
escape characters in text variables

escape characters problem with text passed to sql

         

huds

12:05 am on Feb 2, 2006 (gmt 0)

10+ Year Member



My problem is that I have an admin page with a form that passes text to a mysql db.

Anytime I put a ' in the text the script returns an error, and I have to escape the character before it works.

Here's the code...

$maintextdata = $_POST["editmaintext"];

$pagename = $_POST["replacedata"];

echo $pagename;

$sqlmaintext = "UPDATE menu SET maintext = '$maintextdata' WHERE linktext = '$pagename' LIMIT 1";

I assumed it had something to do with my syntax, again, but I've tried different ways with no success, and some worse scenarios where I had to escape " and , as well as '.

Any help is much appreciated.

Nearly forgot: the script works fine on another server. Could it be a problem with my current server's PHP version, which is 4.3.11-1.fc2.3.legacy, as far as I know?

Salsa

1:23 am on Feb 2, 2006 (gmt 0)

10+ Year Member



Use addslashes() before you put the text into the database and stripslashes() after you take it out.

coopster

2:29 pm on Feb 2, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Also have a look at both servers' configuration settings for magic_quotes [php.net]. There is a security thread in our PHP Forum Library that addresses this issue as well.
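
The magic_quotes difference between the two servers, and a way to store the text that does not depend on it, as an added example that is not part of the thread. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL database so the script runs offline, the magic_quotes_gpc setting is simulated with addslashes(), and save_maintext() is a hypothetical helper name.

```php
<?php
// Added example, not from the thread. Assumption: PDO with an in-memory SQLite
// database so it runs offline; the thread's database is MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE menu (linktext TEXT PRIMARY KEY, maintext TEXT)");
$db->exec("INSERT INTO menu (linktext, maintext) VALUES ('home', 'old text')");

// Constructed form input with an apostrophe.
$typed = "It's the owner's page";

// What $_POST["editmaintext"] contains on each server (simulated here, since
// current PHP versions no longer have magic quotes):
$servers = array(
    'magic_quotes_gpc On'  => array('value' => addslashes($typed), 'magic' => true),
    'magic_quotes_gpc Off' => array('value' => $typed,             'magic' => false),
);

// Hypothetical helper: store the text the same way on either server.
function save_maintext(PDO $db, $text, $page, $magicQuotesOn)
{
    if ($magicQuotesOn) {
        $text = stripslashes($text);   // undo the automatic escaping first
    }
    // Placeholders keep the values out of the SQL text, so quotes in the
    // input cannot end the string literal. (The thread's LIMIT 1 is dropped:
    // stock SQLite builds do not accept LIMIT on UPDATE.)
    $stmt = $db->prepare('UPDATE menu SET maintext = :text WHERE linktext = :page');
    $stmt->execute(array(':text' => $text, ':page' => $page));
    return $stmt->rowCount();
}

foreach ($servers as $name => $post) {
    // The thread's query, built by interpolation, for comparison only (not executed).
    $interpolated = "UPDATE menu SET maintext = '{$post['value']}' WHERE linktext = 'home'";
    echo "$name\n  interpolated SQL: $interpolated\n";

    $rows = save_maintext($db, $post['value'], 'home', $post['magic']);
    $stored = $db->query("SELECT maintext FROM menu WHERE linktext = 'home'")->fetchColumn();
    echo "  rows updated: $rows, stored: $stored\n";
    echo '  stored matches typed text: ' . ($stored === $typed ? 'yes' : 'no') . "\n";
}
```

With the setting off, the interpolated SQL shows the apostrophe closing the string literal early, which is the error described in the first post; the bound-parameter version stores the typed text unchanged in both cases.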

huds

6:58 pm on Feb 2, 2006 (gmt 0)

10+ Year Member



Thanks a million.