Im having trouble posting ' (commers) within my php forms that send data to a database.
Can anyone help with this?
prefix the apostrophe (') with a backslash, like so: \'
Schofieldandwhite.com: RFH reseller
This is known as SQL injection, and it is VERY bad.
For example on a login screen, if you do not protect against SQL injection...
Username: anything
Password: anything' OR 1=1--
PHP Code:
$sql = "SELECT * FROM tblLogin WHERE username = '" . $_POST["username"] . "' AND password = '" . $_POST["password"] . "'";
The SQL query is turned into:
Code:
SELECT * FROM tblLogin WHERE username = 'anything' AND password = 'anything' OR 1=1--'
The -- is standard SQL for "ignore rest of query", therefore the last ' is ignored, and as you can see the resulting query will always bring back a result and therefore you have a hole in your login system.
A similar sort of thing applies to UPDATE queries, like you are having problems with.
More info:
http://en.wikibooks.org/wiki/Program...:SQL_Injection
Warren Ashcroft
Red Fox UK Limited - Pioneers in Internet Technology
http://www.redfoxuk.com
w.ashcroft [at] redfoxuk.com
NOTE: Forum Private Messaging should not be used to contact staff with support queries.
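The bypass described in the post above, as an added example that is not code from the original thread: the concatenated login query is run against a constructed in-memory SQLite table through PDO (standing in for the MySQL connection the thread uses), next to the same lookup done with a prepared statement. The table name and payload are the ones from the post; the user row, the helper names and the use of SQLite are assumptions for the demo.

```php
<?php
// Added example, not code from the original thread: the login bypass
// described above, run against a constructed in-memory SQLite table through
// PDO, next to the same lookup done with a prepared statement.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tblLogin (username TEXT NOT NULL, password TEXT NOT NULL)");
// Constructed sample user. Plaintext password only to keep the demo short;
// a real table would hold a password hash.
$db->exec("INSERT INTO tblLogin (username, password) VALUES ('alice', 's3cret')");

// Vulnerable form: the request values are concatenated into the SQL text,
// exactly like the $sql line quoted in the post above.
function loginVulnerable(PDO $db, string $username, string $password): int
{
    $sql = "SELECT * FROM tblLogin WHERE username = '" . $username
         . "' AND password = '" . $password . "'";
    echo "  SQL sent: $sql\n";
    return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// Hardened form: placeholders. The values travel separately from the query
// text, so a quote or comment marker inside them is just data.
function loginPrepared(PDO $db, string $username, string $password): int
{
    $stmt = $db->prepare(
        "SELECT * FROM tblLogin WHERE username = ? AND password = ?");
    $stmt->execute([$username, $password]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

$attack = "anything' OR 1=1--";   // the payload from the post above
echo "vulnerable, attack payload: ", loginVulnerable($db, 'anything', $attack), " row(s)\n";
echo "prepared, attack payload:   ", loginPrepared($db, 'anything', $attack), " row(s)\n";
echo "prepared, real credentials: ", loginPrepared($db, 'alice', 's3cret'), " row(s)\n";
```

Run with `php` and the pdo_sqlite extension: the vulnerable lookup returns the one row in the table for the attack payload because `OR 1=1` is true and `--` comments out the trailing quote, while the prepared lookup returns nothing for the payload and one row only for the real credentials. One caveat when trying this against MySQL rather than SQLite: MySQL only treats `--` as a comment when it is followed by whitespace, so the payload is usually typed as `-- ` (with a trailing space) or with `#` instead.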
You need to make sure any user input data is appropriately escaped, so that it cannot break your SQL.
Assuming you are using MySQL, the easiest way in php is just to call mysql_real_escape_string() on any user input you are passing to the db.
Check the PHP manual for more information on it.
This is my PHP code that will insert the contents of my form into the database.
Code:
//-----INSERT THE TOPIC INTO DATABASE-----
$Query1 = "INSERT INTO forum_topics (FORUM_ID, T_SUBJECT, T_MESSAGE, T_AUTHOR, T_LAST_POST, T_DATE, T_IP, T_LAST_POST_AUTHOR)
           VALUES ('$ForumID','$subject','$postedValue','{$_COOKIE['MEMBER_ID']}','$timestamp','$timestamp','$ip','{$_COOKIE['MEMBER_ID']}')";
$result = mysql_query ($Query1);
$NewTopicID = mysql_insert_id();
So what do I do to this so that it will escape anyone typing a comma in?
actually ive done it!
cheers guys!
Nice one! I might as well post this anyway... I have just taken the quote_smart function from the PHP manual, so assuming $ForumID, MEMBER_ID and timestamp are integers:
PHP Code:
// quote_smart from the PHP manual. mysql_real_escape_string needs an open
// mysql connection, because it escapes according to the connection's charset.
function quote_smart($value)
{
    // Undo magic_quotes_gpc, so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote and escape anything that is not a number
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

//-----INSERT THE TOPIC INTO DATABASE-----
$Query1 = sprintf("
    INSERT
    INTO forum_topics
        (FORUM_ID, T_SUBJECT, T_MESSAGE, T_AUTHOR,
         T_LAST_POST, T_DATE, T_IP, T_LAST_POST_AUTHOR)
    VALUES
        (%d,%s,%s,%d,%d,%d,%s,%d);",
    $ForumID,                   // FORUM_ID (integer, %d)
    quote_smart($subject),      // T_SUBJECT
    quote_smart($postedValue),  // T_MESSAGE
    $_COOKIE['MEMBER_ID'],      // T_AUTHOR (%d forces an integer)
    $timestamp,                 // T_LAST_POST
    $timestamp,                 // T_DATE
    quote_smart($ip),           // T_IP
    $_COOKIE['MEMBER_ID']       // T_LAST_POST_AUTHOR
);
$result = mysql_query($Query1);
$NewTopicID = mysql_insert_id();
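The same INSERT done with a prepared statement, as an added example that is not code from the original thread. The mysql_* functions used above were removed in PHP 7.0, so this uses PDO; an in-memory SQLite table built to match the thread's column names stands in for the MySQL table, and the form values, member id and IP are constructed here. The point it shows is that a subject or message full of apostrophes, quotes and comment markers is stored exactly as typed, because no escaping or quoting of the values is done by hand at all.

```php
<?php
// Added example, not code from the original thread: the forum_topics INSERT
// from the post above written with a PDO prepared statement. Table layout is
// constructed to match the column names used in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE forum_topics (
    T_ID INTEGER PRIMARY KEY AUTOINCREMENT,
    FORUM_ID INTEGER, T_SUBJECT TEXT, T_MESSAGE TEXT, T_AUTHOR INTEGER,
    T_LAST_POST INTEGER, T_DATE INTEGER, T_IP TEXT, T_LAST_POST_AUTHOR INTEGER)");

// Named placeholders; integer columns take PHP ints, text columns take the
// raw strings. Nothing is quoted or escaped by hand.
function insertTopic(PDO $db, int $forumId, string $subject, string $message,
                     int $memberId, int $timestamp, string $ip): int
{
    $stmt = $db->prepare(
        "INSERT INTO forum_topics
             (FORUM_ID, T_SUBJECT, T_MESSAGE, T_AUTHOR,
              T_LAST_POST, T_DATE, T_IP, T_LAST_POST_AUTHOR)
         VALUES (:forum, :subject, :message, :author,
                 :last_post, :date, :ip, :last_author)");
    $stmt->execute([
        ':forum'       => $forumId,
        ':subject'     => $subject,
        ':message'     => $message,
        ':author'      => $memberId,
        ':last_post'   => $timestamp,
        ':date'        => $timestamp,
        ':ip'          => $ip,
        ':last_author' => $memberId,
    ]);
    return (int) $db->lastInsertId();
}

// Reads the row back through a placeholder as well, so the id is never
// interpolated into SQL text either.
function fetchTopic(PDO $db, int $topicId): array
{
    $stmt = $db->prepare("SELECT T_SUBJECT, T_MESSAGE FROM forum_topics WHERE T_ID = ?");
    $stmt->execute([$topicId]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed form input containing the characters that broke the original query.
$subject = "Can't post apostrophes";
$message = "It's a ' problem; \"quotes\" and '); DROP TABLE forum_topics;-- are just text here";

// Integer fields are cast at the boundary. In the real script that would be
// (int) $_COOKIE['MEMBER_ID']; the cast is the only validation this demo does,
// and it says nothing about whether the cookie value can be trusted.
$memberId = (int) "42";
$newTopicId = insertTopic($db, 3, $subject, $message, $memberId, time(), '203.0.113.7');

$row = fetchTopic($db, $newTopicId);
echo "stored intact: ", var_export($row['T_SUBJECT'] === $subject && $row['T_MESSAGE'] === $message, true), "\n";
```

With MySQL the only change is the DSN (`mysql:host=...;dbname=...;charset=utf8mb4`); the placeholders and `execute()` call stay the same. Passing the charset in the DSN matters for the same reason mysql_real_escape_string needs a live connection: the driver must know the connection's character set to handle the bytes correctly.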