PHP - Code Generates Back Slashes
i have a php form where users can update db. but when the input has a <a href=""></a> input, it generates back slashes on the web.
below is the results after the input. Code: [Select] <a href=\'\\\"images/gallery/storyslideshow/ppic-5 (1).jpg\'\\\" rel=\'\\\"lyteshow[featgallery]\'\\\" title=\'\\\"\'\\\">View Slideshow</a><br><br> i have a this on my updating code Code: [Select] mysql_real_escape_string($_POST["fulldesc"]); Similar TutorialsHi guys, I've been doing all kinds of things for about 3 weeks to find out how on earth does php generate tmp_name for $_FILE? I have many questions about it... For example, Is it possible to change tmp_name before uploading files? If not, is it possible to generate or calculate tmp_name before reaching $_FILE['<your file field>']['tmp_name']. I hope someone can answer my questions. Thanks Memphis I notice a situation where if someone goes to a webpage that uses SESSIONS to load information on the page and the user then goes to another page and then hits back on the broswer the page he went back to doesnt load any of the SESSION variable i had for the page. Anyone know how to fix this? at first i thought it had something to do with broswer cache but idk Please, take a look to the following code.After clicking Next it goes to overview.php.Why when I click back on my browser to return to this page again, it is not returning back? When I click back I receive "Confirm Form Resubmission" message. After refreshing page it loads page. I guess problem is in "session_start();" part. Something to do with cookies. Please, help me it is very urgent for me. <?php session_start(); echo "<html> <head> <title>Hello World</title> <meta http-equiv='Content-Type' content='text/html; charset=Windows-1252'/> </head>"; require_once ('functions.inc'); if(!isset($_POST['userid'])) { echo "<script type='text/javascript'>"; echo "window.location = 'index.php'"; echo "</script>"; exit; }else{ session_register("userid", "userpassword"); $username = auth_user($_POST['userid'], $_POST['userpassword']); if(!$username) { $PHP_SELF = $_SERVER['PHP_SELF']; session_unregister("userid"); session_unregister("userpassword"); echo "Authentication failed " . "Please, write correct username or password. " . "try again "; echo "<A HREF=\"index.php\">Login</A><BR>"; exit; } } function auth_user($userid, $userpassword){ global $default_dbname, $user_tablename; $user_tablename = 'user'; $link_id = db_connect($default_dbname); mysql_select_db("d12826", $link_id); $query = "SELECT username FROM $user_tablename WHERE username = '$userid' AND password = '$userpassword'"; $result = mysql_query($query) or die(mysql_error()); if(!mysql_num_rows($result)){ return 0; }else{ $query_data = mysql_fetch_row($result); return $query_data[0]; } } echo "hello"; echo "<form method='POST' name='myform' action='overview.php'>"; echo "<input type='submit' value='Next'>"; echo "</form>"; ?> Hello Everyone, I've been working with XAMPP 1.7.3 and have a general question. I've always read (and been told) to use addslashes() for any MySQL input to protect the database. My PHP.ini file has magic quotes off and the system automatically produces a caret symbol "^" in front of every control character I upload to the database. I can't find anything in the PHP.ini file relating to the caret symbols and control characters, nor can I find anything in the My.ini file. In testing, it the system behaves just as it would if I had magic quotes on, except that the system uses the carets instead of slashes. I have no problem removing the carets (and any slashes that a user might upload) but would like to know what is going on. I've done google searches on this and have only found content regarding regular expressions. Could someone clue me in? Thank in advance. Cheers, Rick Hi there i have this code: Code: [Select] $str = "<i><font color="800080"> man </font></i><p><font color="9898989"> hi </font></p><p><font color="1111111"> cheers </font></p>"; $pattern = '/<font .