Can't sanitize user entered data

Question

I have a script that enables artists to edit their profile. One thing is proving to be a problem. I cannot how to sanitize what the user has entered. Everytime a ' is put in the data is not shown as it cuts the php short.

Here is my form for bio:

username = $_SESSION['username'];
    $pass = $_SESSION['password']; 
   include ("../database.php");
   $result = mysql_query("SELECT * FROM members WHERE username='$username' AND     password='$pass' AND artist='Y'");

while($row = mysql_fetch_array($result)){

       echo '<div id="artistsbio"><form action="phpscripts/artistupdate.php" method="post">
       <textarea name="bio" rows="10" cols="80" name="bio" value="'. $row['bio']. '" class="bio">'. $row['bio']. '</textarea><br>
       <div id="probwarn"><t1>Everything is still in the beta stage so there are bound to be a few problems. If you spot one please <a href="mailto:artists@newbornsounds.co.uk"><b>tell us about it.</b></a></t1></div>

       </div>';

Here is the script that uploads to database;

$username = $_SESSION['username']; 
    $pass = $_SESSION['password'];

     $artistname = $_POST['artistname'];
     $bio = $_POST['bio'];




include ("../database.php");
mysql_query("UPDATE members SET  bio='$bio', artistname ='$artistname'
WHERE username='$username' AND password='$pass'  AND artist='Y'");

$artisturl = mysql_query("SELECT * FROM members  
WHERE username='$username' AND password='$pass'  AND artist='Y'");

while($row = mysql_fetch_array($artisturl)){
if (isset($_POST['submit'])) {header("location:../artists/artist.php?    artist=".$row['artistname']."");}
}

}
else echo'<p1>You must be an artist to use these features.</p1>';

Yes, I am aware i need to upgrade to mysqli and I am aware I need to use prepared statements. Need to sort this out first though.

If you move to prepared statements then you won't _have_ to solve this kind of frustrating cruft... — sarnold, Jun 07 '12 at 00:40

score 0 · Answer 1 · answered Jun 07 '12 at 01:03

0

before entering anything to database, just call that:

mysql_real_escape_string($YOUR_POSSIBLY_QUOTED_STRING);

answered Jun 07 '12 at 01:03

score 0 · Accepted Answer · answered Jun 07 '12 at 11:08

If you're going to be using user input in an SQL query, it needs to be sanitized. Here's a simple example.

$username = mysql_real_escape_string($_SESSION['username']); 
$pass = mysql_real_escape_string($_SESSION['password']);
$artistname = mysql_real_escape_string($_POST['artistname']);
$bio = mysql_real_escape_string($_POST['bio']);

include ("../database.php");
mysql_query("UPDATE members SET  bio='$bio', artistname ='$artistname'
WHERE username='$username' AND password='$pass'  AND artist='Y'");

Can't sanitize user entered data

2 Answers2