special characters causing POST error

Question

teajayo 0 Newbie Poster

14 Years Ago

Hi. I haven't been able to figure out how to allow names with apostrophes such as mine, O'Connor , to POST. Also someone tried to post a smiley face like :) and that also threw an error.

I have tried adding this :: mysql_query("SET NAMES 'utf8'"); // UTF 8 support!! before the variables to POST are defined, but that doesn't work. I am working on a vendor database and it is up and is searchable and can be added to... as long as the person doesn't type any single quotes or other characters. So I guess I need a snippet to add to insert.php before the POST variables... and will also need to add it to the update.php page when I create that... but one thing at a time. No sense going forward when the present is not working.

Am I making any sense? This is something that should be easy, but is driving me nuts.

Thanks - Tom

php

4 Contributors
14 Replies
88 Views
2 Days Discussion Span
Latest Post 14 Years Ago Latest Post by teajayo

diafol

14 Years Ago

use addslashes($string) before placing into DB.

In fact use mysql_real_escape_string($string).

diafol

14 Years Ago

$cid = mysql_connect($host,$usr,$pwd);
 
//check form posted - use the [B]name[/B] of the submit button to check
if (isset($_POST['submit']) { 
$companyname=mysql_real_escape_string($_POST['CompanyName']);
$city=mysql_real_escape_string($_POST['City']);
$st=mysql_real_escape_string($_POST['ST']);
$address=mysql_real_escape_string($_POST['Address']);
$zip=mysql_real_escape_string($_POST['Zip']);
$country=mysql_real_escape_string($_POST['Country']);
$vendortype=mysql_real_escape_string($_POST['VendorType']);

$url=mysql_real_escape_string($_POST['URL']);
$salutation=mysql_real_escape_string($_POST['Salutation']);
$firstname=mysql_real_escape_string($_POST['FirstName']);
$lastname=mysql_real_escape_string($_POST['LastName']);
$professionaltitle=mysql_real_escape_string($_POST['ProfessionalTitle']);
$emailaddress=mysql_real_escape_string($_POST['EmailAddress']);
$phonemain=mysql_real_escape_string($_POST['PhoneMain']);

$phonedirect=mysql_real_escape_string($_POST['PhoneDirect']);
$phonemobile=mysql_real_escape_string($_POST['PhoneMobile']);
$faxnumber=mysql_real_escape_string($_POST['FaxNumber']);
$accountinfo=mysql_real_escape_string($_POST['AccountInfo']);
$paymenttype=mysql_real_escape_string($_POST['PaymentType']);
$notes=mysql_real_escape_string($_POST['Notes']);
$lastmodifieddate=mysql_real_escape_string($_POST['LastModifiedDate']);

$sql = " INSERT INTO Vendors ";
$sql = $sql . " (CompanyName, City, ST, Address, Zip, Country, VendorType, URL, Salutation, FirstName, LastName, ProfessionalTitle, EmailAddress, PhoneMain, PhoneDirect, PhoneMobile, FaxNumber, AccountInfo, PaymentType, Notes, LastModifiedDate) VALUES ";
$sql = $sql . " ('$companyname','$city','$st','$address','$zip','$country','$vendortype','$url','$salutation','$firstname','$lastname','$professionaltitle','$emailaddress','$phonemain','$phonedirect','$phonemobile','$faxnumber','$accountinfo','$paymenttype','$notes','$lastmodifieddate') ";
$result = mysql_db_query($db,"$sql",$cid);

if (!$result) {
    echo("ERROR: " . mysql_error() . "\n$SQL\n"); }
	
	}

If you can't get mysql_real_escape_string($string) to work use addslashes(htmlentities($string)) instead.

You'll need to use stripslashes() when echoing values from DB.
htmlentities should protect from html injection. Including <script>. strip_tags() could also be useful if you want to allow certain html tags.

Edited 14 Years Ago by diafol because: n/a

diafol

14 Years Ago

Sorry, I don't understand your reply.

Your form will have a submit button field:

<input type="submit" [B]name="submit"[/B] id="submit" value="send me" />

or similar.

As for the rest of it. If you think it's ugly, well that's the price of cleaning or sanitizing.

almostbob 866 Retired: passive income ROCKS

14 Years Ago

Its ugly when it doesnt work,
Anything that works is beautiful
Ardav's code works => not ugly

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

teajayo 0 Newbie Poster · Answer 1 · 2010-03-28T02:06:27+00:00

use addslashes($string) before placing into DB.
In fact use mysql_real_escape_string($string).

Tried that. The database is on a website so anyone can type anything in to any field.