*?>(.*?)<\/font>/'; if(preg_match_all($pattern, addslashes($str), $posts)){ $i=0; for($i; $i < count($posts[0]); $i++){ echo "content: " . $posts[0][$i] . "<br/>"; echo "colour: " . $posts[1][$i] . "<br/>"; echo "<br />"; } } and it doesn't work apparently because of the addslashes but its really needed as double quotes needs to be escaped, consider that i'm applying this code to a larger html file with hundreds of double quotes to be escaped.... error msg i get is Parse error: syntax error, unexpected T_LNUMBER in thanks in advance.. Hi: Is this the proper way to remove slashes from apostrophes: Code: [Select] if ($_SERVER['REQUEST_METHOD'] == 'POST') { $myTitle = mysql_real_escape_string(stripslashes($_POST['myTitle'])); $myDesc = mysql_real_escape_string(stripslashes($_POST['myDesc'])); $myHeader = mysql_real_escape_string(stripslashes($_POST['myHeader'])); $mySubHeader = mysql_real_escape_string(stripslashes($_POST['mySubHeader'])); $myPageData = mysql_real_escape_string(stripslashes($_POST['myPageData'])); It seems to work fine, I'd just like to clarify I'm not missing anything. Thanks! Hi All I Am confused I would like to put info into a database but need it to be secure. I have some code shown below. The problem is I would like to put in ' but keep the data secure. When it comes back I do not want to show \' I think you might know what I am trying to do. Here is the code but would like to know how to stop the \' showing. Code: [Select] $password = mysql_real_escape_string(stripslashes(trim($_POST['password']))); Any help would be great thank you. I have this page that keeps adding slashes (exponentially) to the $sql var that gets passed on through the hidden text area. I cannot figure out why it does this. Any ideas are appreciated. Thank you. <?php include_once $_SERVER['DOCUMENT_ROOT'] . '/include/login.php'; include_once $_SERVER['DOCUMENT_ROOT'] . '/include/mysql.php'; if(!Login::loggedIn()) { include $_SERVER['DOCUMENT_ROOT'] . '/include/uploads/pages/login.php'; } else { function displayForm() { $sql = 'SELECT * FROM `content` WHERE `contentCallid` = \'' . $_GET['page'] . '\''; $con = $GLOBALS['mysql']->connect(); $query = mysql_query($sql, $con); $content = mysql_fetch_array($query); $content['breadcrumb'] = explode(',', $content['breadcrumb']); $content['breadcrumbLink'] = explode(',', $content['breadcrumbLink']); $breadcrumb = ''; for($i = 0; $i < count($content['breadcrumb']); $i++) { if($i > 0) $breadcrumb .= ','; $breadcrumb .= $content['breadcrumbLink'][$i] . '::' . $content['breadcrumb'][$i]; } if(empty($_POST['sql'])) { $sql = 'INSERT INTO `contentVersions` (`contentCallid` , `contentTitle` , `content` , `views` , `permissionNeeded` , `status` , `version` , `created` , `createdBy` , `lastEdit` , `lastEditBy` , `breadcrumb` , `breadcrumbLink` , `noBreadcrumb` ) VALUES ( \'' . ($content['contentCallid']) . '\', \'' . ($content['contentTitle']) . '\', \'' . ($content['content']) . '\', \'' . ($content['views']) . '\', \'' . ($content['permissionNeeded']) . '\', \'' . ($content['status']) . '\', \'' . ($content['version']) . '\', \'' . ($content['created']) . '\', \'' . ($content['createdBy']) . '\', \'' . ($content['lastEdit']) . '\', \'' . ($content['lastEditBy']) . '\', \'' . ($content['breadcrumb']) . '\', \'' . ($content['breadcrumbLink']) . '\', \'' . ($content['noBreadcrumb']) . '\');'; $sql = stripslashes($sql); } else { $sql = $_POST['sql']; } ?> <form id="loginForm" name="loginForm" method="post" action="index.php?p=editPage&page=<?= $_GET['page']; ?>&ref=editPage"> <fieldset> <legend>Page Settings </legend> <p> <label>Page Title: </label> <input name="title" style="width:450px;" id="title" value="<?