Escape quotes/strip slashes.

#1
[eluser]jrutter[/eluser]
My insert code isn't stripping quotes and adding slashes, so when a user adds data with quotes, it breaks my application. So I'm not sure what I need to do to make this work.

Here is my insert code:

Code:
function insert_park()
    {
        $this->park_name   = $_POST['park_name'];
        $this->park_description   = $_POST['park_description'];
        $this->park_website   = $_POST['park_website'];
        $this->park_addr1   = $_POST['park_addr1'];
        $this->park_city   = $_POST['park_city'];
        $this->park_state   = $_POST['park_state'];
        $this->park_zip   = $_POST['park_zip'];
        $this->park_visible   = $_POST['park_visible'];
        
        $this->db->insert('parks_tbl', $this);
        
    }

Any help would be greatly appreciated!

#2
[eluser]xzela[/eluser]
Try using an array and see if that helps:

Code:
function insert_park() {
  $fields = array();

  $fields['park_name'] = $_POST['park_name'];
  $fields['park_description'] = $_POST['park_description'];
  $fields['park_website'] = $_POST['park_website'];
  $fields['park_addr1'] = $_POST['park_addr1'];
  $fields['park_city'] = $_POST['park_city'];
  $fields['park_state'] = $_POST['park_state'];
  $fields['park_zip'] = $_POST['park_zip'];
  $fields['park_visible'] = $_POST['park_visible'];

  $this->db->insert('parks_tbl', $fields);
        
}

#3
[eluser]jrutter[/eluser]
It seems to be storing it correctly in the database, but I'm having trouble when I output the data here:

Any thoughts?

<?php echo "var infoHTML = '<a >park_id."\">".$row->park_name."</a><br>".$row->park_city.",".$row->park_state."';"."\n";?>

It seems to get confused with the single quotes, and sees the single quotation in the name of the park as the closing one here. Hmm.

#4
[eluser]xzela[/eluser]
I'll have to assume that you're throwing this into a JavaScript string. You should probably use PHP's 'htmlspecialchars' method.

Try this:
Code:
<?php
// fields that could have quotes
$park_name = htmlspecialchars($row->park_name);
$park_city = htmlspecialchars($row->park_city);
$park_state = htmlspecialchars($row->park_state);
?>

#5
[eluser]jrutter[/eluser]
Yes, I'm using an echo statement to try to get it into a JS function for Google Maps. It works, until there is a park name with single quotes. Is there a PHP function that will add a slash to any quotes it finds?

#6
[eluser]xzela[/eluser]
Yes, it's called addslashes();

Hope this helps.

#7
[eluser]jrutter[/eluser]
I tried that, and it adds the slashes. But I'm getting a conflict still.

Basically, from that statement above, if the name has a single quote in it, it conflicts with the string as a whole in single quotes and bugs out. Do you have any ideas of a way around that?

You have been a great help so far :)

#8
[eluser]xzela[/eluser]
Try this:
Also, note that I removed the '\n' command as it is not needed at the moment.

Code:
<?php
    $park_id = $row->park_id;
    $park_name = $row->park_name;
    $park_city = $row->park_city;
    $park_state = $row->park_state;
    $string = "<a >" . $park_id . "/". $park_name . "</a><br>" . $park_city. "," . $park_state;
    $html_info = addslashes($string);
?>
var htmlInfo = "<?php echo $html_info; ?>";

I don't know if this is going to work for what you need. But I tested it with a single quote and it appeared to work.

#9
[eluser]jrutter[/eluser]
Excellent! I really appreciate the help on this. Let me see if I can make it work...

#10
[eluser]jrutter[/eluser]
I owe you a big thanks! With your help, I got it working! Thank you so much!

Here is the code:

Code:
<?php $park_id = $row->park_id; ?>
<?php $park_name = $row->park_name; ?>
<?php $park_city = $row->park_city; ?>
<?php $park_state = $row->park_state; ?>
<?php $park_lat = $row->park_latitude; ?>
<?php $park_long = $row->park_longitude; ?>
<?php $string = "<a >" . $park_name . "</a><br>" . $park_city. "," . $park_state; ?>

<?php $infoHTML = addslashes($string); ?>

var infoHTML = "<?php echo $infoHTML; ?>";
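
Added example, not part of any post in this thread: addslashes() handles the apostrophe case discussed above, but it leaves a stored `</script>` or a line break untouched, and either one still breaks (or takes over) the inline script. The sketch below HTML-escapes each value for the markup and then encodes the whole string for JavaScript with json_encode(); the function names, the `/parks/view/` route and the sample rows are constructed for illustration, and PHP 7.4 or later is assumed.

```php
<?php
// Added example; function names, route and sample rows are constructed.

// HTML-escape each database value: the string is rendered as HTML by the map.
function park_info_html(object $row, string $baseUrl): string
{
    $e = static fn($s): string => htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
    $href = $baseUrl . rawurlencode((string) $row->park_id);
    return '<a href="' . $e($href) . '">' . $e($row->park_name) . '</a><br>'
         . $e($row->park_city) . ', ' . $e($row->park_state);
}

// Encode for the JavaScript context. json_encode() adds the surrounding
// quotes and escapes newlines; the JSON_HEX_* flags turn < > & ' " into
// \uXXXX so the value cannot end the string or the <script> element.
function js_string(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    return json_encode($value, $flags | JSON_THROW_ON_ERROR);
}

// The thread's approach, simplified for comparison: addslashes() on raw values.
function addslashes_literal(object $row): string
{
    return '"' . addslashes($row->park_name . '<br>' . $row->park_city) . '"';
}

// Constructed rows: an apostrophe, then a closing tag and a line break.
$rows = [
    (object) ['park_id' => 7, 'park_name' => "Devil's Lake", 'park_city' => 'Baraboo', 'park_state' => 'WI'],
    (object) ['park_id' => 8, 'park_name' => 'Mill</script>Pond', 'park_city' => "Two\nLines", 'park_state' => 'NA'],
];

foreach ($rows as $row) {
    // Row 8 keeps "</script>" and a raw newline here, which breaks the page.
    echo '// addslashes: ' . addslashes_literal($row) . "\n";
    // Here the markup's < and > become \u003C and \u003E, the newline "\n".
    echo 'var infoHTML = ' . js_string(park_info_html($row, '/parks/view/')) . ";\n";
}
```

Because json_encode() emits its own double quotes, the template line is `var infoHTML = <?php echo js_string($html); ?>;` with no quotes written around the PHP tag.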

