
Delete Entry that has apostrophe



thilss0o
12-23-2010, 07:57 PM
It's the simple addslashes function, but for some reason this is acting differently than usual.

I'm having no trouble inserting values that have an apostrophe (') or quotation marks (").

I'm inserting them with this escape:

$news = mysql_real_escape_string($_POST['news']);

even though they seem to go through without the escape... and they don't show up in the database with backslashes.

So when I go to delete, it just doesn't process.

Here's my process page:


<?php
require_once("system/config.php");
auth();

dbaccess();

// Escaped copy of the posted blurb, used only by the INSERT branch below.
$news = mysql_real_escape_string($_POST['news']);

if (isset($_GET['delete'])) {
    if (!isset($_GET['confirm'])) {
        // First visit: ask for confirmation, linking back to the same URL with confirm=y appended.
        echo "Are you sure you want to delete \"" . ucfirst($_GET['delete']) . "\"?<br /><br />"
           . "<a href=\"" . $_SERVER['REQUEST_URI'] . "&confirm=y\">Yes</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"
           . "<a href=\"edit_news.php\">No</a>";
    } else {
        // Confirmed: delete the row whose blurb matches the urlencoded GET value.
        mysql_query("DELETE FROM news WHERE newsblurb = '" . urlencode($_GET['delete']) . "' LIMIT 1");
        header("Location: edit_news.php");
    }
} elseif (isset($_POST['news'])) {
    mysql_query("INSERT INTO news (newsblurb) VALUES ('" . $news . "') ");
    header("Location: edit_news.php");
}
?>

poyzn
12-23-2010, 08:18 PM
Maybe the problem is in the urlencode function. Could you just print the string


echo "DELETE FROM news WHERE newsblurb = '" . urlencode($_GET['delete']) . "' LIMIT 1";

and post it here?

thilss0o
12-24-2010, 02:56 AM
Oh no, the urlencode was something I was trying. It wasn't working before or after I applied that.

But I'll print it anyway:


----

Didn't print anything.

poyzn
12-24-2010, 08:13 AM
OK, then output the next string and check whether the delete parameter is being passed in the URL:


echo "Are you sure you want to delete \"" . ucfirst($_GET['delete']) . "\"?<br /><br /><a href=\"" . $_SERVER['REQUEST_URI'] . "&confirm=y\">Yes</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=\"edit_news.php\">No</a>";

Maybe you should add it:


echo "Are you sure you want to delete \"" . ucfirst($_GET['delete']) . "\"?<br /><br /><a href=\"" . $_SERVER['REQUEST_URI'] . "?delete=y&confirm=y\">Yes</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=\"edit_news.php\">No</a>";

MattF
12-24-2010, 11:05 AM
mysql_query("DELETE FROM news WHERE newsblurb = '". urlencode($_GET['delete']) ."' LIMIT 1");


Is $_GET['delete'] an id or a name? BTW, welcome to the fact that the query above is wide open for exploit. Escape the string if it's a string.
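
As an added illustration that is not from the thread (an editor's example, not the poster's page), the script below reproduces both points at once: the delete that never matches once the apostrophe has been urlencoded (and the syntax error it hides when the raw value is spliced in), the always-true WHERE clause an attacker gets from the same concatenation, and the prepared-statement form that treats the value as data. It assumes PDO with the SQLite driver, an in-memory stand-in for the thread's `news` table, and two constructed sample rows; `LIMIT 1` is left off the DELETE because stock SQLite does not accept it.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite table stands
// in for the thread's MySQL `news` table so this runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE news (id INTEGER PRIMARY KEY, newsblurb TEXT)");

// Constructed sample rows; the second carries the apostrophe from the thread.
function resetTable(PDO $pdo): void {
    $pdo->exec("DELETE FROM news");
    $pdo->exec("INSERT INTO news (newsblurb) VALUES ('Plain entry'), ('Don''t forget the party')");
}

function rowsLeft(PDO $pdo): int {
    return (int)$pdo->query("SELECT COUNT(*) FROM news")->fetchColumn();
}

// The thread's query shape: the value is spliced into the SQL text.
// Returns a one-line report of what the database did with it.
function deleteByConcat(PDO $pdo, string $value): string {
    $sql = "DELETE FROM news WHERE newsblurb = '" . $value . "'";
    try {
        return "deleted " . $pdo->exec($sql) . " row(s), " . rowsLeft($pdo) . " left";
    } catch (PDOException $e) {
        // mysql_query() would only hand back false here; PDO tells us why.
        return "SQL error: " . $e->getMessage();
    }
}

// Hardened form: a prepared statement sends the value separately from the
// SQL text, so quotes inside it are data, never syntax.
function deleteByPrepared(PDO $pdo, string $value): int {
    $stmt = $pdo->prepare("DELETE FROM news WHERE newsblurb = ?");
    $stmt->execute([$value]);
    return $stmt->rowCount();
}

// Better still for this page: delete by primary key, so the blurb text
// never has to round-trip through the URL at all.
function deleteById(PDO $pdo, int $id): int {
    $stmt = $pdo->prepare("DELETE FROM news WHERE id = ?");
    $stmt->execute([$id]);
    return $stmt->rowCount();
}

$target = "Don't forget the party";

resetTable($pdo);
// urlencode() turns the apostrophe into %27: well-formed SQL that matches no row.
echo "urlencoded: ", deleteByConcat($pdo, urlencode($target)), "\n";
// The raw value closes the string literal early, so the statement is a syntax error.
echo "raw:        ", deleteByConcat($pdo, $target), "\n";
// A raw value chosen by an attacker makes the WHERE clause always true.
echo "injected:   ", deleteByConcat($pdo, "x' OR '1'='1"), "\n";

resetTable($pdo);
// With a parameter the apostrophe matches its row and the injection string matches nothing.
echo "prepared:   ", deleteByPrepared($pdo, $target), " row(s) deleted\n";
echo "prepared:   ", deleteByPrepared($pdo, "x' OR '1'='1"), " row(s) deleted\n";
echo "by id:      ", deleteById($pdo, 1), " row(s) deleted, ", rowsLeft($pdo), " left\n";
```

Run it with `php` from the command line; the same prepared-statement shape works against MySQL through PDO's mysql driver or mysqli. Replacing urlencode() with mysql_real_escape_string() on the value, as the thread suggests, would also make the concatenated query match, but the parameter form removes the escaping step altogether. The confirmation page in the first post also echoes `$_GET['delete']` straight into HTML; wrap it in htmlspecialchars() for the same reason the query needs a parameter.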

thilss0o
12-25-2010, 03:38 AM
Well, I know the deleting thing works overall; it just doesn't delete entries that have quotations in them.

And yes, $_GET['delete'] is called from the previous page.