= $content['contentTitle']; ?>" type="text" /> </p> <p> <label>Content ID: </label> <input name="callid" readonly="readonly" style="width:381px;" id="callid" value="<?= $content['contentCallid']; ?>" type="text" /> <input name="suggestC" type="button" value="Suggest" onclick="suggestCallID('<?= $content['contentCallid']; ?>');" /> </p> <p> <label>Breadcrumb: </label> <input name="breadcrumb" style="width:381px;" id="breadcrumb" value="<?= $breadcrumb; ?>" type="text" /> <input name="suggestBC" type="button" value="Suggest" onclick="suggestBreadcrumb();" /></p> </fieldset> <textarea name="editPageWYS" id="editPageWYS"><?= $content['content']; ?></textarea> <textarea style="visibility:hidden;" name="sql"><?= $sql; ?></textarea> <textarea style="visibility:hidden;" name="version"><?= $content['version']; ?></textarea> <textarea style="visibility:hidden;" name="contentid"><?= $content['contentid']; ?></textarea> <fieldset> <legend>Actions</legend> <p> <input name="save" type="submit" value="Save" /> </p> </fieldset> </form> <?php } if(!empty($_POST['save'])) { if(empty($_POST['title']) || empty($_POST['callid'])) { echo '<blockquote class="failure">Save not successful. You need to have both a title and content id. Please type in a title then click the "Suggest" button.</blockquote>'; displayForm(); } else { $time = time(); $bc = explode(',', $_POST['breadcrumb']); $bcText = array(); $bcLink = array(); for($i = 0; $i < count($bc); $i++) { $bc[$i] = explode('::', $bc[$i]); $bcLink[$i] = $bc[$i][0]; $bcText[$i] = $bc[$i][1]; } $bcLink = implode(',', $bcLink); $bcText = implode(',', $bcText); $con = $GLOBALS['mysql']->connect(); $query = mysql_query($_POST['sql'], $con); echo $_POST['sql']; if(!$query) { echo '<blockquote class="failure">Warning: A MySQL error has occured while adding the backup to the database.<p>' . mysql_error() . '</p></blockquote>'; displayForm(); } $sql = 'UPDATE `content` SET `content` = \'' . $_POST['editPageWYS'] . '\', `breadcrumb` = \'' . $bcText . '\', `breadcrumbLink` = \'' . $bcLink . '\', `contentCallid` = \'' . $_POST['callid'] . '\', `contentTitle` = \'' . $_POST['title'] . '\', `version` = \'' . ($_POST['version'] + 1) . '\', `lastEdit` = \'' . $time . '\', `lastEditBy` = \'' . $_SESSION['username'] . '\' WHERE `contentid` = ' . $_POST['contentid'] . ' LIMIT 1 ;'; $query = mysql_query($sql, $con); if(!$query) { echo '<blockquote class="failure">MySQL Error<p>' . mysql_error() . '</p></blockquote>'; displayForm(); } else { echo '<blockquote>Page Successfully Edited<br /><br /><a href="index.php?p=' . $_POST['callid'] . '&ref=newPage">Click Here to View It</a></blockquote>'; } } } else { displayForm(); } } ?> Hi guys When I insert a data into MySQL and thru addslashes() it is adding not one but 3 slashes in mysql. By the way here are the codes, Code: [Select] <?php //$conn = new mysqli('localhost', 'root', '', 'my_db'); $conn = new mysqli('localhost', 'coder9_work', '******', 'coder9_portfolio'); $query = "INSERT into portfolio(category, title, description, version, started, finished) VALUES (?, ?, ?, ?, ?, ?)"; $select = $_POST['select']; $title = addslashes($_POST['title']); $description = $_POST['description']; $version = $_POST['version']; $started = $_POST['started']; $finished = $_POST['finished']; $stmt = $conn->stmt_init(); if($stmt->prepare($query)) { $stmt->bind_param('ssssss', $select, $title, $description, $version, $started, $finished); $stmt->execute(); } if($stmt) { echo "Thank you!"; } else { echo "There was a problem. Please try again later."; } ?