
Thread: Apostrophes in Form Fields

  1. #1
    Join Date: Sep 2007
    Location: Maui

    Apostrophes in Form Fields

    I have a form into which customers enter their first and last names. A PHP script loads the values into a MySQL table. If their name contains an apostrophe (e.g. O'Brian), I tell them to put two apostrophes in a row. Is there a more elegant way to handle this problem? I tried using double quotes as the PHP delimiter but it caused even more problems.

    Would really appreciate some insight. Thanks. erin

  2. #2
    Join Date: Jun 2005
    Location: UK

    You should be using mysql_real_escape_string(). stripslashes() may also be necessary depending on configuration (if you need to apply it, make sure you do so before mysql_real_escape_string()).
    Twey | I understand English | I understand Japanese | I understand Lojban | I understand Esperanto | I understand French | I understand Spanish | I understand a little Vietnamese | I understand a bit of German | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  3. #3
    Join Date: Sep 2007
    Location: Maui

    Where should I be using it... where I load the values? For example:

    Code:
    $sql = "INSERT INTO booking (...Book_First_Name,Book_Last_Name,...)
    VALUES (... 'mysql_real_escape_string($First_Name)', 'mysql_real_escape_string($Last_Name), .... ";

    I know the former programmer tried stripslashes() somewhere regarding a similar problem and it didn't prevent error messages when there was an apostrophe. I thought stripslashes was for if you inserted slashes before special characters and then had to remove them prior to display, but how do you insert them when it is the client doing the typing? (sorry for these lame questions). Aloha, erin

  4. #4
    Join Date: Jun 2005
    Location: UK

    When you define $First_Name and $Last_Name (which variable names, by the way, go against PHP convention such as it is). You can use a helper array:
    Code:
    $v = array_map('mysql_real_escape_string', $_POST);
    Quote:
    I know the former programmer tried stripslashes() somewhere regarding a similar problem and it didn't prevent error messages when there was an apostrophe. I thought stripslashes was for if you inserted slashes before special characters and then had to remove them prior to display
    Sometimes, depending on server config, they're inserted automatically where you don't want them, and mess things up.
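    Editor's added example (not code posted by anyone in this thread) putting the advice above into one script: strip the slashes magic_quotes_gpc may have added, then either escape each value with the connection's own escape function or, better, use a prepared statement so the apostrophe never touches the SQL text at all. It assumes PHP 7 or later with the mysqli extension, a live connection in $db, and the table and column names from the thread's query (booking, Book_First_Name, Book_Last_Name); the function names and the $_POST keys First_Name / Last_Name are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+, the mysqli
// extension, a live connection in $db, and the thread's table/column names.
// Function names and the $_POST keys are assumptions.

// Step 1: get the raw value the customer typed. If the server has
// magic_quotes_gpc on, PHP has already put backslashes in front of quotes,
// and those must be removed BEFORE escaping or they get escaped a second time.
function rawPostValue(string $key): string
{
    $v = isset($_POST[$key]) ? (string) $_POST[$key] : '';
    // get_magic_quotes_gpc() no longer exists in PHP 8; guard the call.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $v = stripslashes($v);
    }
    return $v;
}

// Step 2a: the escaping route the thread recommends. The escape function has
// to be called as PHP code, not written inside the SQL string: in a
// double-quoted string PHP substitutes $First_Name but leaves the text
// mysql_real_escape_string( ... ) as literal characters, so the apostrophe
// still reaches MySQL unescaped.
function insertBookingEscaped(mysqli $db, string $first, string $last): bool
{
    $f = mysqli_real_escape_string($db, $first);   // O'Brian becomes O\'Brian
    $l = mysqli_real_escape_string($db, $last);
    $sql = "INSERT INTO booking (Book_First_Name, Book_Last_Name) VALUES ('$f', '$l')";
    return mysqli_query($db, $sql) === true;
}

// The array_map() helper from the post above, adapted to mysqli, whose escape
// function needs the connection as its first argument.
function escapeAll(mysqli $db, array $values): array
{
    return array_map(function ($v) use ($db) {
        return mysqli_real_escape_string($db, (string) $v);
    }, $values);
}

// Step 2b: a prepared statement. The name is sent separately from the SQL
// text, so an apostrophe (or anything else a customer types) cannot alter the
// statement, and neither escaping nor the doubled-apostrophe instruction is
// needed.
function insertBookingPrepared(mysqli $db, string $first, string $last): bool
{
    $stmt = mysqli_prepare(
        $db,
        'INSERT INTO booking (Book_First_Name, Book_Last_Name) VALUES (?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'ss', $first, $last);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Usage (connection parameters are placeholders):
// $db = mysqli_connect('localhost', 'dbuser', 'dbpass', 'dbname');
// insertBookingPrepared($db, rawPostValue('First_Name'), rawPostValue('Last_Name'));
```

    The thread's mysql_* functions were removed in PHP 7, so the example uses their mysqli equivalents; the escaping logic is the same, but the prepared-statement version is the one to reach for when the code is rewritten.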

  5. #5
    Join Date: Sep 2007
    Location: Maui

    I inherited this code from some guy who refused to maintain the site (I can see why), so the client came to me. I always use lowercase letters in PHP and MySQL... I'm assuming that's what you mean, but he didn't. I'm afraid to change things too much in case the site crashes and burns. Most things pretty much work, so I just try to fix the things that don't, because I had never laid eyes on PHP, JS, or MySQL before this.

    I found this in the PHP... is this what you mean?

    global $First_Name;
    global $Last_Name;

    Or do you mean in the html where the form fields are created?
    <input type="text" name="Last_Name" size="25" style="font-size: 10px">

    I have never encountered $_POST in his code, so I have not learned how to use that yet. This is no doubt the worst way to learn, from someone's bad code. He did tell me that his code would not work in PHP 5 due to security violations (?). Something to look forward to, I guess. Thanks for your help.

  6. #6
    Join Date: Mar 2006
    Location: Illinois, USA

    If register_globals is set in php.ini, it will convert all values of the $_POST array (global form data from what was sent) automatically.
    Instead of $_POST['fieldname'], $fieldname can be used.
    Lazy and easy, yes, but also can become confusing.
    If the system is already setup, don't worry about it.

    After the global $var; structure, just do it there.
    Code:
    global $var;
    $var = stripslashes($var);
    $var = mysql_real_escape_string($var);

    etc.

    Hope this gets you started.
    Daniel - Freelance Web Design | <?php?> | <html>| Spanish | German | Italian | Portuguese | Catalan | a little French | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  7. #7
    Join Date: Jun 2005
    Location: UK

    Quote:
    Lazy and easy, yes, but also can become confusing.
    And insecure -- thus, it's turned off in a lot of installations, where that code will not work.
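    Editor's added illustration (not code from any poster) of why register_globals is called insecure above. Modern PHP no longer has the setting, so extract() is used to simulate what it did: every request parameter silently becomes a PHP variable, including ones the script meant to set itself. The variable names, the $is_admin flag and the sample request are all constructed for this example.

```php
<?php
// Added illustration, not code from the thread. extract() stands in for
// register_globals = On; $is_admin, the request keys and the page strings are
// hypothetical.

// Vulnerable pattern: the script trusts $is_admin to have been set by some
// earlier login check and never initialises it. With register_globals on, a
// client can supply it in the request and the check passes.
function pageWithRegisterGlobals(array $request): string
{
    extract($request, EXTR_OVERWRITE);   // simulates register_globals = On
    if (!empty($is_admin)) {
        return 'admin panel';
    }
    return 'public page';
}

// Safe pattern: request data is read only from the superglobal, by name, and
// every local variable is initialised before use. Nothing the client sends
// can create or overwrite a variable the script did not ask for.
function pageWithoutRegisterGlobals(array $request): string
{
    $is_admin  = false;   // set only by the real login code, never from input
    $last_name = isset($request['Last_Name']) ? (string) $request['Last_Name'] : '';
    if ($is_admin) {
        return 'admin panel';
    }
    return 'public page for ' . $last_name;
}

// Constructed sample request, as a client sending ?is_admin=1&Last_Name=O'Brian:
$request = ['is_admin' => '1', 'Last_Name' => "O'Brian"];

echo pageWithRegisterGlobals($request), "\n";     // admin panel
echo pageWithoutRegisterGlobals($request), "\n";  // public page for O'Brian
```

    Rewriting a site off register_globals is mostly the mechanical change shown in the second function: replace each bare $Field_Name with $_POST['Field_Name'] (or $_GET) and initialise anything that is not request data.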

  8. #8
    Join Date: Mar 2006
    Location: Illinois, USA

    Indeed, though I infer it would take rewriting the whole site to remove this reliance.

  9. #9
    Join Date: Jun 2005
    Location: UK

    It is worth it, however.

  10. #10
    Join Date: Sep 2007
    Location: Maui

    I checked the php.ini (PHP 4) and register_globals is on (although I did not turn it on). Is that the default for PHP 4?

    Twey was saying it is better to turn register_globals off (?) but I don't know enough php to anticipate and fix the repercussions of doing so across the site. And the client won't want to pay for it. There is no sensitive info taken or stored with the site, so, leaving well enough alone, is this what I do?

    Code:
    global $First_Name;
    global $Last_Name;
    $First_Name = stripslashes($First_Name);
    $First_Name = mysql_real_escape_string($First_Name);
    $Last_Name = stripslashes($Last_Name);
    $Last_Name = mysql_real_escape_string($Last_Name);

    If the above is correct, is that the only thing I have to do? I understand the stripslashes (I think), but what exactly does mysql_real_escape_string do? Interpret the entire contents of the variable as a text string?

    Thanks so much for your help. Aloha, erin
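    Editor's added illustration (not code from any poster) of what mysql_real_escape_string() does to a value, and of why stripslashes() has to run first when magic_quotes_gpc is on. The escaping rule below is the one MySQL documents for its escape routine (NUL, newline, carriage return, backslash, single quote, double quote and Ctrl-Z each get a backslash). This pure-PHP copy is for reading only: the real function also knows the connection's character set, which a byte-level strtr() does not, so production code should call mysqli_real_escape_string() on the live connection. The function name and sample names are assumptions.

```php
<?php
// Added illustration, not code from the thread. Reproduces the documented
// escaping rule so the effect can be seen without a database connection;
// real code must use mysqli_real_escape_string($link, $s), which is
// character-set aware. Function name and sample inputs are hypothetical.

function illustrateMysqlEscape(string $s): string
{
    // strtr() with an array makes a single pass, so a backslash it inserts
    // is never escaped again.
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// The customer's name as typed (constructed sample input):
$name = "O'Brian";

// With no magic quotes, one escaping pass is exactly right:
$escaped = illustrateMysqlEscape($name);                          // O\'Brian
$sql = "INSERT INTO booking (Book_Last_Name) VALUES ('$escaped')";
// MySQL reads \' as a literal apostrophe, so the stored value is O'Brian.

// With magic_quotes_gpc on, PHP hands the script an already-slashed value
// (addslashes() produces the same thing here). Escaping that directly
// escapes the backslash too, and the stored value ends up as O\'Brian:
$fromMagicQuotes = addslashes($name);                             // O\'Brian
$doubled = illustrateMysqlEscape($fromMagicQuotes);               // O\\\'Brian
$correct = illustrateMysqlEscape(stripslashes($fromMagicQuotes)); // O\'Brian

// Characters the doubled-apostrophe workaround ('' in SQL) does not cover:
$awkward = "Jean\\Paul\nO'Neil";
$escapedAwkward = illustrateMysqlEscape($awkward);  // Jean\\Paul\nO\'Neil

echo $escaped, "\n", $doubled, "\n", $correct, "\n", $escapedAwkward, "\n";
```

    The point of the function is not to "interpret the variable as a string" but to rewrite it so that MySQL, parsing the string literal, ends up with exactly the bytes the customer typed and nothing that terminates the literal early. Writing two apostrophes by hand achieves the same for apostrophes alone; the escape function covers the other special characters as well and does not rely on the customer following instructions.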
