Hi Guys, Is there a PHP function which will handle single quotes and new line characters properly, as well as keeping it SQL injection safe? You can see the problem here: http://facebookbay.com/start.php. You should see \\\ before ' and also rn wherever someone pressed enter in the input fields. The insert code looks like the following:

$description = mysql_real_escape_string(htmlspecialchars($_POST['description']));
$title = mysql_real_escape_string(htmlspecialchars($_POST['title']));
$group = $_POST['group'];
$submit = mysql_query("INSERT INTO groups SET title='".stripslashes($title)."',description='".stripslashes($description)."'");

Thanks in advance, DaFiz
Okay, first of all you're doing something wrong. Using mysql_real_escape_string() will add backslashes to all quotes in order to prevent MySQL injection attempts. Using stripslashes() removes the exact backslashes that mysql_real_escape_string() added. So basically you're countering your security. What you want to do is use stripslashes() after you pull the information from the database; that way any backslashes that may be in the data get removed.
Similar method. When you receive form data:

1. Discard extra slashes by checking whether they were added by PHP or not (our custom function to do this job; find the function below):

filter_array($_POST);

2. Add additional slashes to make the string compatible with MySQL when inserting:

$_POST['title'] = addslashes($_POST['title']);

function filter_array(&$arr) {
    if (get_magic_quotes_gpc())
        foreach ($arr as $k => $v)
            $arr[$k] = stripslashes($v);
}

The thing I wanted to suggest was: do not save the string after encoding special characters using the htmlspecialchars function. Encode them when you display the post or title, whatever it is. Because if there is the possibility of editing, a user might add more HTML special characters like " < > ' & etc., and when you re-pass it to the same function before saving, the post will become a mess as well as increase in size each time. So it is better to keep it as it is, and use htmlspecialchars when displaying. I hope it helps. regards
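An added PHP example, not code from the thread, that reproduces the "rn" mangling the first reply explains and shows the approach the two replies point at: keep the stored text raw, bind it as a query parameter, and call htmlspecialchars() only when rendering. It assumes an SQLite database through PDO as a stand-in for MySQL, and a hypothetical mysqlStyleEscape() that mimics what mysql_real_escape_string() does to a string, since that function needs a live connection and was removed in PHP 7.

```php
<?php
// Stand-in for mysql_real_escape_string(): escape the same characters
// the MySQL client library escapes (NUL, LF, CR, backslash, quotes, ^Z).
function mysqlStyleEscape(string $s): string {
    return addcslashes($s, "\0\n\r\\'\"\x1a");
}

// The pattern from the original post: escape for SQL, then strip slashes again.
function brokenInsertValue(string $raw): string {
    return stripslashes(mysqlStyleEscape($raw));
}

$raw = "Don't miss\r\nthis listing";   // constructed form input with an Enter key

// Escaping turns CR/LF into the two-character sequences \r and \n;
// stripslashes() then deletes the backslashes, leaving a literal "rn".
echo brokenInsertValue($raw), "\n";      // Don't missrnthis listing

// Fix: store the raw text via a bound parameter (no manual escaping at all),
// then encode for HTML only at display time.
$pdo = new PDO('sqlite::memory:');       // assumption: SQLite stands in for MySQL
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE groups (title TEXT, description TEXT)');

$stmt = $pdo->prepare('INSERT INTO groups (title, description) VALUES (:t, :d)');
$stmt->execute([':t' => 'Group 1', ':d' => $raw]);

$stored = $pdo->query('SELECT description FROM groups')->fetchColumn();
var_dump($stored === $raw);              // bool(true): quote and newline intact

// Rendering step: escape HTML metacharacters now, and turn newlines into <br />.
echo nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')), "\n";
// Don&#039;t miss<br />
// this listing
```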
Thank you all for your assistance. I now have it working. I ended up swapping the htmlspecialchars() function for the stripslashes() function, and removed the stripslashes() function from the insert string. clarky_y2k3: I will note that function for later; for this particular case I don't want the submitter to be able to overinflate their listing by adding a heap of new lines anyway. The above fix stopped the rnrn from appearing, so everything is good now. Cheers, DaFiz