$cid = mysql_connect($host,$usr,$pwd);
 

if ($_SERVER['REQUEST_METHOD'] == "POST") { 

$companyname=$_POST['CompanyName'];
$city=$_POST['City'];
$st=$_POST['ST'];
$address=$_POST['Address'];
$zip=$_POST['Zip'];
$country=$_POST['Country'];
$vendortype=$_POST['VendorType'];

$url=$_POST['URL'];
$salutation=$_POST['Salutation'];
$firstname=$_POST['FirstName'];
$lastname=$_POST['LastName'];
$professionaltitle=$_POST['ProfessionalTitle'];
$emailaddress=$_POST['EmailAddress'];
$phonemain=$_POST['PhoneMain'];

$phonedirect=$_POST['PhoneDirect'];
$phonemobile=$_POST['PhoneMobile'];
$faxnumber=$_POST['FaxNumber'];
$accountinfo=$_POST['AccountInfo'];
$paymenttype=$_POST['PaymentType'];
$notes=$_POST['Notes'];
$lastmodifieddate=$_POST['LastModifiedDate'];

$sql = " INSERT INTO Vendors ";
$sql = $sql . " (CompanyName, City, ST, Address, Zip, Country, VendorType, URL, Salutation, FirstName, LastName, ProfessionalTitle, EmailAddress, PhoneMain, PhoneDirect, PhoneMobile, FaxNumber, AccountInfo, PaymentType, Notes, LastModifiedDate) VALUES ";
$sql = $sql . " ('$companyname','$city','$st','$address','$zip','$country','$vendortype','$url','$salutation','$firstname','$lastname','$professionaltitle','$emailaddress','$phonemain','$phonedirect','$phonemobile','$faxnumber','$accountinfo','$paymenttype','$notes','$lastmodifieddate') ";
$result = mysql_db_query($db,"$sql",$cid);

if (!$result) {
    echo("ERROR: " . mysql_error() . "\n$SQL\n"); }
	
	}

Where would I add it ? This is the page that adds a vendor.

teajayo 0 Newbie Poster · Answer 2 · 2010-03-28T06:04:50+00:00

$cid = mysql_connect($host,$usr,$pwd);
 
//check form posted - use the [B]name[/B] of the submit button to check
if (isset($_POST['submit']) { 
$companyname=mysql_real_escape_string($_POST['CompanyName']);
$city=mysql_real_escape_string($_POST['City']);
$st=mysql_real_escape_string($_POST['ST']);
$address=mysql_real_escape_string($_POST['Address']);
$zip=mysql_real_escape_string($_POST['Zip']);
$country=mysql_real_escape_string($_POST['Country']);
$vendortype=mysql_real_escape_string($_POST['VendorType']);

$url=mysql_real_escape_string($_POST['URL']);
$salutation=mysql_real_escape_string($_POST['Salutation']);
$firstname=mysql_real_escape_string($_POST['FirstName']);
$lastname=mysql_real_escape_string($_POST['LastName']);
$professionaltitle=mysql_real_escape_string($_POST['ProfessionalTitle']);
$emailaddress=mysql_real_escape_string($_POST['EmailAddress']);
$phonemain=mysql_real_escape_string($_POST['PhoneMain']);

$phonedirect=mysql_real_escape_string($_POST['PhoneDirect']);
$phonemobile=mysql_real_escape_string($_POST['PhoneMobile']);
$faxnumber=mysql_real_escape_string($_POST['FaxNumber']);
$accountinfo=mysql_real_escape_string($_POST['AccountInfo']);
$paymenttype=mysql_real_escape_string($_POST['PaymentType']);
$notes=mysql_real_escape_string($_POST['Notes']);
$lastmodifieddate=mysql_real_escape_string($_POST['LastModifiedDate']);

$sql = " INSERT INTO Vendors ";
$sql = $sql . " (CompanyName, City, ST, Address, Zip, Country, VendorType, URL, Salutation, FirstName, LastName, ProfessionalTitle, EmailAddress, PhoneMain, PhoneDirect, PhoneMobile, FaxNumber, AccountInfo, PaymentType, Notes, LastModifiedDate) VALUES ";
$sql = $sql . " ('$companyname','$city','$st','$address','$zip','$country','$vendortype','$url','$salutation','$firstname','$lastname','$professionaltitle','$emailaddress','$phonemain','$phonedirect','$phonemobile','$faxnumber','$accountinfo','$paymenttype','$notes','$lastmodifieddate') ";
$result = mysql_db_query($db,"$sql",$cid);

if (!$result) {
    echo("ERROR: " . mysql_error() . "\n$SQL\n"); }
	
	}

If you can't get mysql_real_escape_string($string) to work use addslashes(htmlentities($string)) instead.

