Single Quotes in Form Inputs

on 27.07.2009 18:35:02 by Ben Miller


Hi,
I have a form in which my sales reps can add new clients into the database,
but I'm running into a problem if the client's name includes a single quote,
such as O'Henry, when it comes time to input the form data into the database
table. I'm guessing I need to use ereg_replace, or something similar, to
change the single quote, but I still can't seem to get the syntax right.
Any help would be appreciated. For what it's worth, here is a shortened
version of what I have:

$firstName = $_POST['form_firstName'];
$lastName  = $_POST['form_lastName'];

// the values are interpolated into the SQL text unescaped, so a name such as
// O'Henry ends the quoted string literal early
$query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
VALUES ('$firstName','$lastName')");

Ben Miller

Re: Single Quotes in Form Inputs

on 27.07.2009 18:41:26 by Mari Masuda

You need to sanitize and escape the input before inserting it into
the db. You can use http://us.php.net/mysql_real_escape_string to
escape the input.

On Jul 27, 2009, at 09:35, Ben Miller wrote:

> Hi,
>
>
>
> I have a form in which my sales reps can add new clients into the
> database,
> but I'm running into a problem if the client's name includes a
> single quote,
> such as O'Henry, when it comes time to input the form data into the
> database
> table. I'm guessing I need to use ereg_replace, or something
> similar, to
> change the single quote, but I still can't seem to get the syntax
> right.
> Any help would be appreciated. For what it's worth, here is a
> shortened
> version of what I have:
>
>
>
> $ firstName = "$_POST[form_firstName]";
>
> $ lastname = "$_POST[form_lastName]";
>
>
>
> $query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
> VALUES ('$firstName','$lastName')");
>
>
>
> Ben Miller
>
>
>


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Single Quotes in Form Inputs

on 27.07.2009 19:12:56 by Phpster

On Mon, Jul 27, 2009 at 12:41 PM, Mari Masuda wrote:
> You need to sanitize and escape the input before inserting it into the db.
> You can use http://us.php.net/mysql_real_escape_string to escape the input.
>
> On Jul 27, 2009, at 09:35, Ben Miller wrote:
>
>> Hi,
>>
>>
>>
>> I have a form in which my sales reps can add new clients into the
>> database,
>> but I'm running into a problem if the client's name includes a single
>> quote,
>> such as O'Henry, when it comes time to input the form data into the
>> database
>> table. I'm guessing I need to use ereg_replace, or something similar, to
>> change the single quote, but I still can't seem to get the syntax right.
>> Any help would be appreciated. For what it's worth, here is a shortened
>> version of what I have:
>>
>>
>>
>> $ firstName = "$_POST[form_firstName]";
>>
>> $ lastname = "$_POST[form_lastName]";
>>
>>
>>
>> $query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
>> VALUES ('$firstName','$lastName')");
>>
>>
>>
>> Ben Miller
>>
>>
>>
>
>
>
>

I like to use http://ca3.php.net/manual/en/function.htmlentities.php

--

Bastien

Cat, the other other white meat


Re: Single Quotes in Form Inputs

on 27.07.2009 19:30:43 by Michael Peters

Bastien Koert wrote:
> On Mon, Jul 27, 2009 at 12:41 PM, Mari Masuda wrote:
>> You need to sanitize and escape the input before inserting it into the db.
>> You can use http://us.php.net/mysql_real_escape_string to escape the input.
>>
>> On Jul 27, 2009, at 09:35, Ben Miller wrote:
>>
>>> Hi,
>>>
>>>
>>>
>>> I have a form in which my sales reps can add new clients into the
>>> database,
>>> but I'm running into a problem if the client's name includes a single
>>> quote,
>>> such as O'Henry, when it comes time to input the form data into the
>>> database
>>> table. I'm guessing I need to use ereg_replace, or something similar, to
>>> change the single quote, but I still can't seem to get the syntax right.
>>> Any help would be appreciated. For what it's worth, here is a shortened
>>> version of what I have:
>>>
>>>
>>>
>>> $ firstName = "$_POST[form_firstName]";
>>>
>>> $ lastname = "$_POST[form_lastName]";
>>>
>>>
>>>
>>> $query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
>>> VALUES ('$firstName','$lastName')");
>>>
>>>
>>>
>>> Ben Miller
>>>
>>>
>>>
>>
>>
>>
>
> I like to use http://ca3.php.net/manual/en/function.htmlentities.php
>

htmlentities should not be used on the data before it goes into the
database. If used it should be used on data coming out of the database.


Re: Single Quotes in Form Inputs

on 27.07.2009 20:10:08 by List Manager

Michael A. Peters wrote:
> Bastien Koert wrote:
>> On Mon, Jul 27, 2009 at 12:41 PM, Mari Masuda
>> wrote:
>>> You need to sanitize and escape the input before inserting it into
>>> the db.
>>> You can use http://us.php.net/mysql_real_escape_string to escape the
>>> input.
>>>
>>> On Jul 27, 2009, at 09:35, Ben Miller wrote:
>>>
>>>> Hi,
>>>>
>>>>
>>>>
>>>> I have a form in which my sales reps can add new clients into the
>>>> database,
>>>> but I'm running into a problem if the client's name includes a single
>>>> quote,
>>>> such as O'Henry, when it comes time to input the form data into the
>>>> database
>>>> table. I'm guessing I need to use ereg_replace, or something
>>>> similar, to
>>>> change the single quote, but I still can't seem to get the syntax
>>>> right.
>>>> Any help would be appreciated. For what it's worth, here is a
>>>> shortened
>>>> version of what I have:
>>>>
>>>>
>>>>
>>>> $ firstName = "$_POST[form_firstName]";
>>>>
>>>> $ lastname = "$_POST[form_lastName]";
>>>>
>>>>
>>>>
>>>> $query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
>>>> VALUES ('$firstName','$lastName')");
>>>>
>>>>
>>>>
>>>> Ben Miller
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>> I like to use http://ca3.php.net/manual/en/function.htmlentities.php
>>
>
> htmlentities should not be used on the data before it goes into the
> database. If used it should be used on data coming out of the database.
>

To summarize:

You should prep your data for insertion into the database by using a tool
that formats it strictly for the database. In the OP's case
mysql_real_escape_string() is the correct tool for the job.

htmlentities() is a presentation sanitizing/cleaning tool. But it
should only be used for output to the browser, etc. Same thing with
htmlspecialchars() and all other related functions.


RE: Single Quotes in Form Inputs

on 27.07.2009 21:40:49 by jenai tomaka

I think mysql_real_escape_string() works well, but only if you are using a
MySQL db; if you are using another db, the best function is addslashes, but
for other special characters you will need to treat them in other ways.

Yuri Yarlei.
Programmer PHP, CSS, Java, PostgreSQL;
Today PHP, tomorrow Java, after the world.
Kyou wa PHP, ashita wa Java, sono ato sekai desu.


> Date: Mon, 27 Jul 2009 11:10:08 -0700
> From: lists@cmsws.com
> To: mpeters@mac.com
> CC: phpster@gmail.com; mbmasuda@stanford.edu; biprellim@gmail.com; php-general@lists.php.net
> Subject: Re: [PHP] Single Quotes in Form Inputs
>
> Michael A. Peters wrote:
> > Bastien Koert wrote:
> >> On Mon, Jul 27, 2009 at 12:41 PM, Mari Masuda
> >> wrote:
> >>> You need to sanitize and escape the input before inserting it into
> >>> the db.
> >>> You can use http://us.php.net/mysql_real_escape_string to escape the
> >>> input.
> >>>
> >>> On Jul 27, 2009, at 09:35, Ben Miller wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I have a form in which my sales reps can add new clients into the
> >>>> database,
> >>>> but I'm running into a problem if the client's name includes a single
> >>>> quote,
> >>>> such as O'Henry, when it comes time to input the form data into the
> >>>> database
> >>>> table. I'm guessing I need to use ereg_replace, or something
> >>>> similar, to
> >>>> change the single quote, but I still can't seem to get the syntax
> >>>> right.
> >>>> Any help would be appreciated. For what it's worth, here is a
> >>>> shortened
> >>>> version of what I have:
> >>>>
> >>>> $ firstName = "$_POST[form_firstName]";
> >>>>
> >>>> $ lastname = "$_POST[form_lastName]";
> >>>>
> >>>> $query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
> >>>> VALUES ('$firstName','$lastName')");
> >>>>
> >>>> Ben Miller
> >>>>
> >>>
> >> I like to use http://ca3.php.net/manual/en/function.htmlentities.php
> >>
> >
> > htmlentities should not be used on the data before it goes into the
> > database. If used it should be used on data coming out of the database.
> >
>
> To summarize:
>
> You should prep your data for insertion into the data by using a tool
> that formats it strictly for the database. In the ops case
> mysql_real_escape_string() is the correct tool for the job.
>
> htmlentities() is a presentation sanitizing/cleaning tool. But, it
> should only be used for output to the browser, etc... Same thing with
> htmlspecialchars() and all other related function.
>


RE: Single Quotes in Form Inputs

on 27.07.2009 21:44:52 by Bob McConnell

From: Yuri Yarlei

> I think mysql_real_escape_string() is work well, but if
> you are use mysql db, if you are using another db, the best
> function is addslashes but for another special characters
> you will need treat them with another ways

Slashes are the wrong character to use. The official SQL escape is a
single quote character. Some database managers accept either, but using
slashes can cause more problems than they solve. Find the correct
escape_string function for your database and use it.

Bob McConnell


Re: Single Quotes in Form Inputs

on 28.07.2009 07:40:43 by Ben Dunlap

>>>> You can use http://us.php.net/mysql_real_escape_string to escape the
>>>> input.
[8<]
> You should prep your data for insertion into the data by using a tool
> that formats it strictly for the database. In the ops case
> mysql_real_escape_string() is the correct tool for the job.

What about using prepared statements? This is my preferred method of
"escaping output" when I'm using variables in a database query. Of
course the ease and convenience of this method will depend to a great
extent on what version of PHP is available on the server.

For the OP, have you read up much on SQL injection? If not, here's a
decent place to start: http://www.owasp.org/index.php/SQL_injection

Ben

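As an added example, not code from any of the posts: the OP's insert done the three ways the thread discusses (raw interpolation, escaping for the database, a prepared statement) plus escaping at output time, using PDO with an in-memory SQLite database so it runs stand-alone. The same PDO calls work against MySQL with a different DSN; PDO::quote stands in for mysql_real_escape_string, and the form values are constructed.

```php
<?php
// Added example, not from the thread. In-memory SQLite via PDO so the script
// runs offline (assumes the stock pdo_sqlite extension); swap the DSN for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (cust_first TEXT, cust_last TEXT)');

// Constructed form submission using the name from the original post.
$form = ['form_firstName' => "O'Henry", 'form_lastName' => 'Smith'];
$firstName = $form['form_firstName'];
$lastName  = $form['form_lastName'];

// 1. The OP's approach: interpolate the raw value. The apostrophe in O'Henry
//    closes the SQL string literal early, so the statement is malformed.
try {
    $db->exec("INSERT INTO customers (cust_first, cust_last)
               VALUES ('$firstName', '$lastName')");
} catch (PDOException $e) {
    echo "Raw interpolation failed: ", $e->getMessage(), "\n";
}

// 2. Escaping for the database. PDO::quote is the driver-aware equivalent of
//    mysql_real_escape_string and adds the surrounding quotes itself; for
//    SQLite it doubles the embedded single quote, the SQL-standard escape.
echo "Escaped literal: ", $db->quote($firstName), "\n";
$db->exec('INSERT INTO customers (cust_first, cust_last) VALUES ('
          . $db->quote($firstName) . ', ' . $db->quote($lastName) . ')');

// 3. Prepared statement: the value never becomes part of the SQL text, so no
//    escaping is needed at all. This is the preferred method.
$stmt = $db->prepare('INSERT INTO customers (cust_first, cust_last) VALUES (?, ?)');
$stmt->execute([$firstName, $lastName]);

// Both working inserts stored the name exactly as typed, quote included.
// htmlentities/htmlspecialchars belong here, at output time, not at insert
// time: the table keeps the raw apostrophe, the browser gets an entity.
foreach ($db->query('SELECT cust_first, cust_last FROM customers') as $row) {
    $safeFirst = htmlspecialchars($row['cust_first'], ENT_QUOTES, 'UTF-8');
    $safeLast  = htmlspecialchars($row['cust_last'], ENT_QUOTES, 'UTF-8');
    echo "<li>$safeFirst $safeLast</li>\n";
}
```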

Re: Single Quotes in Form Inputs

on 28.07.2009 09:19:25 by Michael Peters

Ben Dunlap wrote:
>>>>> You can use http://us.php.net/mysql_real_escape_string to escape the
>>>>> input.
> [8<]
>> You should prep your data for insertion into the data by using a tool
>> that formats it strictly for the database. In the ops case
>> mysql_real_escape_string() is the correct tool for the job.
>
> What about using prepared statements? This is my preferred method of
> "escaping output" when I'm using variables in a database query. Of
> course the ease and convenience of this method will depend to a great
> extent on what version of PHP is available on the server.
>
> For the OP, have you read up much on SQL injection? If not, here's a
> decent place to start: http://www.owasp.org/index.php/SQL_injection
>
> Ben
>

Prepared statements are what I use.

-=-

The problem I have with htmlentities is that the entities are only
guaranteed for HTML. Many of the entities do not work in other SGML or
XML applications; it is better to just use the numbered entity (i.e.
&#160; for a non-breaking space) or, for things like smart quotes,
possessive apostrophes, etc., the proper UTF-8 character directly (make
sure to serve the document as UTF-8 encoded and that your database is set to
UTF-8).

I found that out the hard way, and had to redo a lot of stuff where I
previously used the PHP htmlentities function. Using the function to
spit out HTML is fine, but to write functions / classes you can re-use
in non-HTML documents, you should avoid it altogether.
