htmlspecialchars doesn't appear to be working

I'm using this:
[PHP]<?php
if (isset($_POST['submitted']))
{
    $city = htmlspecialchars($_POST['city']);

    if (!get_magic_quotes_gpc())
    {
        $city = addslashes($city);
    }

    // The string on the next line is never closed (no closing double quote).
    $query = "INSERT INTO table VALUES ('', '$city');
    $result = mysql_query($query) or die('There was an error');
    if ($result)
        echo "<br>Entry Added!";
    mysql_close();
    footer(); // Include the HTML footer.
    exit();
}
?>

The form goes here.[/PHP]

Isn't this supposed to change the @ sign and put slashes before single quotations (')? When I look into my database I don't see where these have been changed. I'm not seeing a problem on the front side, but could it become a problem?

I've not allowed a user to submit data directly into my database before. I've always used a form-mail to have the user information sent to me, then I would put the data into the database. However, there is a time delay in doing it this way and I'd like the user to be able to edit his/her own information. Just want to have some sense of security though.

Why is this showing up in red?
Jul 28 '07 #1
kovik
Isn't this supposed to change the @ sign and put slashes before single quotations (')? When I look into my database I don't see where these have been changed. I'm not seeing a problem on the front side, but could it become a problem?
No, it is not. htmlspecialchars() is meant to convert HTML entities into their encoded counterparts. For example, the ampersand (&) would become &amp; and the less than sign (<) would become &lt;. It should not be used when putting information into the database; only when taking information out of it. It is meant to filter out any HTML input so that you can avoid abuse and XSS (cross-site scripting) and users can't use HTML against you, such as the <script> tag.

If you want to escape data going into the database, you need to use mysql_real_escape_string(). It filters information for your SQL queries and should be used on all of your data that you put into your queries unless you typecast it to an integer. It will escape all necessary characters so that the query does not fail and you are not vulnerable to SQL injection.

The change will not be visible if you look in the database. MySQL displays escaped characters the way that it should.

Why is this showing up in red?
It is showing up in red because you forgot to close the quotes on the query.
Jul 28 '07 #2
DavidPr
I don't get the "A "Best Practice" query" example on the mysql_real_escape_string website and wouldn't know how to use it with my form.

They have database fields named name, description, but use the variables $product_name, $product_description. Then they use these values: %s, %s, %d.

For simplicity's sake they should have kept using the same variable they started out with throughout the example.

They use something different in each step of the process. As a novice, I can't read this example and implement it without -- knowing -- that it would churn out error after error after error.

Is there a complete, yet simple way to implement mysql_real_escape_string and whatever else is necessary, to allow a user to submit data directly to the database and have some level of assurance that your server and website will not be destroyed?
I doubt my website will ever reach the level of Google or Yahoo, so I probably don't need the same level of security that they have. I just want to institute a small job board to use in my area.

I would like for a user to be able use <i></i>, <b></b>, <u></u> and maybe even <li></li> tags. A little HTML to dress up the ad a little if they would like.


I found this:
[PHP]function safe_sql( $value )
{
    // Turn newlines into <br> and drop every other tag.
    $value = nl2br($value);
    $value = trim(strip_tags($value, '<br>'));

    // Undo magic_quotes escaping so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    // Escape for the SQL query unless the value is numeric.
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string($value);
    }

    return $value;
} // End of Function[/PHP]

I read that all of these are a good idea: trim, strip_tags and mysql_real_escape_string. The above uses these. How would I use this function, or rather, how would I need to write all my field variables to take advantage of this function - $value?
Jul 28 '07 #3
kovik
Firstly, that function is disgusting and pointless. It's basically a way to clean up magic_quotes if they are on prior to escaping, but magic_quotes should be dealt with separately. They are turned off by default.

I'm not sure what part of the examples you don't get. mysql_real_escape_string() is a function. It's that simple. You pass all values through it before inputting something into the database, and you'll be generally safe from SQL injection.

[PHP]mysql_query("INSERT INTO `table` SET `name` = '" . mysql_real_escape_string($_POST['name']) . "';");[/PHP]
Jul 29 '07 #4
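The separation kovik describes, as an added example rather than code from the thread: the database driver quotes values on the way in, and htmlspecialchars() runs on the way out, with the <b>, <i>, <u> and <li> tags DavidPr asked for re-enabled only in their bare, balanced form. It assumes a mysqli connection `$db` and an `ads` table with `city` and `body` columns (both assumed names), and uses a prepared statement because the mysql_* functions no longer exist in current PHP.

```php
<?php
// Added example, not the thread's code. Assumes a mysqli connection $db and an
// `ads` table with columns city and body (assumed names). mysql_* was removed in
// PHP 7; a prepared statement is the current way to do what the reply's
// mysql_real_escape_string() call did: quote every value on the way INTO MySQL.

/** Store the ad exactly as typed; the placeholders do the quoting. */
function insert_ad(mysqli $db, string $city, string $body): int
{
    $stmt = $db->prepare('INSERT INTO ads (city, body) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $city, $body); // 's' = string; no quotes to forget
    $stmt->execute();
    return $db->insert_id;
}
// From the form handler: insert_ad($db, $_POST['city'], $_POST['body']);

/**
 * Escape for output, then re-enable only bare, balanced <b>, <i>, <u>, <li>.
 * Everything goes through htmlspecialchars() first; only the escaped form of
 * an attribute-less open tag followed by its matching close tag is turned back
 * into markup, so <b onmouseover=...> or <script> stays escaped and inert.
 */
function render_ad_body(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    return preg_replace(
        '#&lt;(b|i|u|li)&gt;(.*?)&lt;/\1&gt;#s',
        '<$1>$2</$1>',
        $safe
    );
}

// Constructed sample input: a quote for the SQL side, markup for the HTML side.
$body = "Cook wanted at O'Malley's <b>now</b>, "
      . "<b onmouseover=alert(1)>not this</b> <script>alert(1)</script>";
echo render_ad_body($body), "\n";
```

Only the plain <b>now</b> pair comes back as a tag; the attribute-carrying tag and the script element are shown as visible text.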
