Preparing HTML Form Input for SQL Database using PHP

Question

I'm currently testing a html form which sends the data through php to the sql database. The problem I'm facing is special characters break the form and don't update the database. I haven't tested all the special characters but mainly ` and ' are the culprits. I've tried mysql_escape_string, preg_replace and add_slashes with no success. What am I missing?

$description = preg_replace('/[^A-Za-z0-9\ %&$=+*?()!.-]/', ' ', $_POST['description']);
$description = preg_replace("/[\n\r]/"," ",$description);

// Items Insert
foreach ($item as $index=>$value) {
$sqlItems .= "
    INSERT INTO quote_items (quote_id, item, description, amount, gst)
    VALUES ('$last_id', '$item[$index]', '$description[$index]', '$amount[$index]', '$gst[$index]');
";
}

Thanks in advance!

Mate, always include code and results in your question! This way we can't guess which code your using. — Benjamin de Bos, Oct 18 '16 at 21:58
Sorry I'll add it now, I was assuming there was a standard php function I was missing. — SEOEGC, Oct 18 '16 at 22:03

score 0 · Answer 1 · answered Oct 18 '16 at 21:57

0

Can you post you DB call? Those two characters in particular look like they would conflict in a DB call.

The ` is usually wrapped a table or column name and the ' is usually wrapped around values.

Both of these would cause a problem but without code its hard to say

answered Oct 18 '16 at 21:57

Xanfar

124
6

Hi DevFX, I've edited now. I assumed there was a php function that was standard. Thanks. – SEOEGC Oct 18 '16 at 22:31
ok first the single quote ' in your values will break because it becomes the end quote for each value and your DB call becomes jumbled – Xanfar Oct 18 '16 at 22:38

Xanfar · Accepted Answer · 2016-10-18T23:00:52.423

0

you can try this (a little dirty) but it should allow those 2 characters to be saved

$sqlItems .= '
    INSERT INTO `quote_items` (quote_id, item, description, amount, gst)
    VALUES ("'.$last_id.'", "'.$item[$index].'", "'.$description[$index].'", "'.$amount[$index].'", "'.$gst[$index].'");
';

EDIT: sorry had the quotes reversed

edited Oct 18 '16 at 23:00

answered Oct 18 '16 at 22:46

Xanfar

124
6

Hi DevFx, Thank you, that's worked for those two characters. What exactly does that do and why is it dirty? I can now use '`-={}|[]\:";'<>?,./ symbols without the form breaking. I've tested the form with random combinations of symbols. I can't see a pattern as to why the form is breaking on some symbols and not others. f~ saves f~! saves f~!@ saves f~!@# does not save f~!@#$ does not save f~!@#$% does not save ##asdf#asdf saves @#$ saves – SEOEGC Oct 18 '16 at 23:20
Hi Azyrus I only call it dirty because i would prefer PDO or some type of framework. Please refer to php.net [HERE](http://php.net/manual/en/pdo.prepared-statements.php). – Xanfar Oct 19 '16 at 00:53

Preparing HTML Form Input for SQL Database using PHP

2 Answers2