Forum Moderators: coopster
I have a form that the user will update and then submit to the DB; unfortunately these fields might, and most likely will, contain quotes, slashes, and the like. I know I must use something like addslashes, htmlspecialchars, or mysql_escape_string, but I am not sure which, whether they must go in the form or the update script, and exactly where they would be posted. Any help is greatly appreciated, and thanks in advance. Oh, and I have a shared server with magic_quotes on. EDIT: And I should add that without any of the three above-listed functions inserted into the script, I get a "query failed" error and the DB doesn't update; with one of the three inserted somewhere where I THINK they should go, I get a blank page after submitting and the DB doesn't update.
Here is the form itself:
{
$name = $_GET['select'];
}
{
$charquery = "SELECT * FROM characters WHERE charactername='$name'";
$charresult = mysql_query($charquery, $con) or die("query [$charquery] failed: ".mysql_error());
}
while ($row = mysql_fetch_assoc($charresult))
{
echo '<p>Please change the relevant fields below and submit to update your information.</p>';
echo '<form method="post" action="index.php?name=Sg_roster&file=update&select='.$name.'">';
echo '<table align="center">';
echo '<tr valign="baseline">';
echo '<td nowrap align="left">Hero ID:</td>';
echo '<td><input type="text" name="ud_charactername" value="'.$row['charactername'].'"></td>';
echo '</tr>';
echo '<tr valign="baseline">';
echo '<td nowrap align="left">Secret ID:</td>';
echo '<td><input name="ud_secretid" type="text" value="'.$row['secretid'].'" size="35" maxlength="55"></td>';
echo '</tr>';
echo '<tr valign="baseline">';
echo '<td nowrap align="left">Security Level:</td>';
echo '<td><input name="ud_level" type="text" value="'.$row['level'].'" size="2" maxlength="2"></td>';
echo '</tr>';
echo '<tr valign="baseline">';
echo '<td align="left" valign="middle" nowrap>Supergroup:</td>';
echo '<td><input name="ud_sg" type="text" id="sg" value="'.$row['sg'].'" maxlength="75"></td>';
echo '</tr>';
echo '<tr valign="baseline">';
echo '<td align="left" valign="middle" nowrap>Background:</td>';
echo '<td><textarea name="ud_background" cols="50" rows="10" wrap="virtual">'.$row['background'].'</textarea></td>';
echo '</tr>';
echo '<tr valign="baseline">';
echo '<td nowrap align="left">This is NOW my: :</td>';
echo '<td valign="baseline"><table>
<tr>
<td width="90"><input type="radio" name="ud_main" value="Main" >
Main:</td>
<td width="91"><input type="radio" name="ud_main" value="ALT" />
ALT:</td>
</tr>';
echo '</table></td>';
echo '</tr>';
echo '<tr valign="baseline">';
echo '<td nowrap align="left"> </td>';
echo '<td><input name="submit" type="submit" id="submit" value="Update Hero"></td>';
echo '</tr>';
echo '</table>';
echo '</form>';
}
mysql_free_result($charresult);
And here is the update script:
{
$name = $_GET['select'];
}
$ud_charactername=$_POST['ud_charactername'];
$ud_secretid=$_POST['ud_secretid'];
$ud_level=$_POST['ud_level'];
$ud_sg=$_POST['ud_sg'];
$ud_main=$_POST['ud_main'];
{
echo stripslashes($query);
}
$query="update characters SET charactername='".$ud_charactername."', secretid='".$ud_secretid."', level='".$ud_level."', sg='".$ud_sg."', main='".$ud_main."' WHERE charactername='".$name."'";
$checkresult = mysql_query($query);
echo $query;
if ($checkresult) echo 'update query succeeded';
else echo 'update query failed';
mysql_close();
I've been banging my head on this for a few days, thanks again. Oh and is it obvious I have no idea what I'm doing? :)
$ud_sg = htmlspecialchars($_POST['ud_sg'], ENT_QUOTES, 'UTF-8');
From the PHP manual (http://us2.php.net/manual/en/function.htmlspecialchars.php): "This function is useful in preventing user-supplied text from containing HTML markup, such as in a message board or guest book application. The optional second argument, quote_style, tells the function what to do with single and double quote characters. The default mode, ENT_COMPAT, is the backwards compatible mode which only translates the double-quote character and leaves the single-quote untranslated. If ENT_QUOTES is set, both single and double quotes are translated and if ENT_NOQUOTES is set neither single nor double quotes are translated."
Unfortunately I did as was suggested and I'm still getting a 1064 error; when I ran the query in phpMyAdmin, here is what I got in return.
SQL query:
INSERT INTO characters
SET charactername = Captain Vanguard,
secretid = Todd Wheaton,
LEVEL =37,
sg = The Minutemen,
background = Captain Van 'gyrd was the greatest protector of his galaxy. For a thousand years his home knew hope, safety, and peace but Van'gyrd made many mortal enemies IN his millennia - longreign AS his galaxy 's sole-protector. Betrayed by someone close to him, he was mystically imprisoned inside an artifact that was hidden on the planet Earth, thousands of years ago. The artifact, a pair of golden bracelets, were found in 2006 by an acrheologist, who discovered that whoever possesses the artifact can switch places with the mighty alien warrior. In times of need archeologist Todd Wheaton mentally opens a gateway and trades places with Captain Vanguard, so that he may protect the citizens of Paragon City. Being a stranger to 21st Century Terran culture, Captain Vanguard will occassionaly mix up his cliche's AND metaphors . ,
main = Main WHERE charactername = Captain Vanguard
MySQL said: Documentation
#1064 - You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'Vanguard, secretid=Todd Wheaton, level=37, sg=The Minutemen, ba
I know it has something to do with the specific text I am inserting into a particular field, when I enter the text as long as it doesn't have single quotes in it, the query will succeed.
$query="update characters SET charactername='$ud_charactername', secretid='$ud_secretid', etc... (I removed the quote/concat indicators and just included the values within single quotes.)
Edit: The error you're getting starts at the first space character, not a single quote, which indicates that the variable values are not being passed correctly. Including the variable within single quotes maintains their object references. Your query should end up like: [ charactername = 'Captain Vanguard', ] rather than: [ charactername = Captain Vanguard, ]
Second edit: D'oh! Actually, it looks like there may be an error in your implementation of htmlspecialchars ... there should be no single quotes in the query values if you used ENT_QUOTES, because they all would have been rendered as entities, but it's tough to tell if you're using phpMyAdmin, because everything gets rendered to the browser ... so I'd check that, too.
[edited by: StupidScript at 9:19 pm (utc) on April 11, 2007]
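The two questions above (which escaping function to use, and why a value containing an apostrophe produces error 1064) have one answer: escaping has to match the place the data is going. A single quote inside the interpolated value ends the SQL string literal early, so the rest of the text is parsed as SQL; that is both the syntax error and the injection hole. htmlspecialchars() is an HTML encoder, and applying it before the query only makes the statement parse by storing &#039; in the database. The example below is added here and is not code from the thread or from either poster. It assumes PHP 7 or later with the PDO SQLite driver so it runs without a MySQL server (the mysql_* extension the thread uses was removed in PHP 7), uses the column names from the thread's query, and the helper names rawPost, updateUnsafe, updateHtmlEscaped, updatePrepared and formField are hypothetical. The two submitted values are constructed for the demo.

```php
<?php
// Added example (not code from the thread): the OP's UPDATE done three ways.
// Assumptions: PHP 7+ with the PDO SQLite driver, so it runs without MySQL;
// the table shape follows the column names used in the thread's query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE characters (charactername TEXT, secretid TEXT, level TEXT,
           sg TEXT, background TEXT, main TEXT)");
$db->exec("INSERT INTO characters VALUES
           ('Captain Vanguard', 'Todd Wheaton', '37', 'The Minutemen', '', 'Main')");

// Constructed submissions (hypothetical, not from the thread's database): the
// apostrophe case that produced the 1064 error, and a hostile value that
// closes the string literal and rewrites the rest of the statement.
$apostrophe = "Captain Van'gyrd was the greatest protector of his galaxy.";
$hostile    = "x', main='ALT' WHERE '1'='1' -- ";

// Read a POST field the way the update script should have: magic_quotes_gpc
// (PHP 5 only) pre-escapes input, so undo it here and let the database layer
// do the one escaping step that matters. Hypothetical helper name.
function rawPost(array $post, string $key): string {
    $v = isset($post[$key]) ? (string) $post[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $v = stripslashes($v);
    }
    return $v;
}

// 1. What the thread's update script does: paste raw input into the SQL text.
//    An apostrophe ends the literal early (syntax error); a crafted value is
//    executed as SQL.
function updateUnsafe(PDO $db, string $name, string $background): string {
    $sql = "UPDATE characters SET background='$background' WHERE charactername='$name'";
    try {
        $db->exec($sql);
    } catch (PDOException $e) {
        return 'syntax error: ' . $e->getMessage();
    }
    return 'ok, main is now ' . $db->query("SELECT main FROM characters")->fetchColumn();
}

// 2. htmlspecialchars() before the query, as suggested in the thread. The
//    statement parses because ' became &#039;, but that entity is what gets
//    stored, and it is the wrong tool: it does nothing for backslashes or
//    other SQL metacharacters.
function updateHtmlEscaped(PDO $db, string $name, string $background): string {
    $bg = htmlspecialchars($background, ENT_QUOTES, 'UTF-8');
    $db->exec("UPDATE characters SET background='$bg' WHERE charactername='$name'");
    return (string) $db->query("SELECT background FROM characters")->fetchColumn();
}

// 3. The fix: a prepared statement with bound parameters. Values never enter
//    the SQL grammar, so quotes, slashes and the hostile payload are stored
//    verbatim as inert text.
function updatePrepared(PDO $db, string $name, string $background): string {
    $stmt = $db->prepare("UPDATE characters SET background = :bg WHERE charactername = :name");
    $stmt->execute([':bg' => $background, ':name' => $name]);
    $sel = $db->prepare("SELECT background FROM characters WHERE charactername = :name");
    $sel->execute([':name' => $name]);
    return (string) $sel->fetchColumn();
}

// 4. htmlspecialchars() belongs at output time: the form echoes each stored
//    value into a value="..." attribute, which is where a quote would break
//    the markup or inject script.
function formField(string $name, string $value): string {
    return '<input type="text" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

$post = ['ud_background' => $apostrophe];   // stands in for $_POST
$name = 'Captain Vanguard';
echo updateUnsafe($db, $name, rawPost($post, 'ud_background')), "\n";
echo updateUnsafe($db, $name, $hostile), "\n";
echo updateHtmlEscaped($db, $name, $apostrophe), "\n";
echo updatePrepared($db, $name, $apostrophe), "\n";
echo updatePrepared($db, $name, $hostile), "\n";
echo formField('ud_background', $hostile), "\n";
```

Run it with `php example.php`. The first call fails with a syntax error at the apostrophe, which is the thread's 1064 condition; the second succeeds and has flipped the `main` column on every row, because the `--` in the payload comments out the real WHERE clause. The htmlspecialchars() variant stores the entity rather than the apostrophe. The prepared-statement variant stores both values exactly as typed, and formField() shows the one place where htmlspecialchars() is the right call. The same parameter-binding approach applies to MySQL through PDO's mysql driver or mysqli::prepare(); in the PHP 5 era of the thread, mysql_real_escape_string() on each value (after stripslashes() when magic_quotes_gpc is on, to avoid escaping twice) was the escaping alternative, but bound parameters remove the problem rather than patching it.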
{
$name = $_GET['select'];
}
...
{
echo stripslashes($query);
}
There are a couple of reasons to use curly brackets, but this use of them is unfamiliar to me. You could do without them in both of those instances:
$name = $_GET['select'];
echo stripslashes($query);
And the echo statement is premature ... it comes before $query has been defined (I know it's just for debugging ...)
[edited by: StupidScript at 10:02 pm (utc) on April 11, 2007]
Ok, now that I've settled down. Thanks for the welcome; I've been a fan here for a while. Most of my meager PHP knowledge has come from reading here. To answer your first question: the brackets ... well, reading through the books I have and looking at others' scripts, it seemed like the thing to do. They're for THEN statements, right? So yeah, having them there wouldn't make much sense.
So I got rid of those and got rid of the echo statement before stripslashes and cleaned up the code as you suggested. And the updates are working fine near as I can tell. Thanks so much for all your help SS. Now hopefully I can get these last two problems figured out on my own, and then I'll be done with this.