PHP - Php Adding Slashes Without Instruction
I have this page that keeps adding slashes (exponentially) to the $sql var that gets passed on through the hidden text area. I cannot figure out why it does this.
Any ideas are appreciated. Thank you.

<?php
include_once $_SERVER['DOCUMENT_ROOT'] . '/include/login.php';
include_once $_SERVER['DOCUMENT_ROOT'] . '/include/mysql.php';

if(!Login::loggedIn()) {
    include $_SERVER['DOCUMENT_ROOT'] . '/include/uploads/pages/login.php';
} else {
    function displayForm() {
        $sql = 'SELECT * FROM `content` WHERE `contentCallid` = \'' . $_GET['page'] . '\'';
        $con = $GLOBALS['mysql']->connect();
        $query = mysql_query($sql, $con);
        $content = mysql_fetch_array($query);
        $content['breadcrumb'] = explode(',', $content['breadcrumb']);
        $content['breadcrumbLink'] = explode(',', $content['breadcrumbLink']);
        $breadcrumb = '';
        for($i = 0; $i < count($content['breadcrumb']); $i++) {
            if($i > 0) $breadcrumb .= ',';
            $breadcrumb .= $content['breadcrumbLink'][$i] . '::' . $content['breadcrumb'][$i];
        }
        if(empty($_POST['sql'])) {
            $sql = 'INSERT INTO `contentVersions` (`contentCallid` , `contentTitle` , `content` , `views` , `permissionNeeded` , `status` , `version` , `created` , `createdBy` , `lastEdit` , `lastEditBy` , `breadcrumb` , `breadcrumbLink` , `noBreadcrumb` ) VALUES ( \''
                 . ($content['contentCallid']) . '\', \''
                 . ($content['contentTitle']) . '\', \''
                 . ($content['content']) . '\', \''
                 . ($content['views']) . '\', \''
                 . ($content['permissionNeeded']) . '\', \''
                 . ($content['status']) . '\', \''
                 . ($content['version']) . '\', \''
                 . ($content['created']) . '\', \''
                 . ($content['createdBy']) . '\', \''
                 . ($content['lastEdit']) . '\', \''
                 . ($content['lastEditBy']) . '\', \''
                 . ($content['breadcrumb']) . '\', \''
                 . ($content['breadcrumbLink']) . '\', \''
                 . ($content['noBreadcrumb']) . '\');';
            $sql = stripslashes($sql);
        } else {
            $sql = $_POST['sql'];
        }
?>
<form id="loginForm" name="loginForm" method="post" action="index.php?p=editPage&page=<?= $_GET['page']; ?>&ref=editPage">
  <fieldset>
    <legend>Page Settings </legend>
    <p> <label>Page Title: </label> <input name="title" style="width:450px;" id="title" value="<?= $content['contentTitle']; ?>" type="text" /> </p>
    <p> <label>Content ID: </label> <input name="callid" readonly="readonly" style="width:381px;" id="callid" value="<?= $content['contentCallid']; ?>" type="text" /> <input name="suggestC" type="button" value="Suggest" onclick="suggestCallID('<?= $content['contentCallid']; ?>');" /> </p>
    <p> <label>Breadcrumb: </label> <input name="breadcrumb" style="width:381px;" id="breadcrumb" value="<?= $breadcrumb; ?>" type="text" /> <input name="suggestBC" type="button" value="Suggest" onclick="suggestBreadcrumb();" /></p>
  </fieldset>
  <textarea name="editPageWYS" id="editPageWYS"><?= $content['content']; ?></textarea>
  <textarea style="visibility:hidden;" name="sql"><?= $sql; ?></textarea>
  <textarea style="visibility:hidden;" name="version"><?= $content['version']; ?></textarea>
  <textarea style="visibility:hidden;" name="contentid"><?= $content['contentid']; ?></textarea>
  <fieldset>
    <legend>Actions</legend>
    <p> <input name="save" type="submit" value="Save" /> </p>
  </fieldset>
</form>
<?php
    }

    if(!empty($_POST['save'])) {
        if(empty($_POST['title']) || empty($_POST['callid'])) {
            echo '<blockquote class="failure">Save not successful. You need to have both a title and content id. Please type in a title then click the "Suggest" button.</blockquote>';
            displayForm();
        } else {
            $time = time();
            $bc = explode(',', $_POST['breadcrumb']);
            $bcText = array();
            $bcLink = array();
            for($i = 0; $i < count($bc); $i++) {
                $bc[$i] = explode('::', $bc[$i]);
                $bcLink[$i] = $bc[$i][0];
                $bcText[$i] = $bc[$i][1];
            }
            $bcLink = implode(',', $bcLink);
            $bcText = implode(',', $bcText);
            $con = $GLOBALS['mysql']->connect();
            $query = mysql_query($_POST['sql'], $con);
            echo $_POST['sql'];
            if(!$query) {
                echo '<blockquote class="failure">Warning: A MySQL error has occured while adding the backup to the database.<p>' . mysql_error() . '</p></blockquote>';
                displayForm();
            }
            $sql = 'UPDATE `content` SET `content` = \'' . $_POST['editPageWYS']
                 . '\', `breadcrumb` = \'' . $bcText
                 . '\', `breadcrumbLink` = \'' . $bcLink
                 . '\', `contentCallid` = \'' . $_POST['callid']
                 . '\', `contentTitle` = \'' . $_POST['title']
                 . '\', `version` = \'' . ($_POST['version'] + 1)
                 . '\', `lastEdit` = \'' . $time
                 . '\', `lastEditBy` = \'' . $_SESSION['username']
                 . '\' WHERE `contentid` = ' . $_POST['contentid'] . ' LIMIT 1 ;';
            $query = mysql_query($sql, $con);
            if(!$query) {
                echo '<blockquote class="failure">MySQL Error<p>' . mysql_error() . '</p></blockquote>';
                displayForm();
            } else {
                echo '<blockquote>Page Successfully Edited<br /><br /><a href="index.php?p=' . $_POST['callid'] . '&ref=newPage">Click Here to View It</a></blockquote>';
            }
        }
    } else {
        displayForm();
    }
}
?>

Similar Tutorials

Hi guys When I insert a data into MySQL and thru addslashes() it is adding not one but 3 slashes in mysql.
By the way here are the codes, Code: [Select] <?php //$conn = new mysqli('localhost', 'root', '', 'my_db'); $conn = new mysqli('localhost', 'coder9_work', '******', 'coder9_portfolio'); $query = "INSERT into portfolio(category, title, description, version, started, finished) VALUES (?, ?, ?, ?, ?, ?)"; $select = $_POST['select']; $title = addslashes($_POST['title']); $description = $_POST['description']; $version = $_POST['version']; $started = $_POST['started']; $finished = $_POST['finished']; $stmt = $conn->stmt_init(); if($stmt->prepare($query)) { $stmt->bind_param('ssssss', $select, $title, $description, $version, $started, $finished); $stmt->execute(); } if($stmt) { echo "Thank you!"; } else { echo "There was a problem. Please try again later."; } ?> How do I fix this problem so that It will add only one slashes? Thanks in advanced. I have a PHP if() instruction. Within this if() instruction is a curl string which talks to a payment gateway. This gateway went down today, and caused my payment processing pages to hang. I am wondering if there is a way to make PHP abort a processing a instruction after a certain amount of time it runs? Hello Everyone, I've been working with XAMPP 1.7.3 and have a general question. I've always read (and been told) to use addslashes() for any MySQL input to protect the database. My PHP.ini file has magic quotes off and the system automatically produces a caret symbol "^" in front of every control character I upload to the database. I can't find anything in the PHP.ini file relating to the caret symbols and control characters, nor can I find anything in the My.ini file. In testing, it the system behaves just as it would if I had magic quotes on, except that the system uses the carets instead of slashes. I have no problem removing the carets (and any slashes that a user might upload) but would like to know what is going on. I've done google searches on this and have only found content regarding regular expressions. 
Could someone clue me in? Thank in advance. Cheers, Rick Hi there i have this code: Code: [Select] $str = "<i><font color="800080"> man </font></i><p><font color="9898989"> hi </font></p><p><font color="1111111"> cheers </font></p>"; $pattern = '/<font .*?>(.*?)<\/font>/'; if(preg_match_all($pattern, addslashes($str), $posts)){ $i=0; for($i; $i < count($posts[0]); $i++){ echo "content: " . $posts[0][$i] . "<br/>"; echo "colour: " . $posts[1][$i] . "<br/>"; echo "<br />"; } } and it doesn't work apparently because of the addslashes but its really needed as double quotes needs to be escaped, consider that i'm applying this code to a larger html file with hundreds of double quotes to be escaped.... error msg i get is Parse error: syntax error, unexpected T_LNUMBER in thanks in advance.. Hi All I Am confused I would like to put info into a database but need it to be secure. I have some code shown below. The problem is I would like to put in ' but keep the data secure. When it comes back I do not want to show \' I think you might know what I am trying to do. Here is the code but would like to know how to stop the \' showing. Code: [Select] $password = mysql_real_escape_string(stripslashes(trim($_POST['password']))); Any help would be great thank you. Hi: Is this the proper way to remove slashes from apostrophes: Code: [Select] if ($_SERVER['REQUEST_METHOD'] == 'POST') { $myTitle = mysql_real_escape_string(stripslashes($_POST['myTitle'])); $myDesc = mysql_real_escape_string(stripslashes($_POST['myDesc'])); $myHeader = mysql_real_escape_string(stripslashes($_POST['myHeader'])); $mySubHeader = mysql_real_escape_string(stripslashes($_POST['mySubHeader'])); $myPageData = mysql_real_escape_string(stripslashes($_POST['myPageData'])); It seems to work fine, I'd just like to clarify I'm not missing anything. Thanks! This is driving me nuts and I'm hoping someone can help me figure it out. I have a site with PHP/MySQL. I have a form where people can submit a comment. 
This comment then goes into a MySQL database and gets displayed back on another page of the website. NOTE: I put this question in the PHP Forum because I think the problem is happening somewhere BEFORE the info gets entered into MySQL. But of course, I could be wrong. The problem is that some of the comments are coming in with a "\" in front of apostrophes, but NOT ALL OF THEM (which is really confusing me). For example, someone entered this comment which shows in the MySQL database exactly like this...

I predict Lena's gonna win a lifetime Grammy. It's long overdue.

Someone else entered a comment which shows in the MySQL database exactly like this...

can\\\'t wait to see first pics of the next addition. Congrats!

They both have apostrophes in them, but only that second one added those slashes (and 3 of them for some reason). There are more instances of this where some comments have the slashes before the apostrophe and some don't. Anyone know what might be causing this seemingly random insertion of slashes?

Ok so I'm coding up a file tree for a script and I've got the system setup so that when a user clicks on a folder it adds that folder to the path. The path is stored in a variable, but I'd like to allow the user to be able to go down multiple directories at once. To do this I'm going to separate each folder name in the path and link to it so as an example:

$path = './home/public_html/folder1/folder2';

how can I separate each of those so I can make a link to that folder so that:

/home goes to $path = './home/';
/public_html goes to $path = './home/public_html';
etc...

--- Basically just separate the slashes into an array and separate each of them off based on how far along it is but I don't know how to do that...

Ok. So I just started using prepared statements.
One issue I ran into is that after inserting say "abc's" into the table with a prepared statement when I read that row and display it, it shows as abc\'s I have to use stripslashes on the variable before displaying it. I thought that with magic quotes. off this would not be a problem. Am I going to have to strip slashes on all fields now? Is there another way around it? here is my phpinfo for reference magic_quotes_gpc Off Off magic_quotes_runtime Off Off magic_quotes_sybase Off Off And compile options Configure Command './configure' '--host=i686-redhat-linux-gnu' '--build=i686-redhat-linux-gnu' '--target=i386-redhat-linux' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--cache-file=../config.cache' '--with-libdir=lib' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--disable-debug' '--with-pic' '--disable-rpath' '--without-pear' '--with-bz2' '--with-curl' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr' '--with-png-dir=/usr' '--enable-gd-native-ttf' '--without-gdbm' '--with-gettext' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-png' '--with-pspell' '--with-expat-dir=/usr' '--with-pcre-regex=/usr' '--with-zlib' '--with-layout=GNU' '--enable-exif' '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-track-vars' '--enable-trans-sid' '--enable-yp' '--enable-wddx' '--with-kerberos' '--enable-ucd-snmp-hack' '--with-unixODBC=shared,/usr' '--enable-memory-limit' '--enable-shmop' '--enable-calendar' '--enable-dbx' '--enable-dio' '--without-mime-magic' '--without-sqlite' '--with-libxml-dir=/usr' '--with-xml' '--with-mhash=shared' '--with-mcrypt=shared' 
'--with-apxs2=/usr/sbin/apxs' '--without-mysql' '--without-gd' '--without-odbc' '--disable-dom' '--disable-dba' '--without-unixODBC' '--disable-pdo' '--disable-xmlreader' '--disable-xmlwriter' '--disable-json' Thanks JT Hi all, I've been having some trouble with the whole slashes and apostrophy situation. When the user enters into the database locally they can enter in apostophies no problem and it outputs on the site no problem. When the user edits the data it then alters it and removes apostrophies from the headline field, not the text editor field (tinyMCE). However, when I test it on the web (it's secured so I am unable to provide a link), there are more problems, those being that when it enters into the database it adds slashes where there are apostrophies but doesn't do this locally... Could this by a PHP version issue? Version 5.3.5 on the web and 5.3.1 locally. In addition when the you come to edit the data all of the apostropies and following letter have been removed and slashes put in their place. But as I say this doesn't happen locally.. Here is the insert statement: <?php require_once('auth.php'); ?> <?php $host="localhost"; // Host name $username=""; // Mysql username $password=""; // Mysql password $db_name=""; // Database name // Connect to server and select database. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); $newsHeadline = $_POST['newsHeadline']; $newsContent = $_POST['newsContent']; $query = "INSERT INTO news (newsDate, newsHeadline, newsContent) VALUES ('".date("l"." "."j"." "."F"." 
"."Y")."','".mysql_real_escape_string($newsHeadline)."','".mysql_real_escape_string($newsContent)."')"; if(mysql_query($query)) { echo "News successfully inserted.<br/><a href='addNews.php'>Back to main page</a><br/>"; }else echo "Encountered an error.".mysql_error()."<a href='javascript:history.go(-1)'>Click here to go back</a><br/>"; // close connection mysql_close(); ?> Here is the php to output the text // while there are rows to be fetched... while ($list = mysql_fetch_assoc($resultSelectNewsData)) { // echo data echo "<div class='newsArticle'><p class='newsHeadline'>"; echo stripslashes ($list['newsHeadline']); echo "<br /><span class='nDate'>Posted on: ".$list['newsDate']."</span></p><div class='newsContent'><p>"; echo stripslashes ($list['newsContent']); echo "</p></div><!--news content end--><br /></div><!--news article end-->"; } // end while Here is the PHP to view the data ready to edit: <?php require_once('auth.php'); ?> <?php $pagetitle = "Langbaurgh Sunday League";?> <?php include("includesAdmin/header.php");?> <?php include("includesAdmin/nav.php");?> <div id="mainContentAdmin"> <h1>Admin Panel</h1> <?php // Make a MySQL Connection $newsID=$_GET['newsID']; //Query to join tables and obtain team names linked to IDs $sql2= mysql_query ("SELECT * FROM news WHERE newsID = '$newsID'")or die(mysql_error()); echo "<form name='editDetails' method='post' action='php_update_news_item.php'>"; $row = mysql_fetch_array($sql2); // Print out the contents of each row echo "<input type='hidden' name='newsID' id='newsID' size='15' value='".$row['newsID']."'/>"; echo"News Headine: <br /><input type='text' name='newsHeadline' id='newsHeadline' size='40' value='".$row['newsHeadline']."'/><br />"; echo"News Story: <br /><textarea name='newsContent' id='newsContent' cols='50' rows='15'>".$row['newsContent']."</textarea>"; echo "<input type='submit' name='submit' value='Update News Story'/>"; mysql_close(); ?> </div><!--contentAreaEnd--> <?php 
include("includesAdmin/footer.php");?> Here is the file to update the data <?php require_once('auth.php'); ?> <?php $host="localhost"; // Host name $username=""; // Mysql username $password=""; // Mysql password $db_name=""; // Database name // Connect to server and select database. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); $newsID = $_POST['newsID']; $newsHeadline = $_POST['newsHeadline']; $newsContent = $_POST['newsContent']; $query = "UPDATE news SET newsHeadline='".mysql_real_escape_string($newsHeadline)."', newsContent='".mysql_real_escape_string($newsContent)."' WHERE newsID='".mysql_real_escape_string($newsID)."'"; if(mysql_query($query)) { echo "News successfully updated.<br/><a href='view_news_id.php'>Back to news viewing</a><br/>"; }else echo "Encountered an error.".mysql_error()."<a href='javascript:history.go(-1)'>Click here to go back</a><br/>"; // close connection mysql_close(); ?> All help would be massively appreciated as I am really stuck with this. I've tried all sorts including stripslashes, trim, a combination of both, yet I hit snags with each one of them.. Many thanks in advance, Aidan Hi all, I have an issue on a form that when it gets submitted a slash '/' appears before every quote symbol. I had help solving the issue on one of the fields (the name field), but then later it was discovered that the slashes appear in all the fields whenever a quote was used (agreed, poor testing). Can someone be so good to help me solve this? My php knowledge is not so great which is exactly why I'm asking here Please see my code below. If this problem can be solved in the same manner as the name field was solved, then there are 2 files which will need the edits. 
They are below: (some trivial information purposely removed for security reasons) preview.php <div id="card"> <img id="logo" src="logo.jpg" /> <div id="card1"><?php echo stripslashes($_REQUEST['text1']); ?> </div> <div id="card2"><?php echo $_REQUEST['text2']; ?> </div> <div id="card3"><?php echo $_REQUEST['text3']; ?> </div> <?php if($_REQUEST['text4'] != '' && $_REQUEST['text5'] != '') $text = $_REQUEST['text4'].' • '.$_REQUEST['text5']; else $text = $_REQUEST['text4'].$_REQUEST['text5']; ?> <div id="card4"><?php echo $text; ?> </div> <div id="card5"><?php echo $_REQUEST['text6']; ?> </div> </div> second_form.php <?php session_start(); $db_host = 'localhost'; $db_name = ''; $db_user = ''; $db_pass = ''; $admin_email = "admin@aserver.com"; if(isset($_REQUEST['text1'])) $_REQUEST['text1'] = stripslashes($_REQUEST['text1']); $from = 'orders@mycompany.com'; if($_REQUEST['count'] != '50' && $_REQUEST['count'] != '100') { header( 'Location: order.php' ); die(); } $card_number = trim($_REQUEST['card_number']); $card_security = $_REQUEST['card_security']; $card_exp_m = sprintf("%02d",((int)$_REQUEST['car_exm_m'])%100); $card_exp_y = sprintf("%02d",((int)$_REQUEST['car_exm_y'])%100); $count = $_REQUEST['count']; $shipping = 8.65; $price = $shipping; switch($count) { case 50: $price += 25; break; case 100: $price += 38; break; } //$price = 0.01; //$shipping = 0.01; $price = sprintf("%0.2f",$price); $fd_xsd = 'http://***'; $v1_xsd = 'http://***'; $a1_xsd = 'https://***'; //$email_rep = str_replace('@','[at]',$_REQUEST['text4']); $soap = <<<SOAP <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> <SOAP-ENV:Header /> <SOAP-ENV:Body> <fdggwsapi:FDGGWSApiOrderRequest xmlns:fdggwsapi="$fd_xsd" xmlns:v1="$v1_xsd"> <v1:Transaction> <v1:CreditCardTxType> <v1:Type>sale</v1:Type> </v1:CreditCardTxType> <v1:CreditCardData> <v1:CardNumber>$card_number</v1:CardNumber> <v1:ExpMonth>$card_exp_m</v1:ExpMonth> <v1:ExpYear>$card_exp_y</v1:ExpYear> 
</v1:CreditCardData> <v1:Payment> <v1:ChargeTotal>$price</v1:ChargeTotal> <v1:Shipping>$shipping</v1:Shipping> </v1:Payment> <v1:Billing> <v1:Name>{$_REQUEST['text1']} - {$_REQUEST['text2']} - {$_REQUEST['text3']}</v1:Name> <v1:Email>{$_REQUEST['text4']}</v1:Email> <v1:Phone>{$_REQUEST['text5']}</v1:Phone> <v1:Address2>{$_REQUEST['text5']}</v1:Address2> <v1:Address1>{$_REQUEST['text6']}</v1:Address1> </v1:Billing> <v1:Shipping> <v1:Name>{$_REQUEST['info_name']}</v1:Name> <v1:Address1>{$_REQUEST['info_street']} {$_REQUEST['info_APT']}</v1:Address1> <v1:City>{$_REQUEST['info_city']}</v1:City> <v1:State>{$_REQUEST['info_state']}</v1:State> <v1:Zip>{$_REQUEST['info_zip']}</v1:Zip> </v1:Shipping> </v1:Transaction> </fdggwsapi:XXXApiOrderRequest> </SOAP-ENV:Body> </SOAP-ENV:Envelope> SOAP; // echo htmlentities($soap); $link = "https://ws.firstdataglobalgateway.com/****"; $store_id = "***"; $user_id = "***"; $pass = "***"; $key_pass = "***"; $uss_pass = ('WS'.$store_id.'***:'.$pass); $path = "/home/hoster/ssl_firstdata/"; $pem_path = $path . "***.pem"; $key_path = $path. "***_.1.key"; $ch = curl_init($link); curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: text/xml") ); curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);curl_setopt($ch, CURLOPT_USERPWD, $uss_pass); curl_setopt($ch, CURLOPT_POST, 1);curl_setopt($ch, CURLOPT_POSTFIELDS, $soap); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($ch, CURLOPT_SSLCERT, $pem_path);//pem file curl_setopt($ch, CURLOPT_SSLKEY, $key_path); // crt file curl_setopt($ch, CURLOPT_SSLKEYPASSWD, $key_pass); $res = curl_exec($ch); //$xml = simplexml_load_string('<?xml version="1.0" encoding="UTF-8"? 
>'.$res); $xml = simplexml_load_string('<?xml version="1.0" encoding="UTF-8"?>'.$res); $ch = $xml->children('SOAP-ENV',true);$ch = $ch[1];$ch = $ch->children('fdggwsapi',true);$response = $ch[0]; $orderId = trim((string)$response->OrderId); mysql_connect($db_host , $db_user, $db_pass); if(!mysql_select_db($db_name)) { echo "Create the database please"; exit; } $result = array( 'Order Number' => $orderId, 'errorMessage' => (string)$response->ErrorMessage, 'response' => $res, "\n\nv_name" => $_REQUEST['text1'], 'v_degree' => $_REQUEST['text2'], 'v_graduation' => $_REQUEST['text3'], 'v_email' => $_REQUEST['text4'], 'v_phone' => $_REQUEST['text5'], 'v_address' => $_REQUEST['text6'], "\n\nOrder Details" => "\n", 'v_quantity' => $_REQUEST['count'], 'cost' => ($_REQUEST['count'] == '50' ? '$25.00' : '$38.00'), 'shipping and handling' => '$8.65', 'total price' => ($_REQUEST['count'] == '50' ? '$33.65' : '$46.65'), "\n\nShipping Information" => "\n", 'name' => $_REQUEST['info_name'], 'street' => $_REQUEST['info_street'], 'apt' => $_REQUEST['info_APT'], 'city' => $_REQUEST['info_city'], 'state' => $_REQUEST['info_state'], 'zip' => $_REQUEST['info_zip'] ); if(strlen($orderId) != 0 && strpos((string)$response->ErrorMessage,'database error') === false)//success { $result['success'] = 1; $link = 'order.php?step=3'; $subject = "order submitted"; } else { $result['success'] = 0; $link = 'order.php?step=-3'; $subject = "Error occured while creating order"; } $_SESSION['data'] = $result; $into = array(); $values = array(); foreach($result as $key => $val) { $into[] = "`$key`"; if($key == 'v_quantity') $values[] = addslashes ($val); else $values[] = "'".addslashes($val)."'"; } $query = "INSERT INTO `***`.`orders` (".implode(', ',$into).") VALUES (".implode(', ',$values).");"; require_once "send_mail.php"; $sendTo = array($admin_email,$result['v_email']); send_mails($sendTo,$from,$subject,$result); mysql_query($query); header('Location: '.$link); exit; function render() { global 
$res,$xml; // var_dump($_REQUEST); // echo $res; // echo htmlentities($res); /* */ var_dump($xml); } ?> Hi, I need to analyze a string and get the text between, before, and after the forward slashes.. The string will always look something like this, but will vary: $str = "I will go to the store with <# one/two/three #> people." Then I need to create a form with radio buttons for each choice. In this case (one, two, or three). The text between the <# ... #> could be different every time, and with uknown amount of forward slashes. Here is what I have so far but it doesn't work. Code to find if there are slashes: Code: [Select] preg_match_all( '/([/]+)/',$str,$matches); Code to create html form .. Code: [Select] $i = 0; $html = '<form>'; foreach ($matches[0] as $match){ if ($pos = strpos( $str,$match ) ) === false ) continue; } $html .= '<input type="radio" name="place-' . $i . '" value=". $match . '" /> '; } $html .= '</form>'; Its not working as needed. I'm not sure how to create radio button choices for the words (one, two, three). Thanks Hi everyone I am trying to secure some of my code using a sanitize function function sanitize($data) { $cdata = strip_tags(addslashes($data)); $cdata = mysql_real_escape_string($cdata); return $cdata; } If I post a form value such as Code: [Select] 'Apple iPod' to a SQL INSERT QUERY using `title` = sanitize($_POST['title']); then my database value looks like Code: [Select] \\\'the ipod\\\' this is odd because there is 3 slashes if I then print that value on a PHP page using print stripslashes($row['title']); it outputs Code: [Select] \'the ipod\' Why can I not get rid of the slashes and why would it be outputting 3 slashes? I have tried all the magic quote ideas and suggestions, but still cannot sort this out. Thanks John i have a php form where users can update db. but when the input has a <a href=""></a> input, it generates back slashes on the web. below is the results after the input. 
Code: [Select] <a href=\'\\\"images/gallery/storyslideshow/ppic-5 (1).jpg\'\\\" rel=\'\\\"lyteshow[featgallery]\'\\\" title=\'\\\"\'\\\">View Slideshow</a><br><br> i have a this on my updating code Code: [Select] mysql_real_escape_string($_POST["fulldesc"]); Simple question about slashes. If a user uses slashes in their text will all of them be removed using 'stripslashes' function or only the ones that have the ' to the right of the slashes. ? sorry posted before its time..... peoples names like... o'grady o'murphy shows on the screen as o\'grady and o\'murphy I have various elements of a form template stored in the database. When i retrieve them with _fetch_object and then insert them into a different table the slashes get removed. I need the slashes intact because these are eventually read with eval(). Is there a specific field type I can use? How do i keep the slashes there? I need it to stay just like it is. I'm using PHP/Mysql I put this in: <table><tr><td width=\"658\" id=\"center\"><input type=\"text\" name=\"line_item[]\" value=\"$field1\" size=\"6\" maxlength=\"13\" class=\"Standard\" id=\"PageLine\" /><input type=\"hidden\" name=\"line_item[]\" value=\"$field2\" /><input type=\"hidden\" name=\"line_item[]\" value=\"$field3\" /><input type=\"hidden\" name=\"line_item[]\" value=\"$field4\" /><input type=\"hidden\" name=\"line_item[]\" value=\"$field5\" /></td></tr></table> Then when it gets retrieved and re-inserted I get this: <table><tr><td width="658" id="center"><input type="text" name="line_item[]" value="$field1" size="6" maxlength="13" class="Standard" id="PageLine" /><input type="hidden" name="line_item[]" value="$field2" /><input type="hidden" name="line_item[]" value="$field3" /><input type="hidden" name="line_item[]" value="$field4" /><input type="hidden" name="line_item[]" value="$field5" /></td></tr></table> So I am trying to download an image created with my php script. 
I use the following for the download: Code: [Select] <?php session_start(); $filename = $_SESSION['imgOut']; header('Content-type: application/octet-stream'); header('Content-Disposition: attachment; filename='.$filename ); ?> The file downloads however instead of downloading "example.jpg" from the /temp folder , it downloads "temp_example.jpg" which of course is an empty file. I am sure I am approaching this the wrong way, any suggestions? So I built a form and if anyone puts // in the text area field named Code: [Select] name="background" it won't work... it fails. This prevents users from entering website URLs, which is an issue since the form is related to website design. I think I have everything else working just fine. Any ideas how I can change this so it will work and allow // ? There may be other things that cannot be entered or maybe a security risk I am missing... here is the code... Code: [Select] <?php // version 2.2 // All placeholders that are used such as {yourEmail@yourDomain.com}, {yourSolve360Token}, {ownership}, // {categoryId}, {templateId} should be replaced with real values without the {} brackets. 
// REQUIRED Edit with the email address you login to Solve360 with define('USER', 'me@me.com'); // REQUIRED Edit with token, Workspace > My Account > API Reference > API Token define('TOKEN', 'itentionallydeleted'); // Get request data $requestData = array(); parse_str($_SERVER['QUERY_STRING'], $requestData); // Configure service gateway object require 'Solve360Service.php'; $solve360Service = new Solve360Service(USER, TOKEN); // // Preparing the contact data // $contactFields = array( // field name in Solve360 => field name as specified in html form 'firstname' => 'firstname', 'lastname' => 'lastname', 'businessemail' => 'businessemail', 'cellularphone' => 'cellularphone', 'background' => 'background', ); // kill form if spammers use the siteURL field if ( $_GET['url'] != '' || $_GET['firstname'] == 'Your Name' || $_GET['businessemail'] == 'Email Address' ) {header("Location: http://www.openpotion.com/new/error");} else { $contactData = array( // OPTION Apply category tag(s) and set the owner for the contact to a group // You will find a list of IDs for your tags, groups and users in Workspace > My Account > API Reference // To enable this option, uncomment the following: // Specify a different ownership i.e. share the item 'ownership' => 18634876, // Add categories 'categories' => array( 'add' => array('category' => array(18660073)) ), ); // adding not empty fields foreach ($contactFields as $solve360FieldName => $requestFieldName) { if ($requestData[$requestFieldName]) { $contactData[$solve360FieldName] = $requestData[$requestFieldName]; } } // // Saving the contact // // Check if the contact already exists by searching for a matching email address. // If a match is found update the existing contact, otherwise create a new one. 
// $contacts = $solve360Service->searchContacts(array( 'filtermode' => 'byemail', 'filtervalue' => $contactData['businessemail'], )); if ((integer) $contacts->count > 0) { $contactId = (integer) current($contacts->children())->id; $contactName = (string) current($contacts->children())->name; $contact = $solve360Service->editContact($contactId, $contactData); } else { $contact = $solve360Service->addContact($contactData); $contactName = (string) $contact->item->name; $contactId = (integer) $contact->item->id; } if (isset($contact->errors)) { // Mail yourself if errors occur mail( USER, 'Error while adding contact to Solve360', 'Error: ' . $contact->errors->asXml() ); die ('System error'); } else { // Mail yourself the result mail( USER, 'A new sales lead has been posted to Solve360', 'Contact "' . $contactName . '" https://secure.solve360.com/contact/' . $contactId . ' was posted to Solve360', 'From: noreply@openpotion.com' . PHP_EOL . 'Reply-To: ' . $contactData['businessemail'] . PHP_EOL . 'X-Mailer: PHP/' . phpversion() ); } // // OPTION Adding a activity // /* * You can attach an activity to the contact you just posted * This example creates a Note, to enable this feature just uncomment the following request * */ /* // Preparing data for the note $noteData = array( 'details' => nl2br($requestData['note']) ); $note = $solve360Service->addActivity($contactId, 'note', $noteData); // Mail yourself the result mail( USER, 'Note was added to "' . $contactName . '" contact in Solve360', 'Note with id ' . $note->id . ' was added to the contact with id ' . 
$contactId );
// End of adding note activity
*/

//
// OPTION Inserting a template of activities
//
/*
 * You can also insert a template directly into the contact you just posted
 * You will find a list of IDs for your templates in Workspace > My Account > API Reference
 * To enable this feature just uncomment the following request
 *
 */
/*
// Start of template request
$templateId = {templateId};
$template = $solve360Service->addActivity($contactId, 'template', array('templateid' => $templateId));
// Mail yourself the result
mail(
    USER,
    'Template was added to "' . $contactName . '" contact in Solve360',
    'Template with id ' . $templateId . ' was added to the contact with id ' . $contactId
);
// End of template request
*/

header("Location: http://www.website.com/thank-you");
}
?>

Thanks a ton in advance! Jason

Alright, so I just started picking up PHP again and I have a pretty simple question. I have a html form that takes a string then writes it on another page. My problem is when I use quotations I'll get slashes in them on the page it writes the string on. Is there a way to clean that stuff up?

Hi, I've been working on this code which will add whatever text I want to my database. All is working great, but what I am having problems with is inserting a URL in the same field as vidID. It will look like this in the database: hxxp://xxx.mysitehere.com/index.php?vid=vidID. Hope you guys know what I'm talking about, I'm having a hard time explaining it, sorry.
Code: [Select]
<?php
$host="xxxxx";
$username="xxxxxxx";
$password="xxxxxxx";
$db_name="xxxxxxx";
$tbl_name="xxxxxxx";

$message = strtoupper(trim($_REQUEST['message']));
$sender = strtoupper(trim($_REQUEST['sender']));
$email = strtolower(trim($_REQUEST['email']));
$vidID =$_REQUEST['vidID'];

mysql_connect("$host", "$username", "$password")or die("cannot connect server ");
mysql_select_db("$db_name")or die("cannot select DB");

$sql="INSERT INTO $tbl_name(message,sender,email,vidID)VALUES('$message','$sender', '$email', '$vidID')";
$result=mysql_query($sql);
?>
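
The tripled backslashes several posts above report in stored data (`can\\\'t`, `\\\'the ipod\\\'`) are consistent with two escaping layers stacked on one value, and the growth described in the first post is one more layer per form round trip. The PHP below is an added example, not code from any poster on this page: it replays both effects and then the corrected flow (undo the request-level layer once, bind the value as a parameter, escape only when writing HTML). It assumes PDO with an in-memory SQLite database standing in for MySQL; `simulate_magic_quotes()`, `normalize_input()`, the `comments` table and the sample text are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for magic_quotes_gpc: old PHP ran the equivalent of
// addslashes() over every request value before the script saw it.
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Number of backslashes sitting directly in front of the first apostrophe.
function slashes_before_quote(string $s): int
{
    $pos = strpos($s, "'");
    if ($pos === false) {
        return 0;
    }
    $n = 0;
    while ($pos - $n > 0 && $s[$pos - $n - 1] === '\\') {
        $n++;
    }
    return $n;
}

// Insert through a bound parameter and read the stored bytes back.
// A bound parameter is stored exactly as given, so any slashes already
// in the value end up in the table.
function round_trip(PDO $db, string $value): string
{
    $ins = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $ins->execute([':body' => $value]);
    $sel = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $sel->execute([':id' => (int) $db->lastInsertId()]);
    return (string) $sel->fetchColumn();
}

// Undo the request-level layer once, at the input boundary, and only when
// that layer is known to be active on this server.
function normalize_input(string $value, bool $magicQuotesActive): string
{
    return $magicQuotesActive ? stripslashes($value) : $value;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

$typed = "can't wait to see first pics";   // constructed sample input

// 1. Stacked escaping: request-level layer, then addslashes() in the script,
//    then a bound parameter that stores the result untouched.
$request = simulate_magic_quotes($typed);
$stored  = round_trip($db, addslashes($request));
printf("stacked : %s (%d backslashes)\n", $stored, slashes_before_quote($stored));

// 2. Edit-form loop: the stored value is echoed into a form field and posted
//    back, so every save passes through the request-level layer again.
//    Each pass doubles the backslashes and adds one.
$value = $typed;
for ($pass = 1; $pass <= 4; $pass++) {
    $value = round_trip($db, simulate_magic_quotes($value));
    printf("pass %d  : %d backslashes\n", $pass, slashes_before_quote($value));
}

// 3. Corrected flow: normalize once, bind, and escape for HTML only on output.
$clean  = normalize_input(simulate_magic_quotes($typed), true);
$stored = round_trip($db, $clean);
printf("fixed   : %s\n", $stored);
printf("as HTML : %s\n", htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
```

With the value bound as a parameter, no `stripslashes()` call is needed when reading it back, and no SQL text has to travel through a form field.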