Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 4 of 4
  1. #1
    Regular Coder Deacon Frost's Avatar
    Join Date
    Feb 2008
    Location
    Between the Lines
    Posts
    279
    Thanks
    31
    Thanked 4 Times in 4 Posts

    Macintosh Add/Remove Slashes (SQL query)

    Well, this is kind of a follow up on the SQL injection questions I've been having. I guess I haven't fully grasped it. I have taken every piece of advice, tweeked it just a tiny bit and interjected it but to no avail .

    Here's ALL of my codes, how they should work, how they work in conjunction with each other, a live demo, etc....

    PHP Code:
    <?php 
    include("/home/deacon/public_html/critical/includes/profilesconn.php");  

    $id mysql_real_escape_string($_GET['id']);

    $sql sprintf("SELECT `ID`,`Name`,`Rank`,`Picture`,`1`,`2`,`3`,`4`,`5`,`About`,`Interests`,`Services`,`Portfolio` FROM `profile` WHERE `ID` = '".$id."'"); 
    $result mysql_query$sql ) or die('The error was: ' mysql_error() . '<br />The query was: ' $sql); 
    $num mysql_num_rows($result);
    $row mysql_fetch_assoc($result);
    {
            
    $id $row['ID']; 
            
    $name $row['Name']; 
            
    $rank $row['Rank'];
            
    $face $row['Picture'];
            
    $_1 $row['1']; 
            
    $_2 $row['2']; 
            
    $_3 $row['3'];
            
    $_4 $row['4']; 
            
    $_5 $row['5']; 
            
    $about $row['About']; 
            
    $interests $row['Interests']; 
            
    $services $row['Services'];
            
    $portfolio $row['Portfolio']; 

            
    html_entity_decode('$_1'); 
            
    html_entity_decode('$_2');
            
    html_entity_decode('$_3'); 
            
    html_entity_decode('$_4'); 
            
    html_entity_decode('$_5'); 
            
    html_entity_decode('$rank');
            
    html_entity_decode('$face');
            
    html_entity_decode('$about');
            
    html_entity_decode('$interests'); 
            
    html_entity_decode('$services');
            
    html_entity_decode('$portfolio');

    }

    if(!
    $id || $id <= 0)
    {
    echo(
    "Do not attempt that. Please click <a href='http://www.chrysys.net/portfolios.php'>here</a>.");
    }
    ?>
    PHP Code:
    <?php 
    include("portfolioscheck.php"); 

    if(!
    $id)
    die(); 
    ?>

                     

    <a href="http://www.chrysys.net/update.php?id=<? echo $id?>"><h1>Edit Profile</h1></a>

    <table width="75%">
    <tr>
    <td>
    <a href="http://www.chrysys.net"><img src="<? echo $face ?>" alt="Find All of <? echo $name ?>'s Work" width="150" height="200" align="left" /></a>
    <h1><? echo $name ?></h1>
    <h2><? echo $rank?></h2>
    <hr>
    <center><h2>Best Top 5</h2>
    <ol>
    <li><span><? echo $_1?></span></li>
    <li><span><? echo $_2?></span></li>
    <li><span><? echo $_3?></span></li>
    <li><span><? echo $_4?></span></li>
    <li><span><? echo $_5?></span></li>
    </ol>
    </center>
    </td>
    </tr>
    </table>

    <table width="75%">
    <tr>
    <td align>
    <h2>About Me</h2>
    <?php echo nl2br($about); ?>
    </td>
    </tr>
    </table>

    <br /><br />

    <table width="75%">
    <tr>
    <td>
    <h2>My Interests</h2>
    <?php echo nl2br($interests); ?>
    </td>
    </tr>
    </table>


    <br /><br />

    <table width="75%">
    <tr>
    <td>
    <h2>My Services</h2>
    <?php echo nl2br($services); ?>
    </td>
    </tr>
    </table>


