Apostrophe problems (user input rejected)

Discussion in 'Databases' started by snoopgst, Mar 12, 2007.

0
  1. #1
    I am using the following code to allow users to input a description into the database but if there are any apostrophe's in the text it will reject it.

    How do I fix this problem?

    Thanks

    }
    elseif($_REQUEST[field_myvideo_descr]==""){
    $err="Upload: Please Provide a video description.";
     
    snoopgst, Mar 12, 2007 IP
  2. JenniP

    JenniP Peon

    Messages:
    250
    Likes Received:
    15
    Best Answers:
    0
    Trophy Points:
    0
    #2
    Where is it being rejected? If its the database saying no its because a single quote is normally a text delimiter

    IE

    UPDATE Users SET LastName = 'O'Brien' WHERE ID = 12345

    The part in red will cause an error because the single quote in O'Brien will make your SQL engine think the text ends there, it will then continue to parse the string and see Brien' which it will see as an error because there is no SQL command called Brien'.

    UPDATE Users SET LastName = 'O''Brien' WHERE ID = 12345

    If you did the above, it should accept it, note the '' above is two single quotes not one double quote, and SQL will take the two single quotes and store one single quote in the database.

    So how do you get round this problem, anywhere you take input from a user, replace any single quotes, with two single quotes, I dont know the best way to do it from PHP but a quick Google should find you an answer but I think str_replace will work for you.

    Not only will this allow SQL to accept your input, but it will also help protect against SQL injection. At the moment your code will allow a hacker to run their own SQL commands which could allow them to steal or alter your data delete databases and generally cause havoc, its fairly complicated to explain so I suggest you google it.
     
    JenniP, Mar 13, 2007 IP
  3. spachev

    spachev Peon

    Messages:
    42
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #3
    I always turn off the magic quotes in php.ini, and validate the input myself. It is a good idea to always validate the input. Assume the user can be malicious.
     
    spachev, Mar 13, 2007 IP
  4. teknoledge

    teknoledge Active Member

    Messages:
    408
    Likes Received:
    14
    Best Answers:
    0
    Trophy Points:
    88
    #4
    $input = htmlspecialchars($_REQUEST[field_myvideo_descr], ENT_QUOTES);

    http://www.php.net/htmlspecialchars
     
    teknoledge, Mar 14, 2007 IP
  5. saidev

    saidev Well-Known Member

    Messages:
    328
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    140
    #5
    lookup addslashes() and stripslashes()
     
    saidev, Mar 15, 2007 IP
  6. voodoo709

    voodoo709 Member

    Messages:
    69
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    48
    #6
    voodoo709, Mar 15, 2007 IP
  7. Houdas

    Houdas Well-Known Member

    Messages:
    158
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    101
    #7
    I am using following code to store strings into DB:

    
  function esc($string)
  {
    if (get_magic_quotes_gpc()) {
      return $string;
    } else {
      return mysql_real_escape_string($string);
    }
  }
    PHP:
     
    Houdas, Mar 21, 2007 IP
  8. itrana123

    itrana123 Peon

    Messages:
    177
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    0
    #8
    Use str_replace() to fix this problem... try this it will replace all apostrophe's to a specific character whatever you like to use.
     
    itrana123, Mar 21, 2007 IP