You'll need to use stripslashes() when echoing values from DB.
htmlentities should protect from html injection. Including <script>. strip_tags() could also be useful if you want to allow certain html tags.

hmmmm yup. OK . That really doesn't make sense. I already have an IF statement and have found NO info on combining two. The code is getting really ugly. I already have this

if ($_SERVER['REQUEST_METHOD'] == "POST") { 

$companyname=$_POST['CompanyName'];
$city=$_POST['City'];
$st=$_POST['ST'];
$address=$_POST['Address'];
$zip=$_POST['Zip'];
$country=$_POST['Country'];
$vendortype=$_POST['VendorType'];

etc,etc

and you are suggesting to use this :: //check form posted - use the name of the submit button to check
if (isset($_POST) { However then will the form POST as it does now to insert.php without this >
($_SERVER == "POST")

The form is on add_vendor.php and the info you type in gets processed by insert.php

<form action="insert.php" method="post" accept-charset="utf-8">

teajayo 0 Newbie Poster · Answer 3 · 2010-03-28T07:37:45+00:00

Sorry, I don't understand your reply.
Your form will have a submit button field:
<input type="submit" [B]name="submit"[/B] id="submit" value="send me" />
or similar.
As for the rest of it. If you think it's ugly, well that's the price of cleaning or sanitizing.

Right OK. My submit field looks like this ::

<input name="addvendor" class="formButton" type="submit" value="Add Vendor &rarr;">

on the add_vendor page which has the ACTION of

<form action="insert.php" method="post" accept-charset="utf-8">

so it leads to the page insert.php which of course INSERTS a new row in the table with the info plugged in. Would you like the link to see my project work 50% done ? ; )

diafol · Answer 4 · 2010-03-28T16:07:01+00:00

Thanks AB.

This is the conditional:

if (isset($_POST['addvendor']) {

teajayo 0 Newbie Poster · Answer 5 · 2010-03-29T22:11:12+00:00

Thanks AB.
This is the conditional:
if (isset($_POST['addvendor']) {

Thanks for the tips. Could not get it to work though.

diafol · Answer 6 · 2010-03-29T22:15:19+00:00

Which bit doesn't work?

teajayo 0 Newbie Poster · Answer 7 · 2010-03-29T22:37:39+00:00

Which bit doesn't work?

SQL looks like this >>

if ($REQUEST_METHOD=="POST") {
		
		$companyname=$_POST['CompanyName'];
		$city=$_POST['City'];
		$st=$_POST['ST'];
		$address=$_POST['Address'];
		$zip=$_POST['Zip'];
		$country=$_POST['Country'];
		$vendortype=$_POST['VendorType'];
		
		$url=$_POST['URL'];
		$salutation=$_POST['Salutation'];
		$firstname=$_POST['FirstName'];
		$lastname=$_POST['LastName'];
		$professionaltitle=$_POST['ProfessionalTitle'];
		$emailaddress=$_POST['EmailAddress'];
		$phonemain=$_POST['PhoneMain'];
		
		$phonedirect=$_POST['PhoneDirect'];
		$phonemobile=$_POST['PhoneMobile'];
		$faxnumber=$_POST['FaxNumber'];
		$accountinfo=$_POST['AccountInfo'];
		$paymenttype=$_POST['PaymentType'];
		$notes=$_POST['Notes'];
		$lastmodifieddate=$_POST['LastModifiedDate'];

		// setup SQL statement
		$SQL = " UPDATE Vendors SET";
		$SQL = $SQL . " CompanyName = '" . $companyname . "', ";
		$SQL = $SQL . " City = '" . $city . "', ";
		$SQL = $SQL . " ST = '". $st . "', ";
		$SQL = $SQL . " Address = '" . $address . "', ";
		$SQL = $SQL . " Zip = '" . $zip . "', ";
		$SQL = $SQL . " Country = '" . $country . "', ";
		$SQL = $SQL . " VendorType = '" . $vendortype . "', ";
		$SQL = $SQL . " URL = '" . $url . "', ";
		$SQL = $SQL . " Salutation = '" . $salutation . "', ";
		$SQL = $SQL . " FirstName = '" . $firstname . "', ";
		$SQL = $SQL . " LastName = '" . $lastname . "', ";
		$SQL = $SQL . " ProfessionalTitle = '" . $professionaltitle . "', ";
		$SQL = $SQL . " EmailAddress = '" . $emailaddress . "', ";
		$SQL = $SQL . " PhoneMain = '" . $phonemain . "', ";
		$SQL = $SQL . " PhoneDirect = '" . $phonedirect . "', ";
		$SQL = $SQL . " PhoneMobile = '" . $phonemobile . "', ";
		$SQL = $SQL . " FaxNumber = '" . $faxnumber . "', ";
		$SQL = $SQL . " AccountInfo = '" . $accountinfo . "', ";
		$SQL = $SQL . " PaymentType = '" . $paymenttype . "', ";
		$SQL = $SQL . " Notes = '" . $notes . "', ";
		$SQL = $SQL . " LastModifiedDate = '" . $lastmodifieddate . "'";
		$SQL = $SQL . " WHERE ID = " . $ID;

