
More than one apostrophe - no insert


JamesManke (Programmer, CA)
Jul 1, 2004
When submitting more than one apostrophe in a sentence through a form (in this case the comment), it will not insert into the database. With one apostrophe, no problems. Any more and it just doesn't insert it. I need some help on this one.

Example:
Here's the form...

<form method='post' action='add_test.php?add=yes'>
<table>
<tr>
<td>New Testimonial:</td>
<td><textarea name='comment' cols='70' rows='5'></textarea></td>
</tr>
<tr>
<td colspan='2'><input type='submit' name='submit' value='Submit Information' /></td>
</tr>
</table>
</form>


Here's the query...

// $_POST['comment'] is interpolated into the SQL text unescaped, so a ' in
// the comment ends the string literal early (this is the behaviour being asked about)
$sql = "INSERT INTO $table (comment) VALUES ('$_POST[comment]')";
mysql_query($sql);


Thanks for your help,
James
 
Code:
$sql = "INSERT INTO $table (comment) VALUES('".mysql_escape_string($_POST['comment'])."');";

Apostrophes are suspiciously similar to single quotes, which tells mysql that the particular field is over.
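As an added illustration (not code from the thread), the following PHP builds the INSERT three ways: the raw interpolation from the question, the escaped form the answer above recommends, and a prepared statement, which is the approach that makes escaping unnecessary. The table name, the `$pdo` connection and the sample comments are assumptions; `addslashes()` stands in for `mysql_escape_string()`, which no longer exists in PHP 7 and later.

```php
<?php
// Added example, not from the thread. Shows why an apostrophe breaks the
// original INSERT and what escaping or a prepared statement changes.

// 1. Build the statement exactly as the original post does: raw interpolation.
function buildUnsafe(string $table, string $comment): string {
    return "INSERT INTO $table (comment) VALUES ('$comment')";
}

// 2. Escape first, as the answer suggests. mysql_escape_string() was removed
// in PHP 7; addslashes() does the same backslash-doubling of ' " \ and NUL for
// ASCII input. With a live connection prefer mysqli_real_escape_string(),
// which also knows the connection's character set.
function buildEscaped(string $table, string $comment): string {
    return "INSERT INTO $table (comment) VALUES ('" . addslashes($comment) . "')";
}

// 3. Prepared statement (assumes $pdo is an open PDO connection). The comment
// is sent separately from the SQL text, so quotes inside it can never
// terminate the literal, and no escaping is needed at all.
function insertPrepared(PDO $pdo, string $table, string $comment): bool {
    // Identifiers cannot be bound as parameters; restrict the table name instead.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new InvalidArgumentException('unexpected table name');
    }
    $stmt = $pdo->prepare("INSERT INTO $table (comment) VALUES (?)");
    return $stmt->execute([$comment]);
}

// Constructed sample comments with one and two apostrophes.
$one = "That's great";
$two = "I'd say it's great";

echo buildUnsafe('testimonials', $one), "\n";
// INSERT INTO testimonials (comment) VALUES ('That's great')
//   the ' after "That" closes the literal; the rest is a syntax error
echo buildUnsafe('testimonials', $two), "\n";
echo buildEscaped('testimonials', $two), "\n";
// INSERT INTO testimonials (comment) VALUES ('I\'d say it\'s great')
//   MySQL reads \' as a literal apostrophe inside the string
```

Running the script with no database prints the three statements so you can see where the literal ends in each case; `insertPrepared()` needs a connection and is there to show the shape of the query, with a `?` placeholder instead of interpolation.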
 
I actually prefer htmlentities() to strip_tags() in most scenarios... but it really depends on the application.
 
htmlentities -- Convert all applicable characters to HTML entities

strip_tags -- Strip HTML and PHP tags from a string

strip_tags is for removing unwanted tags, while htmlentities, is for converting characters to HTML entities.

strip_tags != htmlentities

Example of htmlentities:
& -> &amp;

Example of strip_tags:
"<img src=" -> "wtf"
"<meta refresh..." -> ""

strip_tags has an optional parameter, where you can specify allowed tags.

If the user can add any code he/she wishes, he/she can add javascript redirection, meta-refresh (with location), images with mature content, large font-styles, white font, hyperlinks to spam-related sites, etc.

I for one, would LIMIT how many tags the user can use.
If images are allowed, and the site is for a PG-13 audience, only allow images that are on-site.

If you don't need images in your guestbook, don't allow them!
I would allow:
<b><br>

maybe I would allow <p>, but I'm not sure, as it might screw up your validation.

$foo = strip_tags($bar, $allowed);

where $allowed = '<b><br>';

Olav Alexander Mjelde
Admin & Webmaster
 
No, strip_tags != htmlentities.

But they both are equally effective in stopping the type of attacks you are describing.

Using your above example
<img src="
becomes
&lt;img src="
So when reprinted to a browser, the tag is displayed rather than evaluated.

Depending on the content of the site in question one may be more relevant than the other.
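To make the comparison in the last two posts concrete, here is an added PHP example (not code from the thread) that runs the same guestbook inputs through htmlentities() and through strip_tags() with the `<b><br>` allow-list suggested above. The sample inputs and the handler name `doSomething()` are constructed; the point it adds is a caveat from the PHP manual: strip_tags() keeps whatever attributes an allowed tag carries.

```php
<?php
// Added example, not from the thread. Compares htmlentities() with
// strip_tags() using the '<b><br>' allow-list from the post above.

function escapeForHtml(string $s): string {
    // ENT_QUOTES also converts ', so the result is safe inside attributes
    // as well as in element content.
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

function stripToAllowed(string $s, string $allowed = '<b><br>'): string {
    return strip_tags($s, $allowed);
}

// Constructed guestbook entries: a harmless one, an off-site image
// (the kind the post above says to refuse), and an allowed tag that
// carries an event-handler attribute.
$inputs = [
    'Great site & <b>fast</b><br>',
    '<img src="http://example.com/off-site.png">',
    '<b onmouseover="doSomething()">hover me</b>',
];

foreach ($inputs as $in) {
    echo "input:        $in\n";
    echo "htmlentities: ", escapeForHtml($in), "\n";
    echo "strip_tags:   ", stripToAllowed($in), "\n\n";
}
// htmlentities() turns every input into inert text (the browser shows the
// tag source). strip_tags() removes the <img> entirely but returns the
// third input unchanged: <b> is allowed, and strip_tags() never touches
// attributes, so the onmouseover handler survives. If allowed tags must
// not carry attributes, escape with htmlentities() or run the output
// through a real HTML sanitizer instead of relying on the allow-list.
```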
 
Yes, true, but why allow HTML in a regular guestbook?
If it's a "submit source" system, I see that this is the way to go, however.

Olav Alexander Mjelde
Admin & Webmaster
 
the other old option is to replace the single quote with 2 single quotes...but then you still have to handle any other issues with the data

Bastien

Cat, the other other white meat
 
You could also str_replace all occurrences.
You can use str_replace with arrays of what to replace with what.

look at examples:

truly very simple to use..
it's used for things like:
smiley-script, bad-word script, etc.

you can simply also gather data from a mysql database or a flatfile and use an array containing those values, to replace bad with good, or good with evil?

depends on what your purpose is. This is also how you can make your own page that makes cursewords on other pages..

Olav Alexander Mjelde
Admin & Webmaster
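The array form of str_replace() that the post above describes, as an added PHP example (not code from the thread) with a constructed smiley/bad-word map. It also shows the ordering pitfall noted in the PHP manual: the pairs are applied one after another, so a later pair can rewrite text that an earlier pair just inserted, and strtr() as the alternative that scans the input once.

```php
<?php
// Added example, not from the thread. str_replace() with parallel
// search/replace arrays, as used for smiley and bad-word filters.

function filterWords(string $text, array $map): string {
    // Escape first so the only HTML in the result is what the map itself
    // inserts; otherwise the filter would pass user-supplied tags through.
    $text = htmlentities($text, ENT_QUOTES, 'UTF-8');
    return str_replace(array_keys($map), array_values($map), $text);
}

// Constructed word list (in practice loaded from a table or flat file).
$map = [
    ':)'   => '<img src="/img/smile.gif" alt=":)">',
    'darn' => 'd***',
];
echo filterWords("darn, that's nice :)", $map), "\n";
// d***, that&#039;s nice <img src="/img/smile.gif" alt=":)">

// Pitfall: each pair sees the output of the previous ones. Here the
// second pair rewrites the image path that the first pair produced.
$ordered = [
    ':)'    => '<img src="/img/smile.gif" alt=":)">',
    'smile' => 'grin',
];
echo filterWords("say :)", $ordered), "\n";
// say <img src="/img/grin.gif" alt=":)">

// strtr() with an array tries longer keys first and never re-examines
// text it has already replaced, so the path is left alone.
echo strtr("say :)", $ordered), "\n";
// say <img src="/img/smile.gif" alt=":)">
```

Either reorder the map so that no replacement's output contains a later key, or use strtr() when the map can be edited by people who will not think about that.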
 
If I'm not mistaken all mysql_escape_string() is just a wrapper for str_replace which already knows which strings really matter.
 