> How do I fix this problem so that It will add only one slashes? Thanks in advanced. Ok so I'm coding up a file tree for a script and I've got the system setup so that when a user clicks on a folder it adds that folder to the path. The path is stored in a variable, but I'd like to allow the user to be able to go down multiple directories at once. To do this I'm going to seperate each folder name in the path and link to it so as an example: $path = './home/public_html/folder1/folder2'; how can I separate each of those so I can make a link to that folder so that: /home goes to $path = './home/'; /public_html goes to $path = './home/public_html'; etc... --- Basically just seperate the slashes into an array and seperate each of them off based on how far along it is but I don't know how to do that... This is driving me nuts and I'm hoping someone can help me figure it out. I have a site with PHP/MySQL. I have a form where people can submit a comment. This comment then goes into a MySQL database and gets displayed back on another page of the website. NOTE: I put this question in the PHP Forum because I think the problem is happening somewhere BEFORE the info gets entered into MySQL. But of course, I could be wrong. The problem is that some of the comments are coming in with a "\" in front of apostropes, but NOT ALL OF THEM (which is really confusing me). For example, someone entered this comment which shows in the MySQL database exactly like this... I predict Lena's gonna win a lifetime Grammy. It's long overdue. Someone else entered a comment which shows in the MySQL database exactly like this... can\\\'t wait to see first pics of the next addition. Congrats! They both have apostrophes in them, but only that second one added those slashes (and 3 of them for some reason). There are more instances of this where some comments have the slashes before the apostrophe and some don't. Anyone know what might be causing this seemingly random insertion of slashes? "BACK" or REFRESH: Preventing database interaction / code execution how to prevent database interaction / code execution when user presses back or refresh button? can i detect? can i disable back/refresh? Hi, I have set up 2 php pages page 1 - add_entry2.php In this page I have a invoice table created where I can dynamically add/delete rows. This has a View Bill button which takes me to page 2- add_entry3.php In this page it shows up the rows added in page 1 in read only format, so if the user wants to modify the data that he/she entered then he must Click on <back> that i have provided in the page 2 which will direct him to page 1 Now the problem starts here on click of Back the dynamically added rows dissappear..which is frustrating..I know its something to do with my code..but can anyone help me fix it. One more thing is that i dont want to store the data into DB till the finalise button is clicked on page 2 so that means till page 2 is submitted nothing goes to DB from Page 1. I am able to retain values if I use the code Code: [Select] <form action="add_entry2.php" name="eval_edit" method="post" format="html"> i,e if I submit back to the same page and retrieve values form $_POST but If I use the code Code: [Select] <input type="button" value="Back" onClick="history.go(-1);return true;">to get back to add_entry2.ph it looses all the values. Is there any other way to code the BACK link retaining my $_POST values(Do you think $_SESSION would work in this case?) Ok. So I just started using prepared statements. One issue I ran into is that after inserting say "abc's" into the table with a prepared statement when I read that row and display it, it shows as abc\'s I have to use stripslashes on the variable before displaying it. I thought that with magic quotes. off this would not be a problem. Am I going to have to strip slashes on all fields now? Is there another way around it? here is my phpinfo for reference magic_quotes_gpc Off Off magic_quotes_runtime Off Off magic_quotes_sybase Off Off And compile options Configure