PHP - How To Escape The Hacking Input

Code: [Select]
if ($indovina!=$indovinata) {
 if ($tentativi>=6) {
  echo ("\n<p>Sorry, you hanged yourself. The word you had to guess was: ".$indovina."</p>\n");
 }
 else {
  $scelt = preg_split('//', $scelte, -1, PREG_SPLIT_NO_EMPTY);
  echo ("\n<p>\n");
  foreach ($alfabeto as $lettalf) {
   $contrl = false;
   foreach ($scelt as $lett) {
    if (!strcasecmp ($lettalf, $lett)) {
     $contrl = true;
    }
   }
   if ($contrl) {
    print (' <img src="images/lr_'.$lettalf.'.gif" style="border:0;width:20px;height:20px" alt="'.$lettalf.'" />');
   }
   else {
    print (' <a href="'.$_SERVER['PHP_SELF'].'?letter='.$lettalf.'"><img src="images/lb_'.$lettalf.'.gif" style="border:0;width:20px;height:20px" alt="'.$lettalf.'" /></a>');
   }
   if ($lettalf=='m') echo ("\n <br />");
   echo ("\n");
  }
  echo ("</p>\n");
 }
}
else if ($indovinata){
 echo ("\n<p>Congratulations! You guessed the word.</p>\n");
 $DB->query("UPDATE ibf_members set gold=gold+5
WHERE id = {$ibforums->member['id']}");
}

Look at the bottom, ok so if the person wins the hangman game, it will show "Congrats" but then people will just beable to refresh the page, and that query will run again and again and that person will gain +5 gold each time....we need to fix this!! any help?

Hi guys, I think escaping is the correct term, apologies if its not.

Could anyone show me how I  can escape this so it works? Thanks

Code: [Select]
echo "[ - <a href="/$dir/game_play.php">Play</a> - ]";

Hey!
Code: [Select]
echo "<ol type=\"a"\>";This gives an error, how am I supposed to escape the " " correctly?

Hello, I was wondering if I need to escape all get values.  I often use a $_GET variable as in mypage.php?id=variable to selecting records to view etc.  I usually convert this to a variable to be used in a WHERE statement.
Code: [Select]
IF ($_GET['id']){
$id=$_GET['id'];
}
But what if someone tried to view all records
Quote

http://www.mypage.com/page.php?id=0';SELECT%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0


resulted in all content page data being displayed somehow. Or better yet, if visiting
Quote

http://www.mypage.com/page.php?id=0';DELETE%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0


resulted in all content being deleted. 

Is that even possible in the in the context of a MySQL WHERE statement?  Seems like the MySQL statement wouldn't be structured correctly and wouldn't work.
I use mysqli_real_escape_string" on posted content but should I also escape all GET input?

I have front page and page for news, and i wonna to set, on front page to show news but only 100 characters, and on news page to be all text, i done that with substr($news, 0, 100); but i have proble, when i have in $news text like this:
Code: [Select]
Hi everyone.
<b>Bold</b>now, subsrt count <b> and </b> like characters, how can i escape that <b> </b>, <u> </u> and other?

Hi Chaps, this is really getting my back up as its never happened before...im doing a site on a server im not familiar with and its causing me problems

Code: [Select]
<?
if(isset($_POST['upload']))
{
        include 'dbconnection.php';
$ttitle = mysql_real_escape_string($_POST['ttitle']);
$ttitle2 = mysql_real_escape_string($_POST['ttitle2']);
$query = "INSERT INTO test ( ttitle, ttitle2) ".
             "VALUES ('$ttitle', '$ttitle2' )";
             mysql_query($query) or die('Error, query failed : ' . mysql_error());                   
echo "<br>File uploaded<br>";
}       
?>
The database table is showing that it includes the backslash in the record, whereas i understood mysql_real_escape_string was oinly used to carry the data, and the backslash wouldn't be uncluded.

From the server:
PHP.ini file: (ver 5.2.17)
magic_quotes_gpc Off Off
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off

Is there something i can do to get this sorted, as i dont want to add stripslashes() throught the site.

As with the above, i have some forms with loads of fields, so if there is someway of adding a function that would be great....

thanks in advance

I haven't coded HTML or PHP in several years and am trying to get back into it.

Seems to me that there were some nifty tricks so that when you were conctenating HTML and PHP you didn't get a birds nest.

Maybe it was using something like { } but I don;t recall.

I also seem to recall that wisely choosing where to use single (') and double (") quote was key!

For example, how could this code be cleaner?

	echo '<table id="membershipPlans">
	<!-- Column Groups -->
	<colgroup>
	  <col id="feature">'."\r";
	  foreach ($plan_names as $p_id => $p_name):
	    echo '<col id="option0'.$p_id.'">'."\r";
	  endforeach;
	  echo '</colgroup>";
	

 

I'm using a PHP foreach loop to set Javascript array values from PHP array values  The problem is that some of the array values contain double quotes(") so it compromises the JS script.  Is there a PHP function that automatically escapes each double quote in a given string?

