
I have a form in which I add an "attraction" to my SQL database. My problem is that the input area is not tolerant of apostrophes. Since this form is in Hebrew, apostrophes are very important since they are used a lot!!

EDIT - This is my revised code after viewing the pages you referred me to:

// PDO style: named placeholders bound with bindValue(); $conn must be a PDO object here
$query1 = $conn->prepare("INSERT INTO guide (Name, Country, Attraction, Email, Phone, Picture) VALUES (:name, :country, :attraction, :email, :phone, :picture)");
$query1->bindValue(':name', $name);
$query1->bindValue(':country', $country);
$query1->bindValue(':attraction', $attraction);
$query1->bindValue(':email', $email);
$query1->bindValue(':phone', $phone);
$query1->bindValue(':picture', $picture);
// execute() runs the prepared statement and returns true/false; the bound values
// are sent as data, so an apostrophe inside them cannot break the SQL.
// There is no separate mysqli_query() call: mysqli_query() expects a mysqli link
// and an SQL string, not a PDO statement object, so that call always failed.
$result = $query1->execute();

EDIT2 - Also tried:

// mysqli style: positional placeholders bound with bind_param(); $conn must be a mysqli link here
$query1 = $conn->prepare("INSERT INTO guide (Name, Country, Attraction, Email, Phone) VALUES (?, ?, ?, ?, ?)");
// bind in the same order as the column list: Email before Phone
$query1->bind_param("sssss", $name, $country, $attraction, $email, $phone);
// execute() returns true on success; passing the statement object to
// mysqli_query() (as in the original) returns false, which is what triggered the error branch
$result = $query1->execute();
if ($result) {
    header("Location: add_review.php");
    exit;
}
else {
    echo " ERROR MESSAGE ";
}

Edit 3 Solved -- What I needed was very simple.. this was my solution:

// doubles every single quote so the value survives being concatenated into a quoted SQL string literal
$name = str_replace("'", "''", $name);
Ziv Oriol
  • This is an issue usually referred to as "sql injection attack vulnerability". You take the user submitted input and blindly inject it into your sql statements by means of string concatenation. However in such statements some characters have special meaning. You have to "escape" such characters to get them in a literal sense. Without that "escaping" the client side can trick your mysql server into executing arbitrary commands on your system! Please take a look at the advantages of "prepared statements" in combination with "parameter binding" that the `mysqli` extension offers. – arkascha Oct 06 '16 at 08:25
  • I am not a programmer, this form was made for me, and the programmer didn't know how to solve this problem. Any chance you can elaborate and make it simpler for me to understand? – Ziv Oriol Oct 06 '16 at 08:30
  • There are many many questions here on SO asking _exactly_ what you ask. Just take a look at one of the answers to those questions. Maybe that one: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php Also take a look at the right hand side in this view. There is a section "Related"... – arkascha Oct 06 '16 at 08:32
  • Besides: a programmer implementing a web application accepting client side input fed into a database, and that programmer "didn't know how to solve this problem"? I suggest that programmer stops programming until he has learned that lesson. This is not only important, but _critical_. – arkascha Oct 06 '16 at 08:33
  • Looks like there were quite a few things your developer did not understand about HTML/PHP/etc – RiggsFolly Oct 06 '16 at 08:44
  • Guys my programmer won't reply to me. I am desperate for help.. please can anyone explain this simply to me? – Ziv Oriol Oct 28 '16 at 17:33
  • @ZivOriol - I can try to help but I'm not sure exactly what you are asking. Is the problem with what your web form is delivering to PHP via $_POST (ie. is what is being placed into $attraction not what you are expecting); or is it with the SQL database insert you are showing above? – Pancho Oct 28 '16 at 20:22
  • @Pancho Thanks for the reply! I am not sure where the problem is, maybe you can help me figure that out: I have an input field named "attraction", which is a free input field for the user to write whatever they want. If the user uses an apostrophe (') I will get an error and his input will not be received. So is my problem in the $_POST['attraction'] area? Or the input to the database? **I note again that I have little programming experience, and am just trying to understand how to fix this.. – Ziv Oriol Oct 28 '16 at 20:42
  • @RyanVincent What does it mean to validate the input form? This is my HTML code for the input area: This is the PHP code: $name = $_POST["Name"]; So how would I validate the input? – Ziv Oriol Oct 28 '16 at 20:54
  • @ZivOriol - ok thanks - 1 of your $_POST fields is being used to populate $attraction. Please enter very short simple illustrative text into your form then print the resulting value in $attraction (this will help illustrate the problem you are seeing) – Pancho Oct 28 '16 at 20:58
  • @RyanVincent Thanks but I am pretty sure that in a 5 min chat we can solve this! (unfortunately a local experienced programmer will cost me a lot...) – Ziv Oriol Oct 28 '16 at 20:59
  • @ZivOriol - also, if you are unsure I recommend checking that your page is UTF8 encoded - ie. does it have a statement something like this "" in the section of the page – Pancho Oct 28 '16 at 21:03
  • @Pancho It does not have the UTF8 meta tag. The problem with the short illustrative text is that if I insert a ' character I get an error message. Look in the second edit - this is the error msg I get – Ziv Oriol Oct 28 '16 at 21:06
  • @ZivOriol - can you please paste the exact error message you are being shown – Pancho Oct 28 '16 at 21:10
  • @ZivOriol - ok I guess from your latest edit, you must be seeing " ERROR MESSAGE ". If I'm understanding correctly then the error is occurring on insert into the database and has no relevance to the web aspect at all – Pancho Oct 28 '16 at 21:12
  • @ZivOriol - when building strings for insertion into the database (which as discussed above is a problematic way of doing things) then the ' character can cause issues as it is a string delimiter. However using bind variables (recommended approach) as you are showing in your edits above should remove this problem entirely as the database should treat the entire bind variable as a string including any single quotes it contains. As this doesn't seem to be working for you, the only thing I can suggest is to escape the single quotes as follows: http://stackoverflow.com/a/9596685/3051627 – Pancho Oct 28 '16 at 21:20
  • @ZivOriol - 2 last things: a. I am not a mySQL expert and I don't know exactly what errors it returns but the condition you have in the statement above will mask any native error being returned from mySQL - so you may want to investigate trapping the mySQL error and displaying that; and b. if security is a consideration for you then I strongly recommend taking Ryan Vincent's advice and getting an experienced developer to look at your code in more detail as malicious attackers can cause havoc / obtain information if your user input data cleansing is not up to scratch – Pancho Oct 28 '16 at 21:26
  • @Pancho THANKS For all the help! I will make a little trial and error and hopefully solve this..... – Ziv Oriol Oct 28 '16 at 21:28
  • @ZivOriol - no worries, I'm sure you will :) . One request is that when you do, please do put your solution here so that others can learn and grow! good luck – Pancho Oct 28 '16 at 21:31
  • @Pancho you led me to the solution -- Thanks!! *I know it is not safe from injections, but this is what I needed.. – Ziv Oriol Oct 28 '16 at 22:22
  • @ZivOriol - great, I'm pleased I could help. Please could you mark whichever comment helped most as "adds something useful" (by floating your mouse to the left of the comment and clicking the up arrow) it will then potentially be of help to others also. – Pancho Oct 28 '16 at 22:27
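As an added example, not code from the question or from any of the commenters: a complete PDO version of the EDIT 1 insert, the "bind variables" approach Pancho describes above, where a bound value is treated as one string including any apostrophes it contains. It runs against an in-memory SQLite table named `guide` with the question's column names, so it works offline; the SQLite DSN, the helper names `connect`, `addAttraction` and `attractionFor`, and the sample row are my assumptions.

```php
<?php
// Added example, not code from the question or its comments.
// A parameterised INSERT that stores apostrophes (and any other text) verbatim,
// using PDO as in EDIT 1. The database is an in-memory SQLite table so the
// script runs without a MySQL server; for MySQL swap the DSN for something like
// "mysql:host=localhost;dbname=DBNAME;charset=utf8mb4" (placeholder values).
// Table and column names are the ones in the question; helper names are mine.

function connect(): PDO
{
    $conn = new PDO('sqlite::memory:');
    // Throw on failure so the real database error surfaces instead of being
    // masked by a generic " ERROR MESSAGE " branch.
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $conn->exec('CREATE TABLE guide (Name TEXT, Country TEXT, Attraction TEXT,
                                     Email TEXT, Phone TEXT, Picture TEXT)');
    return $conn;
}

// Insert one row. The values never touch the SQL text: they are sent as
// parameters, so a ' inside them is data, not a string delimiter.
function addAttraction(PDO $conn, array $row): bool
{
    $stmt = $conn->prepare(
        'INSERT INTO guide (Name, Country, Attraction, Email, Phone, Picture)
         VALUES (:name, :country, :attraction, :email, :phone, :picture)'
    );
    // execute() binds and runs the statement in one step. There is no separate
    // mysqli_query() call: handing the statement object to mysqli_query() is
    // what returned false in the question's EDIT 2.
    return $stmt->execute([
        ':name'       => $row['name'],
        ':country'    => $row['country'],
        ':attraction' => $row['attraction'],
        ':email'      => $row['email'],
        ':phone'      => $row['phone'],
        ':picture'    => $row['picture'],
    ]);
}

// Read the stored Attraction back for a given Name, again via a bound parameter.
function attractionFor(PDO $conn, string $name): ?string
{
    $stmt = $conn->prepare('SELECT Attraction FROM guide WHERE Name = :name');
    $stmt->execute([':name' => $name]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

$conn = connect();

// Constructed sample row: Hebrew text with the apostrophe (geresh) that broke the
// original form, plus an ASCII apostrophe and a double quote for good measure.
$sample = [
    'name'       => "ג'ון",
    'country'    => 'ישראל',
    'attraction' => "פאב ג'ורג' (George's \"Pub\")",
    'email'      => 'example@example.invalid',
    'phone'      => '000-0000000',
    'picture'    => 'george.jpg',
];

addAttraction($conn, $sample);

// The value round-trips unchanged: no str_replace and no doubled quotes needed.
if (attractionFor($conn, $sample['name']) === $sample['attraction']) {
    echo "stored verbatim: {$sample['attraction']}\n";
} else {
    echo "mismatch\n";
}
```

The mysqli equivalent of `addAttraction` is the question's EDIT 2 with one change: after `bind_param()` call `$result = $query1->execute();` and drop the `mysqli_query($conn, $query1)` line, since `mysqli_query()` takes an SQL string, not a prepared statement object. Either way the apostrophe problem disappears because the text is sent as a parameter value rather than spliced into the SQL, which is also what closes the injection issue arkascha raises; the `str_replace("'", "''", ...)` workaround only papers over the symptom for that one character.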