Command './configure' '--host=i686-redhat-linux-gnu' '--build=i686-redhat-linux-gnu' '--target=i386-redhat-linux' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--cache-file=../config.cache' '--with-libdir=lib' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--disable-debug' '--with-pic' '--disable-rpath' '--without-pear' '--with-bz2' '--with-curl' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr' '--with-png-dir=/usr' '--enable-gd-native-ttf' '--without-gdbm' '--with-gettext' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-png' '--with-pspell' '--with-expat-dir=/usr' '--with-pcre-regex=/usr' '--with-zlib' '--with-layout=GNU' '--enable-exif' '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-track-vars' '--enable-trans-sid' '--enable-yp' '--enable-wddx' '--with-kerberos' '--enable-ucd-snmp-hack' '--with-unixODBC=shared,/usr' '--enable-memory-limit' '--enable-shmop' '--enable-calendar' '--enable-dbx' '--enable-dio' '--without-mime-magic' '--without-sqlite' '--with-libxml-dir=/usr' '--with-xml' '--with-mhash=shared' '--with-mcrypt=shared' '--with-apxs2=/usr/sbin/apxs' '--without-mysql' '--without-gd' '--without-odbc' '--disable-dom' '--disable-dba' '--without-unixODBC' '--disable-pdo' '--disable-xmlreader' '--disable-xmlwriter' '--disable-json' Thanks JT Hi, I need to analyze a string and get the text between, before, and after the forward slashes.. The string will always look something like this, but will vary: $str = "I will go to the store with <# one/two/three #> people." Then I need to create a form with radio buttons for each choice. In this case (one, two, or three). The text between the <# ... #> could be different every time, and with uknown amount of forward slashes. Here is what I have so far but it doesn't work. Code to find if there are slashes: Code: [Select] preg_match_all( '/([/]+)/',$str,$matches); Code to create html form .. Code: [Select] $i = 0; $html = '<form>'; foreach ($matches[0] as $match){ if ($pos = strpos( $str,$match ) ) === false ) continue; } $html .= '<input type="radio" name="place-' . $i . '" value=". $match . '" /> '; } $html .= '</form>'; Its not working as needed. I'm not sure how to create radio button choices for the words (one, two, three). Thanks Hi all, I have an issue on a form that when it gets submitted a slash '/' appears before every quote symbol. I had help solving the issue on one of the fields (the name field), but then later it was discovered that the slashes appear in all the fields whenever a quote was used (agreed, poor testing). Can someone be so good to help me solve this? My php knowledge is not so great which is exactly why I'm asking here Please see my code below. If this problem can be solved in the same manner as the name field was solved, then there are 2 files which will need the edits. They are below: (some trivial information purposely removed for security reasons) preview.php <div id="card"> <img id="logo" src="logo.jpg" /> <div id="card1"><?php echo stripslashes($_REQUEST['text1']); ?> </div> <div id="card2"><?php echo $_REQUEST['text2']; ?> </div> <div id="card3"><?php echo $_REQUEST['text3']; ?> </div> <?php if($_REQUEST['text4'] != '' && $_REQUEST['text5'] != '') $text = $_REQUEST['text4'].' • '.$_REQUEST['text5']; else $text = $_REQUEST['text4'].$_REQUEST['text5']; ?> <div id="card4"><?php echo $text; ?> </div> <div id="card5"><?php echo $_REQUEST['text6']; ?