Data filtering

Posted: Thu Dec 01, 2005 12:35 pm
by stebut05
Hi all,

Hope someone could please help me. I have built a small site with a shopping cart. When a user adds items and enters personal details, all the information is filtered and stored in temp tables in a DB. Then the user is directed to the payment processing provider; if the transaction is successful, the user is redirected back to a completion page. On this page a query is performed on the temp tables and the details are inserted into permanent tables. However, the data seems to be unclean, as if there are any characters such as ' in the records the permanent table will not accept them and an error happens. I thought that once the data was cleaned for the temp table and then inserted into the permanent table it would not need to be cleaned again; could you tell me if this is correct?

The query for temp table and data insert for permanent table is below.

Code:

$query4   = "SELECT * FROM Temp_Shipping where shipping_id = '$sessid'";
$results4 = mysql_query($query4) or die(mysql_error());

while ($rows4 = mysql_fetch_array($results4)) {
    // Turns every column of the fetched row into a local variable ($s_company, $s_building, ...)
    extract($rows4);

    // The column values are interpolated directly into the SQL string, exactly as stored
    $insert4 = "INSERT INTO Shipping (order_id, s_company, s_building, s_address_line_one, s_address_line_two, s_city,
                    s_county, s_country, s_post_code, s_telephone, s_mobile, s_fax, s_comments, s_items)
                VALUES (
                    '$new_order_id',
                    '$s_company',
                    '$s_building',
                    '$s_address_line_one',
                    '$s_address_line_two',
                    '$s_city',
                    '$s_county',
                    '$s_country',
                    '$s_post_code',
                    '$s_telephone',
                    '$s_mobile',
                    '$s_fax',
                    '$s_comments',
                    '$s_items')";

    $Result4 = mysql_query($insert4) or die(mysql_error());
}


Is the way of cleaning the data in this code? I would really appreciate any help, suggestions etc., and thanks in advance.

Kind regards,

Steven

Posted: Thu Dec 01, 2005 12:38 pm
by Jenk
mysql_real_escape_string() before inserting into DB

htmlentities() when 'echoing'

Posted: Thu Dec 01, 2005 12:41 pm
by stebut05
Hi Jenk,

Thanks for your help, I am quite new to this. Where would I put what you suggested into the query? Thanks again for your help.

Regards,

Steven

Posted: Thu Dec 01, 2005 12:43 pm
by John Cartwright

Code:

$insert4 = ("INSERT INTO Shipping (order_id, s_company, s_building, s_address_line_one, s_address_line_two, s_city,
                s_county, s_country, s_post_code, s_telephone, s_mobile, s_fax, s_comments, s_items)
            VALUES (
                '".mysql_real_escape_string($new_order_id)."',
                '".mysql_real_escape_string($s_company)."'");

//........ etc etc
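To see why the cleaning done for the temp table does not carry over to the permanent one, here is an added example (not code from the thread) that uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table and column names are borrowed from the thread, and the sample address is constructed. Escaping or parameter binding protects one query string; the value that lands in the table is the original text, quote included, so the second INSERT needs its own binding.

```php
<?php
// Added example, not from the thread: escaping is per query, not per value.
// SQLite via PDO is used so this runs offline; the principle is the same for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Temp_Shipping (shipping_id TEXT, s_address_line_one TEXT)');
$db->exec('CREATE TABLE Shipping (order_id INTEGER, s_address_line_one TEXT)');

// Constructed sample input containing the character that broke the insert in the thread.
$sessid  = 'sess-123';
$address = "St Anne's Lane";

// Stage 1: into the temp table with a bound parameter. The quote only matters for
// the SQL text; the stored value is the unmodified "St Anne's Lane".
$st = $db->prepare('INSERT INTO Temp_Shipping (shipping_id, s_address_line_one) VALUES (?, ?)');
$st->execute([$sessid, $address]);

// Stage 2: read it back. It comes out exactly as entered, so it is no "cleaner"
// than when the user typed it.
$st = $db->prepare('SELECT s_address_line_one FROM Temp_Shipping WHERE shipping_id = ?');
$st->execute([$sessid]);
$row = $st->fetch(PDO::FETCH_ASSOC);
echo "fetched value unchanged: ", var_export($row['s_address_line_one'] === $address, true), "\n";

// What the thread's original code does: interpolate the fetched value into a new
// query string. The embedded quote ends the string literal early and the parser fails.
try {
    $db->exec("INSERT INTO Shipping (order_id, s_address_line_one) VALUES (1, '{$row['s_address_line_one']}')");
    echo "interpolated insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "interpolated insert failed: ", $e->getMessage(), "\n";
}

// The fix: bind again for the second query. Every query that carries user-supplied
// data needs its own parameter binding (or escaping), wherever the data came from.
$st = $db->prepare('INSERT INTO Shipping (order_id, s_address_line_one) VALUES (?, ?)');
$st->execute([1, $row['s_address_line_one']]);
$count = $db->query('SELECT COUNT(*) FROM Shipping')->fetchColumn();
echo "rows in Shipping after bound insert: $count\n";
```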

Posted: Thu Dec 01, 2005 1:52 pm
by stebut05
Hi,

I have done the above, but I am still getting errors because of odd characters.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Lane', 'Liverpool', '..', '.', 'GBR',

any ideas?

Kind Regards,

Steven

Posted: Thu Dec 01, 2005 1:54 pm
by John Cartwright
please post your code

Posted: Thu Dec 01, 2005 2:07 pm
by stebut05
Hi, sorry, it helps if I upload the correct file......stress!!!! Thanks for all your help, now resolved. Thanks