I've got a basic text input area within a form for users to add a brief bio about themselves. I made sure to use mysql_real_escape_string to avoid problems with special characters. However, when I want to display the content within the text area when a user chooses to update or change their bio, the text displays the escape characters.

How do I display data from my db without the user having to deal with the escape characters?

Hi, I have a site where users can register etc. I was wondering should I use mysql_real_escape_string() for the elements on my registration form example email, name and so on or is it no necessary?
One more question could some one tell is this the proper way to use it before inserting into the database.

$name=$_POST['name'];

mysql_real_escape_string($name)

?

I am having problems understanding how to sanitize my form data so it is safe to INSERT.

If I use this code...
Quote

   $trimmed = array_map('trim', $_POST);
   $body = mysqli_real_escape_string($dbc, $trimmed['body']);


And I enter into my form...
Quote

O'Reilly's book


Then I see this in phpMyAdmin...
Quote

O\'Reilly\'s book


---------

If I use this code...
Quote

   $trimmed = array_map('trim', $_POST);
   $body = $trimmed['body'];


And I enter into my form...
Quote

O'Reilly's book


Then I see this in phpMyAdmin...
Quote

O'Reilly's book



Why the strange behavior??



Debbie

Hello I am having a problem trying to write to a database using mysql real escape so there wont be any injection attacks. I trying using myrealescape and it returns errors:
Code: [Select]
Notice: Use of undefined constant messageTo - assumed 'messageTo' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17

Notice: Use of undefined constant messageSubject - assumed 'messageSubject' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17

Notice: Use of undefined constant messageBody - assumed 'messageBody' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17
I add in the single quotes and it doesn't write either. Dreamweaver says that either single quotes or not there is no syntax errors.

What going on? I have used it like this befo ('$ID','" . mysql_real_escape_string($_POST[post_content]) . "') and no problems..

~AJ


<?php 
require_once('connect.php');

if(isset($_COOKIE['user'])){}else{
header( 'Location: members.php');
}

if (isset($_POST['sendBtn'])){

$messageFrom = $_COOKIE['user'];
$messageTo = $_POST['messageTo'];
$hash = $messageTo.$messageFrom.time();
$hash = md5($hash);

mysql_select_db("majik");

$sql="INSERT INTO messagesystem(ID, hash, messageTo, messageFrom, messageSubject, messageBody, messageDate, messageRead, messageDelete) VALUES ('','$hash','" . mysql_real_escape_string($_POST['messageTo']) . "','$messageFrom','" . mysql_real_escape_string($_POST['messageSubject']) . "','" . mysql_real_escape_string($_POST['messageBody']) . "','0','0')";

echo '<center>Your message was sent to: '.$messageTo.'</center>';


}


?>

Hello. My client and I are trying to figure out a strange issue with exporting blobs. We are trying to sync a WAMP based databse and local MySQL database. The problem is with blob columns.  The issue: 

When exporting a blob, the local MySQL dump command inserts an escape character "\" before characters such as NUL, TAB and LF, and I am assuming a lot more. My PHP export function (opens a file, SELECT * FROM tbl, writes to the file) does not do this. 

The main issue is that my client cannot import my PHP dump files when there are blobs, which I suppose is because they are missing these escape characters. He can however re-import his own MySQL dumps. 

I know I could remedy by using PHP string replace functions to find each character and insert a '\' before it, but I don't know which characters will need to be escaped. I also feel like there is a more simple solution. For example this is what I have and it worked for a tiny 1 pixel image, but not for something complex:

$val = str_replace(chr('NUL'), '\0', $val);							
$val = str_replace(chr(0x9), chr(0x5c).chr(0x9), $val);	
$val = str_replace(chr(0xa), chr(0x5c).chr(0xa), $val);	

Thanks

My hosts version of php just seems to automatically add the backslashes.
Adding the escape string just seems to add like 3 of them rather than 1

Is this command out-of-date?

Hello   I am still fairly new to the PDO / mysqli thing and I would really appreciate some help with escaping special characters from the below code.

$sth = ("SELECT * from table WHERE field1 = '$bob' and field2 != ''");

 foreach ($dbh->query($sth) as $row) {
  

 $who =  $row['field2']; 
  $why = $row['field1'];
 
$dbh1->query("UPDATE table SET who = '$who', date = '$row[DATE]', time = '$row[TIME]' WHERE field1 = '$why'")or die(mysqli_error($db));
}

I have tried using the prepared statement as well as the mysqli_real_escape_string but sees the code results as an object.   Any help or comments would be greatly appreciated.