ucfirst Doesn't Appear To Work



tomyknoker
02-25-2008, 09:56 PM
I have added the ucfirst function, however it doesn't affect the entries; they still come in with a lowercase first letter...


$name = stripslashes(ucfirst($_POST['name']));

_Aerospace_Eng_
02-25-2008, 10:00 PM
Then you are likely making them lowercase again elsewhere. Post the rest of your code.

tomyknoker
02-25-2008, 10:02 PM
Ha you were right ;) before they get inserted into the db I have this on each one...

$name = mysql_real_escape_string($_POST['name']);

But I was told to use that as I was having issues with slashes etc...

_Aerospace_Eng_
02-25-2008, 10:08 PM
You should use that yes. First you need to disable magic_quotes_gpc or you get data that is escaped twice and has extra slashes when it comes back.

<?php
ini_set('magic_quotes_gpc','0');
$name = mysql_real_escape_string(ucfirst($_POST['name']));
?>

tomyknoker
02-25-2008, 10:24 PM
Sorry, a bit confused. OK, so initially when I get the post data, I add the 'stripslashes', which does this... If the user types 'John M'Gine', it doesn't add the 'John M'/Gine'... I don't get what the second part does?


<?php
ini_set('magic_quotes_gpc','0');
$name = mysql_real_escape_string(ucfirst($_POST['name']));
?>

_Aerospace_Eng_
02-25-2008, 10:30 PM
You don't need stripslashes if magic_quotes_gpc is off. The second part escapes the data before going into the database. It's the whole reason it was made. Without it you are open to mysql injection and if done properly someone could retrieve whatever data they want from your database. With mysql_real_escape_string they can't because any characters they put in are escaped. Learn to read the php manual. Using a function without knowing why or how it works isn't a wise thing to do.

tomyknoker
02-28-2008, 12:43 AM
Hi there thanks for the info, I do read the php.net manual, but apologies as sometimes I don't fully understand what it means, is it not ok to then ask questions in a forum?

So I think I have a better understanding, let me see if I have this right... magic_quotes_gpc essentially does what addslashes() does, which is needed to be done for binary data to be added into the database which has "'" for example? But this is a really bad way of getting attacked? So better to turn it off and use the mysql_real_escape_string? Is it better to always have 'magic_quotes_gpc' off? Is it on by default?

Ultragames
02-28-2008, 01:25 AM
Magic quotes may be on by default on your host server, but they shouldn't be. They are such a pain in the *** that they have been removed from future versions of PHP. See the page on magic_quotes (http://us3.php.net/magic_quotes)

As for mysql_real_escape_string, always use it! As others said, it escapes characters that if left unescaped could break your queries, or even allow users to change or extract data.

Now as for your original question, mysql_real_escape_string does not affect casing, so it should not have anything to do with ucfirst. Here is your problem:


$name = stripslashes(ucfirst($_POST['name']));
$name = mysql_real_escape_string($_POST['name']);

You are overwriting the $name variable. Try this:


$name = stripslashes(ucfirst($_POST['name']));
$name = mysql_real_escape_string($name);
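
Added example, not part of the thread and not any poster's code: it traces the thread's three cases (value escaped twice, $name overwritten from the raw input, each step chained on the previous result) through a real store-and-read-back. Assumptions: a current PHP with pdo_sqlite, where PDO::quote() on an in-memory SQLite database stands in for mysql_real_escape_string() and addslashes() simulates magic_quotes_gpc (both of the originals have been removed from PHP); clean_name() and round_trip() are hypothetical helper names.

```php
<?php
// Added illustration; not code from the thread. PDO + in-memory SQLite stand in
// for the mysql_* functions, which no longer exist in current PHP.

// Constructed sample: the text a user typed into the "name" field.
$typed     = "john m'Gine";
// Simulates what $_POST['name'] would contain with magic_quotes_gpc = On.
$withMagic = addslashes($typed);

// Hypothetical helper: undo magic quotes once (only if they were applied),
// then capitalise the first letter.
function clean_name(string $raw, bool $magicQuotesOn): string
{
    if ($magicQuotesOn) {
        $raw = stripslashes($raw);
    }
    return ucfirst($raw);
}

// Store a value with exactly one layer of escaping and read it back.
function round_trip(PDO $db, string $value): string
{
    $db->exec('DELETE FROM people');
    // quote() plays the role mysql_real_escape_string() plays in the thread.
    $db->exec('INSERT INTO people (name) VALUES (' . $db->quote($value) . ')');
    return $db->query('SELECT name FROM people')->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT)');

// 1. Magic-quoted input escaped a second time: the backslash is stored as data.
echo round_trip($db, ucfirst($withMagic)), "\n";

// 2. The overwrite from the thread: the second assignment starts again from
//    the raw input, so the stripslashes/ucfirst result is thrown away.
$name = clean_name($withMagic, true);
$name = $withMagic;
echo round_trip($db, $name), "\n";

// 3. Each step works on the previous result: cleaned once, escaped once.
$name = clean_name($withMagic, true);
echo round_trip($db, $name), "\n";
```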