> </div> </div> second_form.php <?php session_start(); $db_host = 'localhost'; $db_name = ''; $db_user = ''; $db_pass = ''; $admin_email = "admin@aserver.com"; if(isset($_REQUEST['text1'])) $_REQUEST['text1'] = stripslashes($_REQUEST['text1']); $from = 'orders@mycompany.com'; if($_REQUEST['count'] != '50' && $_REQUEST['count'] != '100') { header( 'Location: order.php' ); die(); } $card_number = trim($_REQUEST['card_number']); $card_security = $_REQUEST['card_security']; $card_exp_m = sprintf("%02d",((int)$_REQUEST['car_exm_m'])%100); $card_exp_y = sprintf("%02d",((int)$_REQUEST['car_exm_y'])%100); $count = $_REQUEST['count']; $shipping = 8.65; $price = $shipping; switch($count) { case 50: $price += 25; break; case 100: $price += 38; break; } //$price = 0.01; //$shipping = 0.01; $price = sprintf("%0.2f",$price); $fd_xsd = 'http://***'; $v1_xsd = 'http://***'; $a1_xsd = 'https://***'; //$email_rep = str_replace('@','[at]',$_REQUEST['text4']); $soap = <<<SOAP <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> <SOAP-ENV:Header /> <SOAP-ENV:Body> <fdggwsapi:FDGGWSApiOrderRequest xmlns:fdggwsapi="$fd_xsd" xmlns:v1="$v1_xsd"> <v1:Transaction> <v1:CreditCardTxType> <v1:Type>sale</v1:Type> </v1:CreditCardTxType> <v1:CreditCardData> <v1:CardNumber>$card_number</v1:CardNumber> <v1:ExpMonth>$card_exp_m</v1:ExpMonth> <v1:ExpYear>$card_exp_y</v1:ExpYear> </v1:CreditCardData> <v1:Payment> <v1:ChargeTotal>$price</v1:ChargeTotal> <v1:Shipping>$shipping</v1:Shipping> </v1:Payment> <v1:Billing> <v1:Name>{$_REQUEST['text1']} - {$_REQUEST['text2']} - {$_REQUEST['text3']}</v1:Name> <v1:Email>{$_REQUEST['text4']}</v1:Email> <v1:Phone>{$_REQUEST['text5']}</v1:Phone> <v1:Address2>{$_REQUEST['text5']}</v1:Address2> <v1:Address1>{$_REQUEST['text6']}</v1:Address1> </v1:Billing> <v1:Shipping> <v1:Name>{$_REQUEST['info_name']}</v1:Name> <v1:Address1>{$_REQUEST['info_street']} {$_REQUEST['info_APT']}</v1:Address1> <v1:City>{$_REQUEST['info_city']}</v1:City> <v1:State>{$_REQUEST['info_state']}</v1:State> <v1:Zip>{$_REQUEST['info_zip']}</v1:Zip> </v1:Shipping> </v1:Transaction> </fdggwsapi:XXXApiOrderRequest> </SOAP-ENV:Body> </SOAP-ENV:Envelope> SOAP; // echo htmlentities($soap); $link = "https://ws.firstdataglobalgateway.com/****"; $store_id = "***"; $user_id = "***"; $pass = "***"; $key_pass = "***"; $uss_pass = ('WS'.$store_id.'***:'.$pass); $path = "/home/hoster/ssl_firstdata/"; $pem_path = $path . "***.pem"; $key_path = $path. "***_.1.key"; $ch = curl_init($link); curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: text/xml") ); curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);curl_setopt($ch, CURLOPT_USERPWD, $uss_pass); curl_setopt($ch, CURLOPT_POST, 1);curl_setopt($ch, CURLOPT_POSTFIELDS, $soap); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($ch, CURLOPT_SSLCERT, $pem_path);//pem file curl_setopt($ch, CURLOPT_SSLKEY, $key_path); // crt file curl_setopt($ch, CURLOPT_SSLKEYPASSWD, $key_pass); $res = curl_exec($ch); //$xml = simplexml_load_string('<?xml version="1.0" encoding="UTF-8"? >'.$res); $xml = simplexml_load_string('<?xml version="1.0" encoding="UTF-8"?>'.$res); $ch = $xml->children('SOAP-ENV',true);$ch = $ch[1];$ch = $ch->children('fdggwsapi',true);$response = $ch[0]; $orderId = trim((string)$response->OrderId); mysql_connect($db_host , $db_user, $db_pass); if(!mysql_select_db($db_name)) { echo "Create the database please"; exit; } $result = array( 'Order Number' => $orderId, 'errorMessage' => (string)$response->ErrorMessage, 'response' => $res, "\n\nv_name" => $_REQUEST['text1'], 'v_degree' => $_REQUEST['text2'], 'v_graduation' => $_REQUEST['text3'], 'v_email' => $_REQUEST['text4'], 'v_phone' => $_REQUEST['text5'], 'v_address' => $_REQUEST['text6'], "\n\nOrder Details" => "\n", 'v_quantity' => $_REQUEST['count'], 'cost' => ($_REQUEST['count'] == '50' ? '$25.00' : '$38.00'), 'shipping and handling' => '$8.65', 'total price' => ($_REQUEST['count'] == '50' ? '$33.65' : '$46.65'), "\n\nShipping Information" => "\n", 'name' => $_REQUEST['info_name'], 'street' => $_REQUEST['info_street'], 'apt' => $_REQUEST['info_APT'], 'city' => $_REQUEST['info_city'], 'state' => $_REQUEST['info_state'], 'zip' => $_REQUEST['info_zip'] ); if(strlen($orderId) != 0 && strpos((string)$response->ErrorMessage,'database error') === false)//success { $result['success'] = 1; $link = 'order.php?step=3'; $subject = "order submitted"; } else { $result['success'] = 0; $link = 'order.php?step=-3'; $subject = "Error occured while creating order"; } $_SESSION['data'] = $result; $into = array(); $values = array(); foreach($result as $key => $val) { $into[] = "`$key`"; if($key == 'v_quantity') $values[] = addslashes ($val); else $values[] = "'".addslashes($val)."'"; } $query = "INSERT INTO `***`.