Old 02-03-2013, 12:08 PM   PM User | #10
countrydj
Hi Fou-Lu ...

First of all, let me thank you for staying with me in solving my problem.
Secondly, I have changed $_REQUEST to $_POST. I changed all my $_POST and $_GET to $_REQUEST some years ago when it seemed to be 'flavour of the month'.
Thirdly, I have now changed from mysql to mysqli.
All this is because of your advice. THANK YOU !!!

Now to my problem:

The problem is that "It's" needs to be "It\'s" in order to input into the database, otherwise it throws a wobbly:
Quote:
error:1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's New Club','','','','','','','','','nc111','','#99ff99','light_brown.jpg','#ff9' at line 1
This is because I have John's in one of the fields.
You then suggested that I include some code into the script:
PHP Code:
if($action=="add"){

//#################################################################

if (get_magic_quotes_gpc())
{
    
    $_POST = array_map('stripslashes', $_POST);


//#####################################################################
    
$qry = "INSERT INTO " . $vars["table directory"] . " "
and I got the same error message.

I then changed it to:
PHP Code:
if($action=="add"){

//#################################################################

// Take care of magic_quotes_gpc if it's enabled (ini per-dir only, so cannot disable at runtime)
if (get_magic_quotes_gpc())
{
    $_POST = array_map('stripslashes', $_POST); // or list each individually or write a recursive function as well ($_FILES is handled *slightly* differently for example)
}
// Stop external resource from escaping:
ini_set('magic_quotes_runtime', 0); // ini all.

//#####################################################################
    
$qry = "INSERT INTO " . $vars["table directory"] . " "
and I still get the same error.

I then edited my php.ini file:
Code:
;##################################
magic_quotes_gpc = On
;###################################
Restarted apache, and it worked. No error and data entered into database.

I then asked you if my php.ini file was OK:
Code:
;###############################
 magic_quotes_gpc
   Default Value: On
   Development Value: Off
   Production Value: Off
;###############################

;##################################
magic_quotes_gpc = On
;###################################

;#####################################
magic_quotes_runtime = Off       
;#####################################

;###################################
magic_quotes_sybase = Off 
;#####################################
You answered me:
Quote:
I'd also shut down the magic_quotes_gpc.
The idea behind these directives was to help secure against sql injection attacks. But the actual methods used by the dbms' are not aware of these directives, so escaping them would result in double escaping. They carry little other value.
Which I did and was back to my original problem.

The only way I can get my script to work is to have my php.ini file:
Code:
;##################################
magic_quotes_gpc = On
;###################################
Should this be ON or OFF ???

Many thanks for taking the time to help me.

I NEED IT !!!
__________________
The MAN, The MYTH, The LEGEND:
John C
________________________________
Support your local Country Music Club
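The situation in the post above, as an added example that is not code from the thread or from either poster: a value containing an apostrophe breaks a concatenated INSERT, a prepared statement stores it unchanged, and input already escaped the way magic_quotes_gpc did it ends up with a stray backslash. It assumes PDO with an in-memory SQLite database in place of MySQL so that it runs without a server (with mysqli the same pattern uses `prepare()` and `bind_param()`); the `clubs` table and `name` column are hypothetical.

```php
<?php
// Added example. SQLite in memory stands in for MySQL (assumption);
// the table and column names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clubs (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed sample of a submitted form value.
$name = "John's New Club";

// 1. Concatenation: the apostrophe closes the string literal early,
//    so the database sees malformed SQL and rejects the statement.
try {
    $db->exec("INSERT INTO clubs (name) VALUES ('" . $name . "')");
    echo "concatenated insert: accepted\n";
} catch (PDOException $e) {
    echo "concatenated insert: rejected: ", $e->getMessage(), "\n";
}

// 2. Prepared statement: the value travels as data and is never parsed
//    as SQL, so no manual escaping is needed.
$stmt = $db->prepare('INSERT INTO clubs (name) VALUES (?)');
$stmt->execute([$name]);

// 3. magic_quotes_gpc = On applied addslashes() to every request value.
//    Binding such a value stores the backslash as part of the data.
$quoted = addslashes($name);
$stmt->execute([$quoted]);

// 4. Undo the automatic escaping first (what the get_magic_quotes_gpc()
//    branch in the post does), then bind the clean value.
$stmt->execute([stripslashes($quoted)]);

// Show what was actually stored by each successful insert.
foreach ($db->query('SELECT id, name FROM clubs ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['name'], "\n";
}
```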