $where[] = " TijdRegistratie BETWEEN '$minDatum' AND '$maxDatum'";
    // glueing query
    $sql = "SELECT * FROM respondenten";
    if (count($where) > 0){ $sql .= "WHERE ".implode(" AND ", $where);}
Can somebody tell me where I've put the wrong quotations? *confused*

What's the best way for putting actual quotations into a database? I was using...
    $quote = htmlspecialchars(mysqli_real_escape_string($dbc, $_POST['quote']));
Should I be?

Does/can PHP recognize quotations beyond the simple example I have below:
    $quote = "\"";
    if(strstr($test, $quote)){ echo "quote found"; }
I'd like to detect any instance of a quote. Should I be including html such as " and/or other html quote symbols? Or does the simple example I have above suffice?

To execute code on successfully submitting text input, is this "bare minimum" code secure enough?
    if(!empty($_POST["textfield_input"])) {
...or is it best to make sure all 4 of these are confirmed:
if (
The html portion is simply:
I've searched on the net about this several times, and see different answers, and it looks like each PHP expert has their favorite.... but I would rather know the "best practices" answer to this. Thank you!!
Edited November 5, 2019 by StevenOliver

Up until now, I have been writing Forms that submit back to themselves. Now I want to break up my code. I usually have this PHP at the top of my forms...
Code:
    <?php
    // ********************************************
    // HANDLE FORM. *
    // ********************************************
    if ($_SERVER['REQUEST_METHOD']=='POST'){
    // Form was Submitted (Post).
If I change my Form Action to point to another script, will this code work in that new script?? (In other words, will Script_B be able to detect $_SERVER['REQUEST_METHOD']=='POST' ??)

Thanks,
Debbie

I am trying to filter characters that get submitted into forms and then the database. I have been playing with the trim function
    $string = $_POST['name'];
    $newstring = trim($string,"W");
    echo "$newstring";
but it does not seem to do what I really need. If I enter the name World I do get "orld" back, but what if I want to filter out W (or w) and L (or l) to get "ord". I am mainly going after removing ' " ; : . > , < - _ ( ) * & ^ % $ # @ ! \ | / ?
I know there is a different way to do it, but it has been a long time since I have seen it, and I do not know where. Thanks for your help

I now know how to append GET over normal hyperlinks, but I don't know how to do it with form submissions. Here's the problem: I have a form like this one:
    <form method="GET" action="">
    <?php
    require_once ('sort_category_func.php');
    $switch = 1;
    sort_category ($switch);
    ?>
    + Most Liked <input type='checkbox' value='mostLiked' name='mostLiked' /> <br />
    <input type="submit" name="sortSubmit" value='Go' /> <br /><br />
    </form>
And the variables:
    // DROP DOWN MENU VARIABLES
    $select_category = $_REQUEST['sort_category'];
    $most_liked = $_GET['mostLiked'];
I'm using a while loop to list user submissions. You can also sort them by category, which works over GET. This works as long as there is no GET data already in the URL, but as soon as there is GET data it won't work anymore.
Here's an example: If I have a user profile page opened like this:
    profile.php?user=konopkov
And a category has been chosen to sort the user's submissions the URL will change to:
    profile.php?sort_category=Logos
INSTEAD it should be:
    profile.php?user=konopkov&sort_category=Logos
As I said I know how to achieve this with hyperlinks now, but I have no clue how to do it with form submissions. Any suggestions? Thanks.

Hi there,
I have a newsletter sign up form which just puts the data (id and email) into a mysql table. To stop people hacking the site, is there a way to make sure the only thing being submitted in the input is an email address? Here's my current form and submit php:
Code:
    <?php
    $mailer = $_GET['mailer'];
    if ($mailer == 'added') {
        $email=$_POST['email'];
        if($email == '') {
            echo '<div class="daily_not_submitted"><span style="padding-right:6px;"><img src="https://store.huhmagazine.co.uk/images/cross.jpg"></span>Please fill in all the fields.</div>';
        }else {
            $sql="INSERT INTO `dailymailer` (`email`) VALUES ('$email');";
            $result=mysql_query($sql) or die(mysql_error());
            if($result){
                echo "<div class='daily_submitted'><span style='padding-right:6px;'><img src='http://www.huhmagazine.co.uk/images/uploaded/checkboxtick.jpg'></span>Thank you.</div>";
            } else {
                echo "Error\n";
            }
        }
    }
    ?>
    <div id="sidebarnewsletter">
    <form name="mailinglist" method="post" action="?mailer=added">
    <input type="text" name="email" class="sidebarnewsletter" placeholder="Enter Your Email Address" />
    <input type="submit" class="sidebarnewsletter_button" value="Sign Up">
    </form>
    <div class="clear"></div>
    </div>

