
Where can I place the addslashes or magicquotes coding that will allow punctuation to show up when users submit data to the website for the name and city fields?

<?php
if(isset($_POST['submit'])) {
    $name=$_POST["element_1"];
    $xxx=$_POST["element_2_1"];
    $xxxxx=$_POST["element_2_2"];
    $xxxxx=$_POST["element_2_3"];
    $xxxxx=$_POST["element_3_1"];
    $xxxxxd=$_POST["element_3_2"];
    $xxxxxx=$_POST["element_3_3"];
    $xxxxx=$_POST["element_4_1"];
    $xxxxx=$_POST["element_4_2"];
    $city=$_POST["element_4_3"];
    $xxx=$_POST["element_4_4"];
    $xxp=$_POST["element_4_5"];
    $desc=$_POST["element_5"];
    //$file=$_FILES['element_6'];
    $link=$_POST["element_7"];
    // $stdatemm/$stdatedd/$stdateyy and $endatemm/$endatedd/$endateyy are not
    // assigned above; they are expected to come from the form's date fields.
    $stdate=$stdatemm."-".$stdatedd."-".$stdateyy;
    $endate=$endatemm."-".$endatedd."-".$endateyy;
    $user=$_POST["postuser"];
}
user2512412
  • use PDO to save your data to mysql - PDO does escaping for you. – michi Aug 16 '13 at 00:17
  • If you instead want to go the cumbersome route, add [`mysql_real_escape_string`](http://php.net/mysql_real_escape_string) around all string variables (instead of addslashes). See [How can I prevent SQL injection in PHP?](http://stackoverflow.com/q/60174) for the easier approach. – mario Aug 16 '13 at 00:18
  • @user2512412: I assumed you wanted to save the user input to database, right? Here's a website for PDO: http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers and remember, google is your friend ;-) – michi Aug 16 '13 at 00:20
  • As a pro tip: If you are currently learning from documentation or a tutorial which instructs you to use `addslashes()` or magic_quotes_gpc, _stop using it right now_ and find an up to date reference. Start with the SQL injection post linked by @mario. Methods like `addslashes()` fell out of favor many many years ago, and magic_quotes_gpc was deprecated 4+ years ago. – Michael Berkowski Aug 16 '13 at 00:20
  • And don't use dates in MM-DD-YY format. MySQL wants them in YYYY-MM-DD format. – Bill Karwin Aug 16 '13 at 00:21

1 Answer

You need to escape the user-submitted content while saving it to the database.

// Your var with `"/'` chars
$name=$_POST["element_1"];

// Escape it for database storage
$name_escaped = mysql_real_escape_string($name);

// Use the escaped version in your query
mysql_query("INSERT INTO table (column) VALUES ('" . $name_escaped . "')");

Note: The mysql_real_escape_string() function must be called after you have initialised the MySQL connection, but before you execute your MySQL query.

Note: This way of executing MySQL queries is deprecated as of PHP 5.5, therefore you should use the Mysqli or PDO methods.

In any case, when retrieving the content from the database it shouldn't be escaped; therefore, if you want to display it on an HTML page, make sure to use htmlspecialchars() so chars like "<" don't break the HTML:

<html>
<body>
    <div>
        <?php echo htmlspecialchars($name_fromDB); ?>
    </div>
</body>
</html>
Community
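As an added example (not part of the original question or answer), this is how the name and city fields from the form above would be stored with a PDO prepared statement, as the comments recommend, and then displayed through htmlspecialchars(). The DSN, credentials, the `events` table with its `id`, `name`, `city` and `start_date` columns, and the `stdateyy`/`stdatemm`/`stdatedd` POST field names are assumptions.

```php
<?php
// Added example: PDO prepared statements replace addslashes()/mysql_real_escape_string().
// DSN, credentials and the table/column names are assumed, not taken from the page.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

if (isset($_POST['submit'])) {
    // Raw input: apostrophes and other punctuation stay exactly as typed.
    $name = $_POST['element_1'] ?? '';
    $city = $_POST['element_4_3'] ?? '';

    // Build the date in the YYYY-MM-DD form MySQL expects for DATE columns
    // (the three parts are assumed to come from the form's date widget).
    $stdate = sprintf('%04d-%02d-%02d',
        (int)($_POST['stdateyy'] ?? 0),
        (int)($_POST['stdatemm'] ?? 0),
        (int)($_POST['stdatedd'] ?? 0));

    // Placeholders keep data separate from SQL: a name such as O'Brien is
    // stored verbatim and cannot change the structure of the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO events (name, city, start_date) VALUES (:name, :city, :start_date)'
    );
    $stmt->execute([
        ':name'       => $name,
        ':city'       => $city,
        ':start_date' => $stdate,
    ]);
}

// Reading back: the stored value is unescaped, so encode for the HTML
// context only at output time, never before storage.
$rows = $pdo->query('SELECT name, city FROM events ORDER BY id DESC LIMIT 10');
foreach ($rows as $row) {
    echo '<li>',
        htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ' - ',
        htmlspecialchars($row['city'], ENT_QUOTES, 'UTF-8'),
        "</li>\n";
}
```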