Form looks like this >>

<form name="fa" action="manageedit.php" method="post" accept-charset="utf-8">
<input type="hidden" size="25" class="formText2" maxlength="255" name="ID" value="<?php echo("$id"); ?>">
<table width="100%" border="0" background="" bgcolor="" cellspacing="0" cellpadding="0">
<tr><td valign="top">
<span class="formText"><b>Company Name:</b><br />
<input type="text" size="25" class="formText2" maxlength="255" name="CompanyName" value="<?php echo("$companyname"); ?>"></span><br /><br />
</td></tr>
<tr><td valign="top">
<span class="formText"><b>City:</b><br>
<input type="text" size="25" class="formText2" maxlength="255" name="City" value="<?php echo("$city"); ?>"></span><br /><br />
</td><td valign="top"><p><br /><input  class="formButton" type="submit" name="submit" value="Update Vendor &rarr;"></p>
</table>
</form>

Of course the other fields are in the form. I tried adding the code you suggested, and the entire app crashed. This is my REQUEST method >

if ($REQUEST_METHOD=="POST") {

It will not work adding the bit you mentioned.
I'll keep looking to find a way to SUBMIT the form's too the database and not generate errors when people use ' or :) etc.

I'm fairly new to getting php to read into and output and edit mysql. But I am trying.

Tekkno 1 Junior Poster · Answer 8 · 2010-03-29T23:30:41+00:00

teajayo,
Unfortunately there is no simple solution for this. In case you don't understand the reason it is happening, I will explain. When the user enters the special characters in the text field or text area, it can interfere with the MySQL query. Therefore, before entering the data into the database the string needs to be encoded into something that MySQL will essentially ignore. The difficulty, is that once the data is encoded and entered into the database, it needs to be decoded in order to use it. You should be able to accomplish the encoding using htmlentities as ardav suggested, you can also use htmlspecialchars. I am sort of shooting at the hip here as I have not tried these functions myself. Maybe if I provide an example it will help you.

$cid = mysql_connect($host,$usr,$pwd);
 
//check form posted - use the name of the submit button to check
if (isset($_POST['submit']) {
$companyname=mysql_real_escape_string($_POST['CompanyName']);
$companyname=htmlentities($companyname, ENT_QUOTES); 
$city=mysql_real_escape_string($_POST['City']);
$city=htmlentities($city, ENT_QUOTES);
$st=mysql_real_escape_string($_POST['ST']);
$st=htmlentities($st, ENT_QUOTES);
$address=mysql_real_escape_string($_POST['Address']);
$address=htmlentities($address, ENT_QUOTES);
$zip=mysql_real_escape_string($_POST['Zip']);
$zip=htmlentities($zip, ENT_QUOTES);
$country=mysql_real_escape_string($_POST['Country']);
$country=htmlentities($country, ENT_QUOTES);
$vendortype=mysql_real_escape_string($_POST['VendorType']);
$vendortype=htmlentities($vendortype, ENT_QUOTES);

Then you should just have to use html_entity_decode() in order to decode it. I just added it to the top group for reference, just test that and see if it works for you. You may need to remove the mysql_real_escape_string function as this is essentially adding a \ to some of the characters which may complicate things. It's just going to take research with trial and error. Sorry for the long post I am bored at work.

diafol · Answer 9 · 2010-03-29T23:42:52+00:00

I suggested changing things, but it seems the only thing that you've changed is the name of the submit button.

Sorry mate, I'm bugging out.

teajayo 0 Newbie Poster · Answer 10 · 2010-03-30T02:04:23+00:00

I suggested changing things, but it seems the only thing that you've changed is the name of the submit button.
Sorry mate, I'm bugging out.

I'm Giving up for the time being. Thanks.