I'd like to edit specific parts of a submitted text. What is the best way to do this? For example I get the following text:
[name country] is very cold this time of year.
Because I like the cold I would love to live there [end of line 2] whole lot more text here until [name country] if this text here exists, blabla [but Germany] is blabla [end of line] in some cases some more text here [summary] bla bla
The text in the brackets are words that I already know before it has been submitted. Getting the words out has been part of my previous script, using preg_match and put them in variables. I want to put the first portion of the text in a row, if 2nd, 3rd and 4th portion exist, put them in a row too. Any ideas?
[edited] I prefer to have these portions cut out and put in a variable. So I end up having a few variables and can later echo that out in rows

Edited by dde, 18 January 2015 - 04:01 AM.

Hello,
Basically, what I'm looking for would be a method of blocking certain email addresses from being submitted in a form. I need it to block certain emails that are on the list. I think the best way to describe it would be a form submission blacklist that is checked before it gets submitted.
Many thanks

I've got a BIG problem... When a user submits my form it works fine, displays a "Transaction Success/Failed", and e-mails me a confirmation. However, if the user then navigates to another page (e.g. "Home"), and then clicks their browser's "Back" button, my form gets re-submitted?! This is on a VPS, but I just chatted with server support and they are saying,
Quote
register_globals = Off
So what is going wrong?!

Debbie

Hi
We have a nicely working smtp contact form, however the form redirects to the contact.php file as default I presume, when we want it to go to a thank you page. Can you please take a look at the code below and clarify where I need to put the thank you page URL;
    $redirect_url = "http://".$_SERVER['SERVER_NAME']; //Redirect URL after submit the form
    $mail->From = $mail->Username; //Default From email same as smtp user
    $mail->FromName = "Mobile website";
    $mail->AddAddress("essexcarrentals@yahoo.co.uk", "Mobile Website"); //Email address where you wish to receive/collect those emails.
    $mail->WordWrap = 50; // set word wrap to 50 characters
    $mail->IsHTML(true); // set email format to HTML
    $mail->Subject = $_POST['Enquiry'];
    $message = "Name: ".$_POST['name']." \r\n <br>Email Address: ".$_POST['email']." \r\n <br> Phone: ".$_POST['phone']." \r\n <br> Vehicle: ".$_POST['select']." \r\n <br> Dates: ".$_POST['dates'];
    $mail->Body = $message;
    if(!$mail->Send()) {
        echo "Message could not be sent. <p>";
        echo "Mailer Error: " . $mail->ErrorInfo;
        exit;
    }
    echo "Message has been sent";
    header("Location: $redirect_url");
    }
    ?>
I have tried replacing the http:// but this returns a page undefined error on submission?
We appreciate your help on this one guys :0)
Ash

---

Hey guys,
OK, so actually I have two questions that are kind of related. The first one is how I can allow users to use <i>, <b>, <strong> tags when submitting information in a form. I would like to allow certain tags so they can emphasize things in their text, but I still want to strip the rest for security reasons. I tried using strip_tags() with some exceptions as a second parameter, but as far as I understand, that just allows them to be displayed as text, not for the browser to make text bold for instance. Below is what I have now.
    function stripdata($data) {
        return trim(htmlentities(stripslashes($data), ENT_QUOTES));
    }
    echo stripdata($someDataFromMySQL);
I also want to ask if the solution above is 100% safe so that users can not submit malicious code that can execute when users visit a page of mine that displays that code.
Thank you in advance.

I have been using an inventory application built on PHP/MySQL.
Since this morning I could submit the data and they were perfectly reflected on the MySQL Table. However, for a few hours I cannot save the submitted data to the table and it doesn't show any error message. Please note no changes have been made since it was successfully running. The developer of this application is not available right now.
PLEASE HELP, I AM A NOVICE IN PHP/MYSQL.

Hi! I'd like to allow some user-submitted plugins or custom code bits on pages. I'm basically making an online game generator for dummies and would like to allow some extra customization. Obviously I don't want to offer the full capability of php. I found safer eval and I believe with php's tokenizer I could make a parser to check user-submitted scripts for malicious coding against a white list. (For html cleaning I'd use htmlpurifier, though I haven't found a good solution for any CSS or Javascript yet. The php cleaning seems a larger road block anyway.) I was wondering if anyone here had a better solution? I don't want to make up my own coding language and I would prefer not to have to look over each script before use. I know this is a bad idea in general, sorry if I give anyone a heart attack by my even considering doing this and thank you in advance for any help!