
Thread: Apostrophes in Form Fields

  1. #21 (joined Jan 2008, 32 posts)

    Quote Originally Posted by kuau:
    Is this correct?

    Code:
    $body_text = eregi_replace('%First_Name%', stripslashes($First_Name), $body_text);

    That looks correct.

    Just to give you information, mysql_real_escape_string takes its argument and escapes it so that it can be put in a query safely. You should use it whenever you are using data derived from the user.

    For example, if you were reading their name from the form and they entered
    Code:
    O'; DROP DATABASE customers
    And your code looks like this
    PHP Code:
    $customer = $_POST["first_name"];
    $query = "SELECT * FROM purchases WHERE `Customer`='$customer'";
    When the query was sent to the SQL database, it looks like this:
    Code:
    SELECT * FROM purchases WHERE `Customer`='O'; DROP DATABASE customers;
    Read more about it on Wikipedia under "SQL Injection".

  2. #22 (joined Sep 2007, Maui, 642 posts)

    Dear Leafy: Thanks very much for explaining about SQL Injection attacks. Daniel also warned me about this. I understand and would like to protect against this risk. The only problem is that as soon as I add the commands mysql_real_escape_string OR stripslashes to the code, the names totally disappear, i.e. it loads blanks into the database where the names would be, or it gives an error message.

    Maybe I am putting the commands in the wrong place. Does it matter that it is inside a function? Here is the whole function (minus extraneous variables):

    Code:
    function replace_email_template_variables($body_text) {
    	global $Today;
    	global $First_Name;
    	global $Last_Name;
    	$First_Name = addslashes($First_Name);
    	$Last_Name = addslashes($Last_Name); 
    
    	global $Phone;
    	global $Email;
    
    	$body_text = eregi_replace('%Today%', $Today, $body_text);
    	$body_text = eregi_replace('%First_Name%', $First_Name, $body_text);
    	$body_text = eregi_replace('%Last_Name%', $Last_Name, $body_text);
    	$body_text = eregi_replace('%Phone%', $Phone, $body_text);
    	$body_text = eregi_replace('%Email%', $Email, $body_text);
    
    	return ($body_text);
    }
    Where does the mysql_real_escape_string go, and the stripslashes? Mahalo, erin
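Both posts above turn on the same boundary: post #21 explains what mysql_real_escape_string is for, and post #22 puts addslashes() inside an email-template function and asks where the escaping calls belong. The following is an added example, not code from the thread, that keeps the two concerns apart: slash handling happens once at the input boundary (only needed on PHP 5.3 and older when magic_quotes_gpc is on, which is what makes stripslashes necessary at all), the email template does plain text replacement with no SQL escaping, and the database boundary uses a prepared statement, which does the job mysql_real_escape_string did on the old mysql extension (where it had to wrap the value exactly at the point the query string was built, never inside the template function). It assumes PHP 7 or later with the pdo_sqlite extension; an in-memory SQLite database stands in for the thread's MySQL server, and the table name `purchases`, column `Customer`, and the form value are all constructed for the example.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with pdo_sqlite.
// Table and column names (purchases, Customer) and the input are constructed.

// Constructed sample input, standing in for $_POST['first_name'].
$first_name = "O'; DROP TABLE purchases; --";

// Input boundary. On PHP 5.3 and older with magic_quotes_gpc=On, $_POST values
// arrive with backslashes already added; undo that once here, not in the
// template or the query code. get_magic_quotes_gpc() no longer exists in
// PHP 8, hence the function_exists() guard.
function raw_post_value(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Email template: plain text, no SQL, so no SQL escaping of any kind.
// str_replace() swaps the literal placeholder (case-sensitively, unlike the
// thread's eregi_replace, which was removed in PHP 7).
function replace_email_template_variables(string $body_text, array $vars): string
{
    foreach ($vars as $name => $value) {
        $body_text = str_replace('%' . $name . '%', $value, $body_text);
    }
    return $body_text;
}

// Database boundary: the value travels as a bound parameter, separate from the
// SQL text, so an apostrophe in it can never close the string literal.
function store_customer(PDO $db, string $customer): void
{
    $stmt = $db->prepare('INSERT INTO purchases (Customer) VALUES (:customer)');
    $stmt->execute([':customer' => $customer]);
}

function find_purchases(PDO $db, string $customer): array
{
    $stmt = $db->prepare('SELECT id, Customer FROM purchases WHERE Customer = :customer');
    $stmt->execute([':customer' => $customer]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The concatenation pattern from post #21, kept only to show the text the
// server would receive. It is built here but never executed.
function unsafe_query(string $customer): string
{
    return "SELECT * FROM purchases WHERE `Customer`='$customer'";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE purchases (id INTEGER PRIMARY KEY, Customer TEXT NOT NULL)');

$name = raw_post_value(['first_name' => $first_name], 'first_name');

store_customer($db, $name);
$rows = find_purchases($db, $name);
printf("Rows matched by the bound lookup: %d, stored as: %s\n",
    count($rows), $rows[0]['Customer']);

echo replace_email_template_variables(
    "Dear %First_Name%, thank you for your order.\n",
    ['First_Name' => $name]
);

echo "What string concatenation would have sent: ", unsafe_query($name), "\n";
```

Run it with `php example.php`. The stored row and the email body both carry the apostrophe exactly as typed, because nothing ever added or stripped slashes for the database's benefit; the last line prints the query that the post #21 pattern would have handed to the server, with the user's text sitting inside the SQL as code.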
