quote marks in sql causing problems

Z

ZAccimiVep

New Member
I have a simple html input textbox in a very simple form. the information form this form is transmitted to a mysql database with an sql string.Everything works slick, except when someone types " or '. I don't want to limit the users as to what they can type.Should I do a find and replace to the string before I run the query against the database?Is there a simple way?here's some code:\[code\]<?phpsession_start();if (empty($_SESSION['user']) && empty($_REQUEST['form'])) //check this code!!1{ exit;}if (isset($_REQUEST['Submit'])){ //echo "Let's process this form!"; include "config.php"; include "mail.php"; if ($_REQUEST['form'] == "profile") {//public profile //print_r($_REQUEST); //"UPDATE `tims`.`pending_profile` SET `nickname` = 'I Don''t Have One' WHERE `pending_profile`.`id` = 1;"; $sql = "INSERT INTO `tims`.`pending_profile`" . "(`id`, `nickname`, `location`, `role`, `yog`, `interests`, `favMoment`, `gainThisYr`, `futurePlans`, `bio`) \n" . "VALUES ('" . $_SESSION['id'] . "', '" . $_REQUEST['nickname'] . "', '" . $_REQUEST['town'] . "', '" . $_REQUEST['role'] . "', '" . $_REQUEST['yog'] . "', '" . $_REQUEST['interests'] . "', '" . $_REQUEST['fav_moment'] . "', '" . $_REQUEST['gain'] . "', '" . $_REQUEST['future'] . "', '" . $_REQUEST['bio'] . "')\n" . "ON DUPLICATE KEY UPDATE nickname ='" . $_REQUEST['nickname'] . "', location='" . $_REQUEST['town'] . "', role= '" . $_REQUEST['role'] . "', yog='" . $_REQUEST['yog'] . "', interests='" . $_REQUEST['interests'] . "', favMoment='" . $_REQUEST['fav_moment'] . "', gainThisYr='" . $_REQUEST['gain'] . "', futurePlans='" . $_REQUEST['future'] . "', bio='" . $_REQUEST['bio'] . "'\n"; $qry = mysql_query($sql) or die(mysql_error());//@todo overlay this//http://flowplayer.org/tools/overlay/index.html //send mail to moderators include "vars.php"; $to = $captMail; $prof = implode("\n", $_REQUEST); $subject = "Moderation Needed"; $body = $_SESSION['fullname'] . " Has just changed their public profile.\n" . "Please login here to moderate their changes:\n" . //"http://team2648.com/OPIS/login.php?page=manage". "http://www." . $sysurl . "/login.php?page=manage\n" . "Best,\n" . "Blake\n\n\n" . "Click here to accept the profile bleow\n\n" . "http://www." . $sysurl . "/login.php?page=manage&acceptID=".$_SESSION['id']."\n" . $prof; mailer($to, $subject, $body); $to = $mentorMail; mailer($to, $subject, $body); echo "<link href=http://stackoverflow.com/"../css/styling.css\" rel=\"stylesheet\" type=\"text/css\" media=\"screen\" />"; echo "<div class =\"widget\" style=\"width:350px\">"; echo "Your changes have been saved, they will not go live until reviewed by a moderator"; echo "<br>"; echo "<a href=http://stackoverflow.com/"../\">Click here to continue</a>"; echo "</div>"; } exit;}$sql = "SELECT * FROM `pending_profile` WHERE id ='" . $_SESSION['id'] . "'";$qry = mysql_query($sql) or die(mysql_error());$row = mysql_fetch_assoc($qry);?><!--<h3>Use this page to manage your profile information</h3>--><h4>Public Profile</h4><strong>NOTE:</strong> Fields filled with [NONE] will not show on the website.<br /><form id="profile" name="profile" method="get" action="lib/preview.php"> <input type="hidden" value="http://stackoverflow.com/questions/3814770/profile" name="form"> <input type="hidden" value="http://stackoverflow.com/questions/3814770/<?php echo $_SESSION['id']; ?>" name="id"> <table> <tr> <td><label for="myname">Hello, My name is:</label><td> <td><input type="text" readonly="readonly" name="myname" value="http://stackoverflow.com/questions/3814770/<?php echo $_SESSION['firstname']; ?>"/><td> </tr> <tr> <td><label for="nickname">But I like to be called:</label><td> <td><input type="text" name="nickname" value="http://stackoverflow.com/questions/3814770/<?php echo $row['nickname']; ?>"/><td> </tr> <tr> <td><label for="town">I live in:</label><td> <td><input type="text" name="town" value="http://stackoverflow.com/questions/3814770/<?php echo $row['location']; ?>"/><td> </tr> <tr> <td><label for="role">My role on the team is:</label><td> <td><input type="text" name="role" value="http://stackoverflow.com/questions/3814770/<?php echo $row['role']; ?>"/><td> </tr> <tr> <td><label for="yog">I will graduate High School in:</label><td> <td><input type="text" name="yog" value="http://stackoverflow.com/questions/3814770/<?php echo $row['yog']; ?>"/><td> </tr> <tr> <td><label for="interests">Some of my interests are:</label><td> <td><input type="text" name="interests" value="http://stackoverflow.com/questions/3814770/<?php echo $row['interests']; ?>"/><td> </tr> <tr> <td><label for="fav_moment">One of my favorite team moments:</label><td> <td><input type="text" name="fav_moment" value="http://stackoverflow.com/questions/3814770/<?php echo $row['favMoment']; ?>"/><td> </tr> <tr> <td><label for="gain">I would like to gain the following this year:</label><td> <td><input type="text" name="gain" value="http://stackoverflow.com/questions/3814770/<?php echo $row['gainThisYr']; ?>"/><td> </tr> <tr> <td><label for="future">My future plans include:</label><td> <td><input type="text" name="future" value="http://stackoverflow.com/questions/3814770/<?php echo $row['futurePlans']; ?>"/><td> </tr> <tr> <td><label for="bio">My Bio:</label><td> <td><textarea name="bio" ><?php echo $row['bio']; ?></textarea><td> </tr> </table> * All fields are required.<?phpinclude "disclaimer.php";// @todo add js validation of all fields filled in?> <br><input type="submit" name="Submit" value="http://stackoverflow.com/questions/3814770/I Agree, Preview"/></form>\[/code\]
 
You must log in or register to reply here.
Back
Top