    <br /><br />

    <table width="75%">
    <tr>
    <td>
    <h2>My Portfolio</h2>
    <?php echo nl2br($portfolio); ?>
    </td>
    </tr>
    </table>
    PHP Code:
    <?php 
    include("/home/deacon/public_html/critical/includes/header.php"); 
    include(
    "/home/deacon/public_html/portfolioscheck.php");

    if(!
    $id)
    die();
    ?> 

    <body> 

    <div class="left"> 
       
        <ul> 
        <li><a href="index.php">Home</a></li> 
        <li class="active"><a href="portfolio.php">Portfolio</a></li> 
        <li><a href="services.php">Services</a></li> 
        <li><a href="contact.php">Contact</a></li> 
        </ul> 
         
    </div> 

    <div class="right"> 


    <div class="content"> 

    <table width="75%">
    <tr>
    <td>
    <h2>Current Image:</h2>
    <tr>
    <td>
    <form action="http://www.chrysys.net/confirmupdate.php?id=<? echo $id?>" method="post">
    <input type="text" size="22" name="newimage" maxlength="255" value="<? echo $face ?>" />
    <tr><td>
    <img src="<? echo $face ?>" width="150" height="200" align="left" />
    </td>
    </tr>
    </table>


    <table width="75%">
    <tr>
    <td>
    <h2>About Me</h2>
    <form action="http://www.chrysys.net/confirmupdate.php?id=<? echo $id?>" method="post">
    <textarea name="about" maxlength="1000" rows="10" cols="50">
    <? echo $about?>
    </textarea>
    </td>
    </tr>
    </table>

    <br /><br />

    <table width="75%">
    <tr>
    <td>
    <h2>My Interests</h2>
    <form action="http://www.chrysys.net/confirmupdate.php?id=<? echo $id?>" method="post">
    <textarea name="interests" maxlength="1000" rows="10" cols="50">
    <?php echo $interests?>
    </textarea>
    </td>
    </tr>
    </table>


    <br /><br />

    <table width="75%">
    <tr>
    <td>
    <h2>My Services</h2>
    <form action="http://www.chrysys.net/confirmupdate.php?id=<? echo $id?>" method="post">
    <textarea name="services" maxlength="1000" rows="10" cols="50">
    <?php echo $services?>
    </textarea>
    </td>
    </tr>
    </table>


    <br /><br />

    <table width="75%">
    <tr>
    <td>
    <h2>My Portfolio</h2>
    <form action="http://www.chrysys.net/confirmupdate.php?id=<? echo $id?>" method="post">
    <textarea name="portfolio" maxlength="1000" rows="10" cols="50">
    <?php echo $portfolio?>
    </textarea>
    </td>
    </tr>
    </table>
    <input type="submit" value="Update Profile" />
    </form>
    <? include("/home/deacon/public_html/critical/includes/footer.php"); ?>
    PHP Code:
    <?php 
    include("/home/deacon/public_html/critical/includes/header.php"); 
    include(
    "/home/deacon/public_html/critical/includes/profilesconn.php");
    include(
    "/home/deacon/public_html/portfolioscheck.php");


    $id htmlentities(mysql_real_escape_string($_GET['id']), ENT_QUOTES);
    $newimage htmlentities(mysql_real_escape_string($_POST['newimage']), ENT_QUOTES);
    $about htmlentities(mysql_real_escape_string($_POST['about']), ENT_QUOTES);
    $interests htmlentities(mysql_real_escape_string($_POST['interests']), ENT_QUOTES);
    $services htmlentities(mysql_real_escape_string($_POST['services']), ENT_QUOTES);
    $portfolio htmlentities(mysql_real_escape_string($_POST['portfolio']), ENT_QUOTES);



    if(
    $newimage == '')
    {
    $newimage "http://www.chrysys.net/critical/images/face.jpg";
    }

    $query "UPDATE `deacon_profiles`.`profile` SET `Picture` ='$newimage', `About` ='$about', `Interests` ='$interests', `Services` = '$services', `Portfolio` = '$portfolio' WHERE `profile`.`ID` = '$id' LIMIT 1";