`orders` (".implode(', ',$into).") VALUES (".implode(', ',$values).");"; require_once "send_mail.php"; $sendTo = array($admin_email,$result['v_email']); send_mails($sendTo,$from,$subject,$result); mysql_query($query); header('Location: '.$link); exit; function render() { global $res,$xml; // var_dump($_REQUEST); // echo $res; // echo htmlentities($res); /* */ var_dump($xml); } ?> Hi everyone I am trying to secure some of my code using a sanitize function function sanitize($data) { $cdata = strip_tags(addslashes($data)); $cdata = mysql_real_escape_string($cdata); return $cdata; } If I post a form value such as Code: [Select] 'Apple iPod' to a SQL INSERT QUERY using `title` = sanitize($_POST['title']); then my database value looks like Code: [Select] \\\'the ipod\\\' this is odd because there is 3 slashes if I then print that value on a PHP page using print stripslashes($row['title']); it outputs Code: [Select] \'the ipod\' Why can I not get rid of the slashes and why would it be outputting 3 slashes? I have tried all the magic quote ideas and suggestions, but still cannot sort this out. Thanks John Hi all, I've been having some trouble with the whole slashes and apostrophy situation. When the user enters into the database locally they can enter in apostophies no problem and it outputs on the site no problem. When the user edits the data it then alters it and removes apostrophies from the headline field, not the text editor field (tinyMCE). However, when I test it on the web (it's secured so I am unable to provide a link), there are more problems, those being that when it enters into the database it adds slashes where there are apostrophies but doesn't do this locally... Could this by a PHP version issue? Version 5.3.5 on the web and 5.3.1 locally. In addition when the you come to edit the data all of the apostropies and following letter have been removed and slashes put in their place. But as I say this doesn't happen locally.. Here is the insert statement: <?php require_once('auth.php'); ?> <?php $host="localhost"; // Host name $username=""; // Mysql username $password=""; // Mysql password $db_name=""; // Database name // Connect to server and select database. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); $newsHeadline = $_POST['newsHeadline']; $newsContent = $_POST['newsContent']; $query = "INSERT INTO news (newsDate, newsHeadline, newsContent) VALUES ('".date("l"." "."j"." "."F"." "."Y")."','".mysql_real_escape_string($newsHeadline)."','".mysql_real_escape_string($newsContent)."')"; if(mysql_query($query)) { echo "News successfully inserted.<br/><a href='addNews.php'>Back to main page</a><br/>"; }else echo "Encountered an error.".mysql_error()."<a href='javascript:history.go(-1)'>Click here to go back</a><br/>"; // close connection mysql_close(); ?> Here is the php to output the text // while there are rows to be fetched... while ($list = mysql_fetch_assoc($resultSelectNewsData)) { // echo data echo "<div class='newsArticle'><p class='newsHeadline'>"; echo stripslashes ($list['newsHeadline']); echo "<br /><span class='nDate'>Posted on: ".$list['newsDate']."</span></p><div class='newsContent'><p>"; echo stripslashes ($list['newsContent']); echo "</p></div><!--news content end--><br /></div><!