Single Quotes in Form Inputs

am 27.07.2009 18:36:09 von Ben Miller


Hi,



I have a form in which my sales reps can add new clients into the database,
but I'm running into a problem if the client's name includes a single quote,
such as O'Henry, when it comes time to input the form data into the database
table. I'm guessing I need to use ereg_replace, or something similar, to
change the single quote, but I still can't seem to get the syntax right.
Any help would be appreciated. For what it's worth, here is a shortened
version of what I have:



$firstName = "$_POST[form_firstName]";

$lastName = "$_POST[form_lastName]";



$query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
VALUES ('$firstName','$lastName')");



Ben Miller





Re: Single Quotes in Form Inputs

am 27.07.2009 20:16:25 von Niel Archer

> Hi,
>
>
>
> I have a form in which my sales reps can add new clients into the database,
> but I'm running into a problem if the client's name includes a single quote,
> such as O'Henry, when it comes time to input the form data into the database
> table. I'm guessing I need to use ereg_replace, or something similar, to
> change the single quote, but I still can't seem to get the syntax right.
> Any help would be appreciated. For what it's worth, here is a shortened
> version of what I have:

You shouldn't be trusting form data. Single quotes can also be used to
add SQL injection.

Replace these two lines:

> $firstName = "$_POST[form_firstName]";
> $lastName = "$_POST[form_lastName]";

with:

$firstName = mysql_real_escape_string($_POST['form_firstName'], $conn);
$lastName = mysql_real_escape_string($_POST['form_lastName'], $conn);

Where $conn is your connection resource. Note also I've quoted the key
names, as they should be unless they are valid constants.
This will escape any newlines, apostrophes (single quotes), etc. and is
the absolute minimum you should be doing with any data you do not supply
yourself.

> $query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
> VALUES ('$firstName','$lastName')");
>
>
>
> Ben Miller

BTW ereg functions are deprecated in PHP 5.3, so now would be a good
time to start using the PCRE equivalents.


--
Niel Archer
niel.archer (at) blueyonder.co.uk



--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Single Quotes in Form Inputs

am 28.07.2009 05:29:57 von Manu Gupta


You can also use addslashes

On Mon, Jul 27, 2009 at 11:46 PM, Niel Archer wrote:

> > Hi,
> >
> >
> >
> > I have a form in which my sales reps can add new clients into the
> database,
> > but I'm running into a problem if the client's name includes a single
> quote,
> > such as O'Henry, when it comes time to input the form data into the
> database
> > table. I'm guessing I need to use ereg_replace, or something similar, to
> > change the single quote, but I still can't seem to get the syntax right.
> > Any help would be appreciated. For what it's worth, here is a shortened
> > version of what I have:
>
> You shouldn't be trusting form data. Single quotes can also be used to
> add SQL injection.
>
> Replace these two lines:
>
> > $firstName = "$_POST[form_firstName]";
> > $lastName = "$_POST[form_lastName]";
>
> with:
>
> $firstName = mysql_real_escape_string($_POST['form_firstName'], $conn);
> $lastName = mysql_real_escape_string($_POST['form_lastName'], $conn);
>
> Where $conn is your connection resource. Note also I've quoted the key
> names, as they should be unless they are valid constants.
> This will escape any newlines, apostrophes (single quotes), etc. and is
> the absolute minimum you should be doing with any data you do not supply
> yourself
>
> > $query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
> > VALUES ('$firstName','$lastName')");
> >
> >
> >
> > Ben Miller
>
> BTW ereg functions are deprecated in PHP 5.3, so now would be a good
> time to start using the PCRE equivalents.
>
>
> --
> Niel Archer
> niel.archer (at) blueyonder.co.uk
>
>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


--
Regards
MANU


Re: Single Quotes in Form Inputs

am 28.07.2009 06:12:58 von dmagick

Manu Gupta wrote:
> You can also use addslashes

No, you can't.

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Good reasons why addslashes is the wrong thing to use.

--
Postgresql & php tutorials
http://www.designmagick.com/



Re: Single Quotes in Form Inputs

am 28.07.2009 07:06:01 von kranthi

I prefer PHP Data Objects http://in3.php.net/manual/en/book.pdo.php to
addslashes and mysql_real_escape_string


Re: Single Quotes in Form Inputs

am 28.07.2009 07:43:25 von Niel Archer

> I prefer PHP Data Objects http://in3.php.net/manual/en/book.pdo.php to
> addslashes and mysql_real_escape_string

I prefer PDO myself. However, it is not necessarily safer. When using
prepared statements the parameters are automatically escaped similar to
mysql(i)_real_escape_string, if my reading of the documentation is
correct. But as far as I can tell no escaping is performed on PDO::query
or PDO::exec other than what you do yourself, so you have the same risks
that need to be addressed.

--
Niel Archer
niel.archer (at) blueyonder.co.uk




Re: Single Quotes in Form Inputs

am 28.07.2009 08:10:24 von dmagick

Niel Archer wrote:
>> I prefer PHP Data Objects http://in3.php.net/manual/en/book.pdo.php to
>> addslashes and mysql_real_escape_string
>
> I prefer PDO myself. However, it is not necessarily safer. When using
> prepared statements the parameters are automatically escaped similar to
> mysql(i)_real_escape_string, if my reading of the documentation is
> correct.

No, prepared statements are better than that. The database knows that
what you pass in can only be data, and you can't get out of that
"parameter" thus you're safe from sql-injection. (I'm trying to find a
decent doc that explains this but can't find anything).

> But as far as I can tell no escaping is performed on PDO::query
> or PDO::exec other than what you do yourself, so you have the same risks
> that need to be addressed.

Correct. See PDO::Quote (http://www.php.net/manual/en/pdo.quote.php).

--
Postgresql & php tutorials
http://www.designmagick.com/


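The script below is an added example and not code posted by anyone in this thread; it puts the three approaches discussed above side by side: the interpolated query from Ben's original post, a PDO prepared statement as in the exchange between kranthi, Niel and dmagick, and PDO::quote for the case where the SQL is still built as a string. It uses PDO's SQLite driver with an in-memory database so it runs offline (the `sqlite::memory:` DSN is an assumption; for MySQL only the DSN and credentials change), the table and column names follow Ben's INSERT, and the two name values are constructed stand-ins for the `$_POST` fields.

```php
<?php
// Added example, not from the thread. PDO with an in-memory SQLite database
// (assumption: any PDO driver behaves the same for the points shown here).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (cust_first TEXT, cust_last TEXT)');

// Constructed sample input standing in for $_POST['form_firstName'] and
// $_POST['form_lastName'] from the original post.
$firstName = 'Ben';
$lastName  = "O'Henry";

// 1. Interpolating the values into the SQL text, as in the original post.
//    The apostrophe in O'Henry closes the string literal early, so the
//    statement fails to parse. This is the symptom Ben asked about.
try {
    $pdo->exec("INSERT INTO customers (cust_first, cust_last)
                VALUES ('$firstName', '$lastName')");
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement with bound parameters. The SQL text is parsed once
//    with placeholders; the values are passed separately and can only ever
//    be data, so no quoting or escaping of them is needed.
$stmt = $pdo->prepare(
    'INSERT INTO customers (cust_first, cust_last) VALUES (:first, :last)'
);
$stmt->execute([':first' => $firstName, ':last' => $lastName]);

// 3. PDO::query() and PDO::exec() perform no escaping of their own. If the
//    SQL must be assembled as a string, PDO::quote() supplies the delimiters
//    and driver-specific escaping (for SQLite, O'Henry becomes 'O''Henry').
$sql = sprintf(
    'INSERT INTO customers (cust_first, cust_last) VALUES (%s, %s)',
    $pdo->quote($firstName),
    $pdo->quote($lastName)
);
$pdo->exec($sql);

// Read back: the two successful inserts hold the apostrophe intact.
$rows = $pdo->query('SELECT cust_first, cust_last FROM customers')
            ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    printf("%s %s\n", $row['cust_first'], $row['cust_last']);
}
```

Running it prints the parse error for approach 1 followed by "Ben O'Henry" twice. Approach 2 is the one to standardise on: the value never touches the SQL text, which is the distinction dmagick draws between a prepared statement and escaping. Approach 3 is only for the PDO::query/PDO::exec path Niel raises, and note that the mysql_ extension used in the original post has since been removed from PHP (as of PHP 7), so mysql_real_escape_string is no longer available at all.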