Hey, I recently bought a PHP script. It has a form you can use to submit software descriptions but when you submit some of the data is not stored. I think it's when you use quotes, i.e. '. For example when I enter this: "A very nice little counter script! Its very customisable you can have 12 different graphic styles or just text.. If there is a part of it you don't want to use you can just switch if etc..." It only stores this "A very nice little counter script! Its very customisable you can have 12 different graphic styles or just text.. If there is a part of it you don\" Does someone know how to solve this? Thanks, Hodge
They need to add addslashes around the data before saving it. However, I'd send it back and ask for a refund. If they've stuffed up on something as simple as this then the site will be very hackable and subject to both SQL and mail injections.
Well, I bought the script for $2 so I can't really complain. Anyway, what do you mean by addslashes? You mean the backslash \ before the '? I'd like to solve this problem myself as it'll be a good opportunity to improve my PHP a little bit.
Ok that's the problem I suspected it to be. The only thing is if it was missing the backslashes before the ' how come there's one in the database before it cuts off? Does that '\' always appear if you don't add backslashes before 's?
Simple - just open all PHP files and for each variable that gets sent to the database, add the mysql_real_escape_string function, e.g. mysql_real_escape_string($field); You may want to create a function that checks if magic quotes are on for your PHP setup. You then want to add an if clause, e.g. if magic quotes is on, return the variable unchanged, else return the variable with mysql_real_escape_string applied.
So if I have a variable I'm going to insert into the database do I do: if (!get_magic_quotes_gpc()){ $variableName = mysql_real_escape_string($variableName); } Then insert it into the database?
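An added example (not code from the purchased script or from anyone in this thread) of the magic-quotes-aware escaping helper the last two posts describe, alongside a mysqli prepared statement that removes the need for manual escaping; it assumes a hypothetical table `software` with a TEXT column `description` and placeholder connection credentials.

```php
<?php
// 1. The fix described in the thread: undo magic quotes if PHP applied them,
//    then escape for the connection's character set. Only relevant on old PHP
//    (magic_quotes_gpc was removed in 5.4, the mysql_* extension in 7.0).
function escape_for_mysql($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        // Strip the automatic backslashes first, otherwise escaping again
        // would store doubled backslashes (\\') in the database.
        $value = stripslashes($value);
    }
    return mysql_real_escape_string($value);
}

// 2. The preferred fix: a parameterised INSERT. The driver sends the value
//    separately from the SQL text, so quotes are stored verbatim and cannot
//    alter the statement, whatever the magic_quotes setting.
function save_description(mysqli $db, $description)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $description = stripslashes($description); // still undo magic quotes
    }
    $stmt = $db->prepare('INSERT INTO software (description) VALUES (?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $description);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed input containing both quote styles, like the text in the
// original post that was being truncated at the apostrophe.
$text = "Its very customisable. If there is a part of it you don't want "
      . "to use you can just \"switch\" it off.";

// Placeholder credentials (assumption); replace with the real ones.
$db = new mysqli('localhost', 'db_user', 'db_password', 'scripts');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
var_dump(save_description($db, $text)); // bool(true) when the row is stored
```

If the script still relies on the old mysql_* functions, applying escape_for_mysql() to every value that reaches a query stops the truncation; moving the queries to prepared statements as in save_description() also closes the SQL injection hole the second reply warns about.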