preg_replace messes up mysql_real_escape_string

Why it should matter is beyond me

MatthewHSE

4:52 pm on Jun 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm working on a form processing script. In the interest of security, I'm stripping out any non-expected data from all text fields, using preg_replace(). The problem is that when I want to use mysql_real_escape_string() on the submitted data later, it fails. Here's the relevant code in question:

On the form page:

<input type="text" name="TextField">

In the processing script:

<?php
include('/path/to/DatabaseConnect.php');
CheckTextboxes('TextField');
$TextFieldEscaped = mysql_real_escape_string($_SESSION['TextField']);
mysql_query("INSERT INTO TableName SET TextField='$TextFieldEscaped';");

function CheckTextboxes ($FieldName) {
    $fv = $_POST[$FieldName];
    // delete every character outside the whitelist (the backslash is not in the class)
    $fv = preg_replace("/[^@\w\d\?\"\'\.\,\ \_\-]/", "", $fv);
    $_SESSION[$FieldName] = $fv;
}
?>

The purpose of the CheckTextboxes() function is to strip out unwanted characters (anything not listed in the regex) from the POST'ed data and add the data to a session. I then retrieve the data from the session and add it to the database (only using the session in the first place because I'll also want the data later on).

When using the code as shown above, Line 3 doesn't seem to work, meaning unescaped data is being inserted into the database. If I comment out the preg_replace line from the CheckTextboxes function, the data DOES get escaped properly.

There's got to be a reason for this, but it's beyond me. Anybody have an idea on what's going on here?

eelixduppy

5:05 pm on Jun 19, 2006 (gmt 0)



Hmmm...interesting. Try adding error_reporting(E_ALL); to the top of the script to see if any errors are thrown. You could also use str_replace [us3.php.net]. By the way, your query string should NOT end with a semicolon.

MatthewHSE

6:08 pm on Jun 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for the tips. I added the error_reporting(E_ALL) to the script, but it didn't report anything but a few missing index errors (which I expected because I haven't totally finished this thing yet). None of them, incidentally, related to the field in question.

This is such a strange error to have happening. I mean, the preg_replace and mysql_real_escape_string lines are both dealing with strings. They should both modify the string independently of one another. But that doesn't seem to be the case.

coopster

6:11 pm on Jun 19, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



What are your magic quotes directives set to?

eelixduppy

6:16 pm on Jun 19, 2006 (gmt 0)



Interestingly enough, this works for me:

<?php
session_start();
$link = mysql_connect("localhost","username","password");
mysql_select_db("test");
// simulate magic_quotes...the slashes get removed by the preg_replace (i think)
CheckTextboxes(addslashes('Mom & Pa %%* said "You eat" that dinner!'));
$TextFieldEscaped = mysql_real_escape_string($_SESSION['test']);
$query = "INSERT INTO TableName SET TextField='$TextFieldEscaped'";
echo $query; // echoes INSERT INTO TableName SET TextField='Mom Pa said \"You eat\" that dinner'

function CheckTextboxes ($str) {
    $fv = $str;
    $fv = preg_replace("/[^@\w\d\?\"\'\.\,\ \_\-]/", "", $fv);
    $_SESSION["test"] = $fv;
}
?>
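The following is an added example, not code posted by anyone in this thread. It takes the whitelist regex from the original post and the magic-quotes simulation from the reply above and makes the interaction visible: the character class does not contain the backslash, so any escaping applied before the filter (magic_quotes_gpc, or an early addslashes()) is deleted, and the quotes are live again by the time the string is pasted into SQL. It then shows the two orderings that do not have this problem: filter first and escape immediately before building the query, or filter first and bind the value as a parameter. Because the mysql_* extension was removed in PHP 7, the example assumes PHP 7 or later with the pdo_sqlite extension and uses an in-memory SQLite database, with PDO::quote() standing in for mysql_real_escape_string(); the table name, sample input and helper function names are constructed for the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with pdo_sqlite.

// The character class exactly as posted in the thread. In a double-quoted PHP
// string \" is just ", and the backslash itself is NOT in the allowed set, so
// the filter deletes every backslash it sees.
const WHITELIST_RE = "/[^@\w\d\?\"\'\.\,\ \_\-]/";

function whitelistFilter(string $value): string
{
    return preg_replace(WHITELIST_RE, '', $value);
}

// Returns true if $sql prepares and executes as written, false on a syntax
// error. Used only to show what a broken string literal does to a statement.
function runsCleanly(PDO $pdo, string $sql): bool
{
    try {
        $pdo->prepare($sql)->execute();
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE TableName (TextField TEXT)');

// Constructed sample input: an apostrophe, double quotes, and a backslash.
$raw = "O'Brien said \"hi\" & left \\ early";

// 1. Escape BEFORE filtering. This is what magic_quotes_gpc = On effectively
//    does to $_POST; addslashes() simulates it, as in the reply above. The
//    filter then strips the backslashes and the quotes are unescaped again.
$escapedFirst = whitelistFilter(addslashes($raw));
$sqlBroken = "INSERT INTO TableName (TextField) VALUES ('$escapedFirst')";

// 2. Filter first, then escape right before the query is assembled.
//    PDO::quote() stands in for mysql_real_escape_string() here.
$filtered  = whitelistFilter($raw);
$sqlQuoted = 'INSERT INTO TableName (TextField) VALUES (' . $pdo->quote($filtered) . ')';

// 3. Filter first, then bind. The value never becomes part of the SQL text,
//    so there is no escaping step that can be lost or applied in the wrong order.
$stmt = $pdo->prepare('INSERT INTO TableName (TextField) VALUES (:v)');
$stmt->execute([':v' => $filtered]);

printf("after magic quotes:         %s\n", addslashes($raw));
printf("after filter (wrong order): %s\n", $escapedFirst);
printf("escape-then-filter SQL ok:  %s\n", runsCleanly($pdo, $sqlBroken) ? 'yes' : 'no');
printf("filter-then-escape SQL ok:  %s\n", runsCleanly($pdo, $sqlQuoted) ? 'yes' : 'no');

$rows = $pdo->query('SELECT TextField FROM TableName')->fetchAll(PDO::FETCH_COLUMN);
printf("rows stored: %d, each equal to the filtered input: %s\n",
    count($rows),
    (count(array_unique($rows)) === 1 && $rows[0] === $filtered) ? 'yes' : 'no');
```

Run it from the command line with `php example.php`. The escape-then-filter statement fails to prepare because the apostrophe in `O'Brien` terminates the literal early, while the other two orderings store the filtered value intact. The point for the thread's script is that the whitelist filter must run on the raw input (with magic quotes undone first, if they are on), and escaping or binding must happen after it, never before.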