Removing Slashes In Forms

furiousweebee
Forum Commoner
Posts: 69
Joined: Sun Jul 11, 2004 7:38 am
Location: Brisbane, Australia

Removing Slashes In Forms

Post by furiousweebee »

I'll keep this simple. ;)

I have a form that submits data from the form fields into a MySQL database. People's names may contain an apostrophe so when they enter that, I want it to store the result just like any other. At the moment, my script puts a slash in front of the apostrophe when it stores it. Here's my code:

Code:

<?php
$date=date("d-m-Y");
$database_name = "my_database";
$dbh = mysql_connect("localhost","username","password");
if (!mysql_select_db($database_name)) {
  echo "Unable to select \"$database_name\" database";
}

$first_name	= ltrim(rtrim(strip_tags(addslashes($_POST['first_name']))));
$last_name	= ltrim(rtrim(strip_tags(addslashes($_POST['last_name']))));
$birth_year	= ltrim(rtrim(strip_tags(addslashes($_POST['birth_year']))));
$email		= ltrim(rtrim(strip_tags(addslashes($_POST['email']))));
$address		= ltrim(rtrim(strip_tags(addslashes($_POST['address']))));
$city		= ltrim(rtrim(strip_tags(addslashes($_POST['city']))));
$state_province	= ltrim(rtrim(strip_tags(addslashes($_POST['state_province']))));
$country		= ltrim(rtrim(strip_tags(addslashes($_POST['country']))));
$zip		= ltrim(rtrim(strip_tags(addslashes($_POST['zip']))));
$continent		= ltrim(rtrim(strip_tags(addslashes($_POST['continent']))));
$phone		= ltrim(rtrim(strip_tags(addslashes($_POST['phone']))));
$major_city	= ltrim(rtrim(strip_tags(addslashes($_POST['major_city']))));
$faves		= ltrim(rtrim(strip_tags(addslashes($_POST['faves']))));
$comments	= ltrim(rtrim(strip_tags(addslashes($_POST['comments']))));

// VALIDATION
if(empty($first_name) || empty($last_name) || empty($email) || empty($address) || empty($city) || empty($country) || empty($zip) || empty($continent)) {

echo "<span class=\"error\">Error!</span><br><br>You have not filled in all the required fields.<br><br><a href=\"javascript:history.go(-1)\">Click here to go back to the form.</a>";
}

elseif(!ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {

echo "<span class=\"error\">Error!</span><br><br>The email address you have entered is invalid.<br><br><a href=\"javascript:history.go(-1)\">Click here to go back to the form.</a>";
}
else {

$sql = "insert into street_team (date, first_name, last_name, birth_year, email, address, city, state_province, country, zip, continent, phone, major_city, faves, comments) 
values ('$date', '$first_name', '$last_name', '$birth_year', '$email', '$address', '$city', '$state_province', '$country', '$zip', '$continent', '$phone', '$major_city', '$faves', '$comments')";

$res = mysql_query($sql,$dbh);
	if (!$res) {
	echo mysql_errno().": ".mysql_error ()."";
	return 0;
	}

	echo "<span class=\"confirmation\">Success!</span><br><br>You are now a member of the Street Team."; }
?>
I originally had "stripslashes" instead of "addslashes" but it was giving me an error message such as "There is an error in your SQL syntax near..." followed by the first instance of some information containing an apostrophe. So, does anyone know how to fix this problem?
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

It's because you use addslashes, which adds a slash in front of all apostrophes. You should be ok to leave them there if you're adding the data to a database - as it will remove them (as it's just to escape the character). If you want to print the variable then use stripslashes before you echo it.
furiousweebee
Forum Commoner
Posts: 69
Joined: Sun Jul 11, 2004 7:38 am
Location: Brisbane, Australia

Post by furiousweebee »

So basically I can remove the "addslashes" part of my code above, and then when I go to display or use the information in some way later, I use stripslashes to remove any slashes?
leenoble_uk
Forum Contributor
Posts: 108
Joined: Fri May 03, 2002 10:33 am
Location: Cheshire

Post by leenoble_uk »

Don't forget to HTMLENTITIESise these variables if you are later echoing them into form elements, otherwise the apostrophe may finish the value part of your input tag.

Code:

<?php
$lastname = "O'Rourke";
echo "<input type='text' name='lastname' value='$lastname'/>";
?>
would fail to output properly. You would need to add:

Code:

<?php
$lastname = htmlentities($lastname, ENT_QUOTES);
?>
before echoing the input tag. This isn't necessary for just outputting as text though. Alternatively make sure you use double quote marks in the input tag.
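
Added example, not part of any post in this thread: it traces how the slash reaches the stored row when a value is escaped twice, then stores the same name through a bound parameter and encodes it only when it is written into the input tag. It assumes magic_quotes_gpc was enabled on the poster's server (the thread does not say so), uses PDO with an in-memory SQLite database in place of the thread's MySQL connection so it runs offline, and reduces the street_team table to one column; the input_tag() helper is hypothetical.

```php
<?php
// Added example; the input value is constructed.
$raw = "O'Rourke";                        // what the user typed

$pdo = new PDO('sqlite::memory:');        // assumption: stands in for MySQL
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE street_team (id INTEGER PRIMARY KEY, last_name TEXT)');

// 1) Escaping twice. With magic_quotes_gpc on (assumed), $_POST arrives
//    already escaped; the first addslashes() call simulates that.
$fromPost = addslashes($raw);
//    The script's own addslashes() then escapes the escape character too.
$inQuery = addslashes($fromPost);
//    A MySQL string literal undoes exactly one level of backslash escaping;
//    stripslashes() is used here only to model that step.
$storedDouble = stripslashes($inQuery);   // one backslash survives into the row

// 2) Bound parameter: the value is sent apart from the SQL text, so it needs
//    no escaping and is stored byte for byte.
$stmt = $pdo->prepare('INSERT INTO street_team (last_name) VALUES (:last_name)');
$stmt->execute([':last_name' => trim($raw)]);
$storedBound = $pdo->query('SELECT last_name FROM street_team')->fetchColumn();

// 3) Encode for HTML only at output time. ENT_QUOTES covers single quotes,
//    so the apostrophe cannot close a single-quoted attribute value.
function input_tag(string $name, string $value): string
{
    $n = htmlentities($name, ENT_QUOTES, 'UTF-8');
    $v = htmlentities($value, ENT_QUOTES, 'UTF-8');
    return "<input type='text' name='$n' value='$v'/>";
}

echo "escaped twice, as stored:   $storedDouble\n";
echo "bound parameter, as stored: $storedBound\n";
echo input_tag('lastname', $storedBound), "\n";

// The stored value stays raw; stripslashes() is never needed on read-back.
var_dump($storedBound === $raw);
```

With a real MySQL server only the PDO DSN and credentials change; the prepare/execute calls and the output encoding stay the same.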
furiousweebee
Forum Commoner
Posts: 69
Joined: Sun Jul 11, 2004 7:38 am
Location: Brisbane, Australia

Post by furiousweebee »

Okie dokie, it's working now (not putting slashes into my data), so thanks for your help. I'm learning a lot from you guys (albeit slowly :P) so I appreciate it.