Data filtering

stebut05
Forum Commoner
Posts: 35
Joined: Wed Sep 21, 2005 9:29 am
Location: Liverpool, UK

Data filtering

Post by stebut05 »

Hi all,

Hope someone could please help me. I have built a small site with a shopping cart. When a user adds items and enters personal details, all the information is filtered and stored into temp tables in a db. Then the user is directed to the payment processing provider; if the transaction is successful the user is redirected back to a complete page. On this page a query is performed on the temp tables and the details are inserted into permanent tables. However, the data seems to be unclean, as if there are any characters such as ' in the records the permanent table will not accept them and an error happens. I thought that once the data was cleaned for the temp and then inserted into the permanent table it would not need to be cleaned, could you tell me if this is correct?

The query for temp table and data insert for permanent table is below.

Code: Select all

$query4 = "SELECT * FROM Temp_Shipping where shipping_id = '$sessid'";
		$results4 = mysql_query($query4) or die(mysql_error());
		
		
		while ($rows4 = mysql_fetch_array($results4))	{
		extract($rows4);
		
		$insert4 = ("INSERT INTO Shipping (order_id, s_company, s_building, s_address_line_one, s_address_line_two, s_city,
						s_county, s_country, s_post_code, s_telephone, s_mobile, s_fax, s_comments, s_items)
  					VALUES (
					'$new_order_id',
					'$s_company',
					'$s_building',
					'$s_address_line_one',
					'$s_address_line_two',
					'$s_city',
					'$s_county',
					'$s_country',
					'$s_post_code',
					'$s_telephone',
					'$s_mobile',
					'$s_fax',
					'$s_comments',
					'$s_items')");
                       
					  
  		$Result4 = mysql_query($insert4) or die(mysql_error());

}


Is the way of cleaning the data in this code? I would really appreciate any help, suggestions etc. and thanks in advance.

Kind regards,

Steven
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

mysql_real_escape_string() before inserting into DB

htmlentities() when 'echoing'

Post by stebut05 »

Hi jenk,

Thanks for your help, I am quite new to this. Where would I put what you suggested into the query? Thanks again for your help.

Regards,

Steven
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Code: Select all

$insert4 = ("INSERT INTO Shipping (order_id, s_company, s_building, s_address_line_one, s_address_line_two, s_city,
                        s_county, s_country, s_post_code, s_telephone, s_mobile, s_fax, s_comments, s_items)
                      VALUES (
                    '".mysql_real_escape_string($new_order_id)."',
                    '".mysql_real_escape_string($s_company)."'");

                  //........ etc etc

Post by stebut05 »

Hi,

I have done the above, but I am still getting errors because of odd characters.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Lane', 'Liverpool', '..', '.', 'GBR',

Any ideas?

Kind Regards,

Steven

Post by John Cartwright »

Please post your code.

Post by stebut05 »

Hi, sorry, it helps if I upload the correct file......stress!!!! Thanks for all your help, now resolved. Thanks
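
The point behind the replies above, as an added example that is not code from any poster in this thread: escaping applied when a value goes into the temp table is consumed by that one statement, so the value read back is raw again and has to be bound (or escaped) a second time when it is copied into the permanent table. The sketch uses PDO with an in-memory SQLite database and a table layout trimmed to three columns; both are assumptions so that it runs stand-alone, and the sample row and ids are constructed.

```php
<?php
// Added example. Assumes the pdo_sqlite extension is loaded; the tables are
// trimmed to three columns and the sample row and ids are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Temp_Shipping (shipping_id TEXT, s_address_line_one TEXT, s_city TEXT)');
$db->exec('CREATE TABLE Shipping (order_id INTEGER, s_address_line_one TEXT, s_city TEXT)');

// Step 1: checkout stores the customer's details in the temp table.
// The database keeps the value verbatim, apostrophe included.
$sessid = 'sess-123';
$db->prepare('INSERT INTO Temp_Shipping VALUES (?, ?, ?)')
   ->execute([$sessid, "St John's Lane", 'Liverpool']);

// Step 2: after payment, read the row back. It is untrusted raw data again.
$select = $db->prepare('SELECT * FROM Temp_Shipping WHERE shipping_id = ?');
$select->execute([$sessid]);
$row = $select->fetch(PDO::FETCH_ASSOC);

// Copy built by string interpolation, as in the question: the stored
// apostrophe ends the SQL string literal early and the statement breaks.
$new_order_id = 1001;
$unsafe = "INSERT INTO Shipping VALUES ($new_order_id, "
        . "'{$row['s_address_line_one']}', '{$row['s_city']}')";
try {
    $db->exec($unsafe);
    echo "interpolated copy: ok\n";
} catch (PDOException $e) {
    echo "interpolated copy failed: ", $e->getMessage(), "\n";
}

// Copy with placeholders: the values never become part of the SQL text,
// so no escaping step is needed at either stage.
$insert = $db->prepare(
    'INSERT INTO Shipping (order_id, s_address_line_one, s_city)
     VALUES (:order_id, :line1, :city)'
);
$insert->execute([
    ':order_id' => $new_order_id,
    ':line1'    => $row['s_address_line_one'],
    ':city'     => $row['s_city'],
]);

echo "stored: ", $db->query('SELECT s_address_line_one FROM Shipping')->fetchColumn(), "\n";
```

With the legacy mysql_* functions used in the thread, the equivalent fix is to wrap every value taken from the temp-table row in mysql_real_escape_string() before it goes into the second INSERT.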