Removing Slashes In Forms

Posted: Thu Jul 15, 2004 5:20 am
by furiousweebee
I'll keep this simple. ;)

I have a form that submits data from the form fields into a MySQL database. People's names may contain an apostrophe so when they enter that, I want it to store the result just like any other. At the moment, my script puts a slash in front of the apostrophe when it stores it. Here's my code:

Code:

<?php
// PHP 4-era script: the mysql_*() functions and ereg() used here were
// removed in PHP 7.
$date = date("d-m-Y");
$database_name = "my_database";
$dbh = mysql_connect("localhost", "username", "password");
if (!mysql_select_db($database_name)) {
    echo "Unable to select \"$database_name\" database";
}

// Trim whitespace, strip HTML tags and escape quotes in every posted field.
$first_name     = trim(strip_tags(addslashes($_POST['first_name'])));
$last_name      = trim(strip_tags(addslashes($_POST['last_name'])));
$birth_year     = trim(strip_tags(addslashes($_POST['birth_year'])));
$email          = trim(strip_tags(addslashes($_POST['email'])));
$address        = trim(strip_tags(addslashes($_POST['address'])));
$city           = trim(strip_tags(addslashes($_POST['city'])));
$state_province = trim(strip_tags(addslashes($_POST['state_province'])));
$country        = trim(strip_tags(addslashes($_POST['country'])));
$zip            = trim(strip_tags(addslashes($_POST['zip'])));
$continent      = trim(strip_tags(addslashes($_POST['continent'])));
$phone          = trim(strip_tags(addslashes($_POST['phone'])));
$major_city     = trim(strip_tags(addslashes($_POST['major_city'])));
$faves          = trim(strip_tags(addslashes($_POST['faves'])));
$comments       = trim(strip_tags(addslashes($_POST['comments'])));

// VALIDATION
if (empty($first_name) || empty($last_name) || empty($email) || empty($address) || empty($city) || empty($country) || empty($zip) || empty($continent)) {

    echo "<span class=\"error\">Error!</span><br><br>You have not filled in all the required fields.<br><br><a href=\"javascript:history.go(-1)\">Click here to go back to the form.</a>";
}
elseif (!ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {

    echo "<span class=\"error\">Error!</span><br><br>The email address you have entered is invalid.<br><br><a href=\"javascript:history.go(-1)\">Click here to go back to the form.</a>";
}
else {
    // The escaped values are interpolated straight into the SQL text.
    $sql = "insert into street_team (date, first_name, last_name, birth_year, email, address, city, state_province, country, zip, continent, phone, major_city, faves, comments)
    values ('$date', '$first_name', '$last_name', '$birth_year', '$email', '$address', '$city', '$state_province', '$country', '$zip', '$continent', '$phone', '$major_city', '$faves', '$comments')";

    $res = mysql_query($sql, $dbh);
    if (!$res) {
        echo mysql_errno() . ": " . mysql_error();
        return 0;
    }

    echo "<span class=\"confirmation\">Success!</span><br><br>You are now a member of the Street Team.";
}
?>
I originally had "stripslashes" instead of "addslashes" but it was giving me an error message such as "There is an error in your SQL syntax near..." followed by the first instance of some information containing an apostrophe. So, does anyone know how to fix this problem?
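A note on what is most likely going on in this post, and an added example that is not code from the thread. One slash surviving into the table after addslashes() is the symptom you get when PHP's magic_quotes_gpc, on by default in PHP 4, has already escaped $_POST before the script escapes it again: MySQL consumes one backslash and stores the other. Dropping addslashes(), as the thread goes on to do, only stays safe while magic quotes keeps doing the escaping; with magic quotes off (the default since PHP 5.3, removed in PHP 5.4) the interpolated INSERT above accepts SQL injection through any field. The durable fix is to hand the values to the driver separately from the SQL text with a prepared statement, which also stores the apostrophe exactly as typed, so no stripslashes() is needed on the way out. The script below uses PDO against an in-memory SQLite table named like the poster's street_team so it runs offline; the four columns it creates and the constructed sample rows are assumptions, and for MySQL the DSN would be swapped for the real host, database and credentials.

```php
<?php
// Added example (not from the original thread): store names with apostrophes
// by letting the database driver handle quoting. The data travels separately
// from the SQL text, so no addslashes()/stripslashes() pair is needed and a
// value like O'Rourke can neither break nor alter the query.
//
// Assumption: an in-memory SQLite table stands in for the poster's MySQL
// street_team table so this runs offline. For MySQL use a DSN such as
// "mysql:host=localhost;dbname=my_database;charset=utf8mb4" with the real
// username and password, and set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the client, binds the parameters.

declare(strict_types=1);

function connect(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE street_team (
        id INTEGER PRIMARY KEY,
        date TEXT, first_name TEXT, last_name TEXT, email TEXT)');
    return $dbh;
}

function cleanField(array $post, string $key): string
{
    // Trim whitespace and strip tags as the original did; nothing is escaped
    // here because escaping is the driver's job at bind time.
    return trim(strip_tags($post[$key] ?? ''));
}

function addMember(PDO $dbh, array $post): int
{
    $stmt = $dbh->prepare(
        'INSERT INTO street_team (date, first_name, last_name, email)
         VALUES (:date, :first_name, :last_name, :email)');
    $stmt->execute([
        ':date'       => date('d-m-Y'),
        ':first_name' => cleanField($post, 'first_name'),
        ':last_name'  => cleanField($post, 'last_name'),
        ':email'      => cleanField($post, 'email'),
    ]);
    return (int) $dbh->lastInsertId();
}

function fetchLastName(PDO $dbh, int $id): string
{
    $stmt = $dbh->prepare('SELECT last_name FROM street_team WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

$dbh = connect();

// Constructed sample input standing in for $_POST. The second last_name is the
// kind of payload the string-built query would have executed as SQL; here it
// is stored as an ordinary string.
$samples = [
    ['first_name' => 'Sean', 'last_name' => "O'Rourke",
     'email' => 'sean@example.com'],
    ['first_name' => 'Eve',  'last_name' => "x'); DROP TABLE street_team; --",
     'email' => 'eve@example.com'],
];

foreach ($samples as $post) {
    $id = addMember($dbh, $post);
    // Round trip: what went in comes back byte for byte, with no slashes added.
    var_dump(fetchLastName($dbh, $id) === $post['last_name']);
}
```

Run it with `php` from the command line; the round-trip comparison holds for both rows, and the table is still there after the second insert. If you must stay on the old mysql extension, the escaping function for that API was mysql_real_escape_string(), which respects the connection's character set in a way addslashes() does not, and it should be applied once, to raw input that magic quotes has not already touched.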

Posted: Thu Jul 15, 2004 5:39 am
by kettle_drum
It's because you use addslashes, which adds a slash in front of all apostrophes. You should be ok to leave them there if you're adding the data to a database, as it will remove them (as it's just to escape the character). If you want to print the variable then use stripslashes before you echo it.

Posted: Thu Jul 15, 2004 5:49 am
by furiousweebee
So basically I can remove the "addslashes" part of my code above, and then when I go to display or use the information in some way later, I use stripslashes to remove any slashes?

Posted: Thu Jul 15, 2004 5:59 am
by leenoble_uk
Don't forget to HTMLENTITIESise these variables if you are later echoing them into form elements, otherwise the apostrophe may finish the value part of your input tag.

Code: Select all

<?php
$lastname = "O'Rourke";
echo "<input type='text' name='lastname' value='$lastname'/>";
?>
would fail to output properly. You would need to add:

Code: Select all

<?php
$lastname = htmlentities($lastname, ENT_QUOTES);
?>
before echoing the input tag. This isn't necessary for just outputting as text though. Alternatively make sure you use double quote marks in the input tag.
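Two caveats worth adding to this advice, followed by an added example that is not code from the thread. Switching the attribute to double quotes only moves the problem: a value containing `"` then closes the attribute just as the apostrophe closed the single-quoted one, and can smuggle in an event handler. And once the database holds the unescaped value, stripslashes() on output is no longer needed and will eat any backslash a user legitimately typed. The helper below escapes every value placed in an attribute with htmlspecialchars() and ENT_QUOTES (before PHP 8.1 the default flags left `'` alone, which is exactly the failure described above); the sample values are constructed for the demonstration.

```php
<?php
// Added example (not from the original thread): escape values before placing
// them inside HTML attributes so an apostrophe, a double quote or a < cannot
// terminate the attribute or start a tag. htmlspecialchars() covers the
// characters that matter in HTML; ENT_QUOTES makes it encode ' as well as ".

declare(strict_types=1);

function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderInput(string $name, string $value): string
{
    // Always quote the attribute and always escape what goes inside it; the
    // two measures only work together.
    return '<input type="text" name="' . attr($name) . '" value="' . attr($value) . '">';
}

// Constructed sample values: a legitimate name, a value built to close a
// double-quoted attribute and add an event handler, and a plain script tag.
$samples = [
    "O'Rourke",
    '" onfocus="alert(document.cookie)" x="',
    '<script>alert(1)</script>',
];

foreach ($samples as $value) {
    echo renderInput('lastname', $value), "\n";
}

// For comparison, the two unsafe shapes discussed in the thread: single quotes
// with no escaping break on the apostrophe, and double quotes with no escaping
// break on the double quote in the second sample.
echo "<input type='text' name='lastname' value='{$samples[0]}'>\n";
echo "<input type=\"text\" name=\"lastname\" value=\"{$samples[1]}\">\n";
```

In the escaped output every `'`, `"` and `<` arrives as an entity, so the browser shows the text verbatim in the field and executes nothing; in the two unescaped lines the browser sees the attribute end early. htmlentities() with ENT_QUOTES, as in the post above, works just as well for this purpose; htmlspecialchars() is the narrower function and is what most code uses for output encoding.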

Posted: Thu Jul 15, 2004 6:15 am
by furiousweebee
Okie dokie, it's working now (not putting slashes into my data), so thanks for your help. I'm learning a lot from you guys (albeit slowly :P) so I appreciate it.