    $update $query;
    $update1 addcslashes($update"/r/n")

    ?> 

    <body> 

    <div class="left"> 
       
        <ul> 
        <li><a href="index.php">Home</a></li> 
        <li class="active"><a href="portfolio.php">Portfolio</a></li> 
        <li><a href="services.php">Services</a></li> 
        <li><a href="contact.php">Contact</a></li> 
        </ul> 
         
    </div> 

    <div class="right"> 


    <div class="content"> 
    <?php



    if(!$id)
     {
    die (
    "Do not try that! Please follow the procedure to properly edit your profile. If you feel you have found this page in error, please let us know using the contact form.");
     }

    if(
    $update)
    {
    mysql_query$update1 );
    echo 
    "You have edited your profile. <br /> Return to your <a href='http://www.chrysys.net/portfolios.php?id=".$id."'>profile</a>.";
    }




    ?>

    <? include("/home/deacon/public_html/critical/includes/footer.php"); ?>


    What they do is:

    Number 1 just gets all the data, decodes it for use, etc. Number 2 is the actual profile page. It contains all the information taken from the database, and displays it. Number 3 is the user editable forms in which the person can change almost whatever they wish. Number 4 is the page that inserts it into the database, strips all slashes (Should), prevents SQL injection, confirms, then updates.

    The thing I need to do, that it isn't doing... I need to have the ability to have new lines in the fields, however, I can't have slashes displayed otherwise it'd work fine. Sure, slashes can be shown if they are added by the user, but I don't want those annoying "/'" to show up. Which is strip slashes, however, I cannot strip slashes because I need new lines.


    It's very confusing at the moment :S.

    So how would I go about doing this. I've provided you with the codes, if you take snippets, and just show me parts then explain the rest I'll try and figure it out! Thanks for any help!

    EDIT: Live demo can be found here: http://www.chrysys.net/portfolios.php?id=1

    (The apple icon is because it doesn't JUST work.)
    Last edited by Deacon Frost; 03-28-2008 at 05:34 AM.

  • #2
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    Sounds like magic_quotes_gpc is turned on. This needs to be turned off to prevent the data from being escaped twice. When the data comes back from the database the slashes won't be there.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • Users who have thanked _Aerospace_Eng_ for this post:

    Deacon Frost (04-07-2008)

  • #3
    Regular Coder
    Join Date
    Feb 2007
    Location
    Canada
    Posts
    924
    Thanks
    10
    Thanked 56 Times in 55 Posts
    Code:
    // Create a function for escaping the data.
    function escape_data ($data) {
    	
    	// Address Magic Quotes.
    	if (ini_get('magic_quotes_gpc')) {
    		$data = stripslashes($data);
    	}
    	
    	// Check for mysql_real_escape_string() support.
    	if (function_exists('mysql_real_escape_string')) {
    		global $dbc; // Need the connection.
    		$data = mysql_real_escape_string (trim($data), $dbc);
    	} else {
    		$data = mysql_escape_string (trim($data));
    	}
    
    	// Return the escaped value.	
    	return $data;
    
    } // End of function.
    use it in your Data vaidation prior to entering the data into the DB, like so:
    Code:
    	// Check for a first name.
    	if (empty($_POST['first_name'])) {
    		$errors[] = 'You forgot to enter your first name.';
    	} else {
    		$fn = escape_data($_POST['first_name']);
    	}
    Last edited by jlhaslip; 03-28-2008 at 07:04 AM.

  • Users who have thanked jlhaslip for this post:

    Deacon Frost (04-07-2008)

  • #4
    Regular Coder Deacon Frost's Avatar
    Join Date
    Feb 2008
    Location
    Between the Lines
    Posts
    279
    Thanks
    31
    Thanked 4 Times in 4 Posts
    THANK YOU!


    Sorry I took so long to respond. I haven't had time to work on the site at all XD! You really helped, thanks, a lot!

    Now I can move on to learning files and such XD!


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •