
Thread: Apostrophes in Form Fields

  1. #11
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    stripslashes removes the slashes added to the sent data that was meant to make it not a security threat (by placing a slash before any harmful command).

    mysql_real_escape_string is a strangely named command that makes data safe for input into mysql. Without it, someone can send "; DROP TABLE `table`" in the data, which would end the first part of the query and execute that, or any other command they'd like, with a bit of planning.


    I'm not sure if register_globals is default. I think not. However, it depends on how it was installed. If you do turn it off (good for security, as any variable then can be sent by someone through a form), you will have to rewrite any scripts that use it.
    Though easier, it's not a good idea to rely on that, so keep that in mind for any pages you add to the site.

    I hope this helps.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  2. #12
    Join Date
    Sep 2007
    Location
    Maui
    Posts
    642
    Thanks
    284
    Thanked 15 Times in 15 Posts

    Default

    Dear Daniel: Thanks for explaining. So is this correct?

    global $First_Name;
    global $Last_Name;
    $First_Name = stripslashes($First_Name);
    $First_Name = mysql_real_escape_string($First_Name);
    $Last_Name = stripslashes($Last_Name);
    $Last_Name = mysql_real_escape_string($Last_Name);

    And will it solve the problem of someone entering an apostrophe in the form field?

    Mahalo, erin

  3. #13
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Though only testing will prove it, I guess that is right. That code is what I intended, yes.

  4. #14
    Join Date
    Sep 2007
    Location
    Maui
    Posts
    642
    Thanks
    284
    Thanked 15 Times in 15 Posts

    Default

    Dear Daniel: OK, I added the code and tried entering a name with an apostrophe. Unfortunately, although the additional code probably protects against malicious code entries, an apostrophe still causes the name not to load into the database. Because a single quote is the field delimiter, as soon as MySQL sees the apostrophe, it thinks it is the start of the next field. Is there some kind of function or command that would cause the contents to be viewed as an encapsulated unit, sort of like triple quotes?

    If you go to www.carrentalhawaii.com and click on the "Free Price Check" button, it will take you to the page in question and maybe it'll make more sense. I would think a lot of people would have the same problem. How do other people deal with people's names? There is another place on the site where there is a comment field and you can't even put something like "I'll call you" because of the apostrophe. This is driving me nuts. I sure hope someone has figured this out already. Thanks very much. Aloha, erin

  5. #15
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    I'm not sure then.

    You are correct that the apostrophe is ending the string, but that is dealt with when you use mysql_real_escape_string... that's the whole point.

    However, you may want to try NOT using stripslashes(), because that might be helping. Try removing that (leave mysql_...) then see what happens.

    Troubleshooting this sort of thing can be strange. In theory what I've said should work, but that's... in theory.

  6. #16
    Join Date
    Sep 2007
    Location
    Maui
    Posts
    642
    Thanks
    284
    Thanked 15 Times in 15 Posts

    Default

    Dear Daniel: Please don't think I expect you to second-guess this guy's funky code perfectly. I really appreciate your help - imagine how it is for me when I don't even understand the languages, so just not feeling alone with it is greatly reassuring.

    I woke up to a phone message from the client saying that now NONE of the names were loading into the database for anyone (even with no apostrophes), so I had to remove the code. I'll try putting half of it back and see what happens. Now you see why I am so nervous about making changes to a live, ecommerce site.

    This is what I just tried:

    function replace_email_template_variables($body_text) {
    // This function will replace the variables in the Body text for the email.
    // This uses several global variables.
    global $Today;
    global $First_Name;
    global $Last_Name;
    $First_Name = mysql_real_escape_string($First_Name);
    $Last_Name = mysql_real_escape_string($Last_Name);
    global $Phone;
    global $Email;

    And besides loading blanks for the first & last names in the table, the email looks like this:

    Dear ,

    Whereas when I remove the extra code the email looks like this: Dear aa test aa,

    Hopefully that will give you a clue as to why neither command is working properly. Any ideas? Mahalo, erin

  7. #17
    Join Date
    Jun 2007
    Posts
    543
    Thanks
    3
    Thanked 78 Times in 78 Posts
    Blog Entries
    1

    Default

    try
    PHP Code:
    $First_Name = addslashes($First_Name);
    $Last_Name = addslashes($Last_Name);
    instead of
    PHP Code:
    $First_Name = mysql_real_escape_string($First_Name);
    $Last_Name = mysql_real_escape_string($Last_Name);
    [Jasme Library (Javascript Motion Effects)] My Site
    /\/\@§†ê® §©®¡þ† /\/\@|{ê®
    There are 10 kinds of people in the world, those that understand binary and those that don't.

  8. #18
    Join Date
    Sep 2007
    Location
    Maui
    Posts
    642
    Thanks
    284
    Thanked 15 Times in 15 Posts

    Default

    YES!! Thank you!! Now it does load names into the database with or without an apostrophe (and loads it without the apostrophe). However, it sends the email looking like this: Dear aa test O\'Brian, so I assume that means I have to use the stripslashes command somewhere before the email gets sent, no? I'll see if I can figure out where. Thanks a million! erin

  9. #19
    Join Date
    Sep 2007
    Location
    Maui
    Posts
    642
    Thanks
    284
    Thanked 15 Times in 15 Posts

    Default

    I think this might be where to do it but do I stripslashes from %First_Name%? Not sure what this is.

    $body_text = eregi_replace('%Today%', $Today, $body_text);
    $body_text = eregi_replace('%First_Name%', $First_Name, $body_text);
    $body_text = eregi_replace('%Last_Name%', $Last_Name, $body_text);
    $body_text = eregi_replace('%Phone%', $Phone, $body_text);
    $body_text = eregi_replace('%Email%', $Email, $body_text);
    Last edited by kuau; 12-27-2007 at 05:28 PM. Reason: posted by accident before I had finished

  10. #20
    Join Date
    Sep 2007
    Location
    Maui
    Posts
    642
    Thanks
    284
    Thanked 15 Times in 15 Posts

    Default

    Is this correct?

    Code:
    $body_text = eregi_replace('%First_Name%', stripslashes($First_Name), $body_text);
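The root of the trouble in this thread is that one variable is escaped for MySQL and then reused, still escaped, in the email. The following is an added example (not code from the thread or from the site's script) showing the approach a practitioner would use instead: hold the value as typed, let a prepared statement carry it to the database, and substitute the untouched value into the email template. It assumes a PDO connection, a `customers` table with `first_name`/`last_name` columns and an email template using `%First_Name%` style placeholders; the sample input is constructed.

```php
<?php
// Added example, not the thread's code. Assumes a PDO connection, a table
// customers(first_name, last_name) and %Name% placeholders in the email body.
declare(strict_types=1);

// Undo magic_quotes_gpc (the automatic addslashes older PHP applied to form
// input) so we hold the value exactly as the user typed it. On PHP 8 the
// function no longer exists, so the check is guarded.
function raw_form_value(array $source, string $key): string {
    $value = isset($source[$key]) ? (string) $source[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// SQL context: a prepared statement sends the value separately from the
// query text, so the apostrophe in O'Brian (or a "; DROP TABLE" string) is
// stored literally and never parsed as SQL. No addslashes or
// mysql_real_escape_string is needed, and nothing is lost on the way in.
function store_customer(PDO $db, string $firstName, string $lastName): void {
    $stmt = $db->prepare(
        'INSERT INTO customers (first_name, last_name) VALUES (:first, :last)'
    );
    $stmt->execute([':first' => $firstName, ':last' => $lastName]);
}

// Email context: the template is plain text, so the raw value goes in
// unchanged. Escaping belongs to each destination, never to the shared
// variable, which is why "Dear O\'Brian" appeared in the thread.
function fill_email_template(string $body, array $vars): string {
    foreach ($vars as $name => $value) {
        $body = str_replace('%' . $name . '%', $value, $body);
    }
    return $body;
}

// Constructed sample input standing in for $_POST.
$post  = ['First_Name' => 'Daniel', 'Last_Name' => "O'Brian"];
$first = raw_form_value($post, 'First_Name');
$last  = raw_form_value($post, 'Last_Name');

$db = new PDO('mysql:host=localhost;dbname=example', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
store_customer($db, $first, $last);

$body = "Dear %First_Name% %Last_Name%,\n";
echo fill_email_template($body, ['First_Name' => $first, 'Last_Name' => $last]);
```

The blank names seen earlier in the thread are consistent with mysql_real_escape_string being called without an open MySQL connection: it then returns false, which prints as an empty string; a prepared statement bound to an explicit connection avoids that failure mode entirely.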