--news article end-->"; } // end while Here is the PHP to view the data ready to edit: <?php require_once('auth.php'); ?> <?php $pagetitle = "Langbaurgh Sunday League";?> <?php include("includesAdmin/header.php");?> <?php include("includesAdmin/nav.php");?> <div id="mainContentAdmin"> <h1>Admin Panel</h1> <?php // Make a MySQL Connection $newsID=$_GET['newsID']; //Query to join tables and obtain team names linked to IDs $sql2= mysql_query ("SELECT * FROM news WHERE newsID = '$newsID'")or die(mysql_error()); echo "<form name='editDetails' method='post' action='php_update_news_item.php'>"; $row = mysql_fetch_array($sql2); // Print out the contents of each row echo "<input type='hidden' name='newsID' id='newsID' size='15' value='".$row['newsID']."'/>"; echo"News Headine: <br /><input type='text' name='newsHeadline' id='newsHeadline' size='40' value='".$row['newsHeadline']."'/><br />"; echo"News Story: <br /><textarea name='newsContent' id='newsContent' cols='50' rows='15'>".$row['newsContent']."</textarea>"; echo "<input type='submit' name='submit' value='Update News Story'/>"; mysql_close(); ?> </div><!--contentAreaEnd--> <?php include("includesAdmin/footer.php");?> Here is the file to update the data <?php require_once('auth.php'); ?> <?php $host="localhost"; // Host name $username=""; // Mysql username $password=""; // Mysql password $db_name=""; // Database name // Connect to server and select database. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); $newsID = $_POST['newsID']; $newsHeadline = $_POST['newsHeadline']; $newsContent = $_POST['newsContent']; $query = "UPDATE news SET newsHeadline='".mysql_real_escape_string($newsHeadline)."', newsContent='".mysql_real_escape_string($newsContent)."' WHERE newsID='".mysql_real_escape_string($newsID)."'"; if(mysql_query($query)) { echo "News successfully updated.<br/><a href='view_news_id.php'>Back to news viewing</a><br/>"; }else echo "Encountered an error.".mysql_error()."<a href='javascript:history.go(-1)'>Click here to go back</a><br/>"; // close connection mysql_close(); ?> All help would be massively appreciated as I am really stuck with this. I've tried all sorts including stripslashes, trim, a combination of both, yet I hit snags with each one of them.. Many thanks in advance, Aidan I have various elements of a form template stored in the database. When i retrieve them with _fetch_object and then insert them into a different table the slashes get removed. I need the slashes intact because these are eventually read with eval(). Is there a specific field type I can use? How do i keep the slashes there? I need it to stay just like it is. I'm using PHP/Mysql I put this in: <table><tr><td width=\"658\" id=\"center\"><input type=\"text\" name=\"line_item[]\" value=\"$field1\" size=\"6\" maxlength=\"13\" class=\"Standard\" id=\"PageLine\" /><input type=\"hidden\" name=\"line_item[]\" value=\"$field2\" /><input type=\"hidden\" name=\"line_item[]\" value=\"$field3\" /><input type=\"hidden\" name=\"line_item[]\" value=\"$field4\" /><input type=\"hidden\" name=\"line_item[]\" value=\"$field5\" /></td></tr></table> Then when it gets retrieved and re-inserted I get this: <table><tr><td width="658" id="center"><input type="text" name="line_item[]" value="$field1" size="6" maxlength="13" class="Standard" id="PageLine" /><input type="hidden" name="line_item[]" value="$field2" /><input type="hidden" name="line_item[]" value="$field3" /><input type="hidden" name="line_item[]" value="$field4" /><input type="hidden" name="line_item[]" value="$field5" /></td></tr></table> Simple question about slashes. If a user uses slashes in their text will all of them be removed using 'stripslashes' function or only the ones that have the ' to the right of the slashes. ? sorry posted before its time..... peoples names like... o'grady o'murphy shows on the screen as o\'grady and o\'murphy |