addslashes not working as expected

rockie12
Forum Newbie
Posts: 1
Joined: Mon Jul 16, 2007 9:18 pm

addslashes not working as expected

Post by rockie12 »

feyd | Please use code and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


I want to insert data into a mysql database... so I used addslashes($_POST['somefield']) but it is putting a slash and single quote at the start and the end of my variables, so that when I string them together, my insert statement does not work... here is what I am getting...

Thanks in advance for your assistance.
Dean-O

Code:

insert into epc_calendar (title, category, descr, startTime, startAP, endTime, endAP, month, day, year, eventLength, dayOfWeek) values = ( '\'this is \"a test\" for o\'donnel\'' ,'\'Academic\'' , '\'dtsfe\'' , ':\'00\'' , '\'AM\'' , ':\'00\'' , '\'AM\'' , '\'7\'' , '\'14\'' , '\'2007\'' , '\'1\'' , '\'Sunday\'' )

here is how I am building my sql string

Code:

$sql = "insert into calendar (title, category, descr, startTime, startAP, endTime,  endAP, month, day, year, eventLength, dayOfWeek) "
     . "values = (   '$title' ,'$category' , '$descr' , '$startHour" . ":" . "$startMinutes' , '$startAP' , '$endHour" . ":" . "$endMinutes' , '$endAP' , '$month' , '$day' , '$year' , '$eventLength' , '$dayOfWeek'   )";

and the variables are all set using

Code:

if (!get_magic_quotes_gpc()) {
    $title = addslashes(fix_null($_POST['title']));
    $category = addslashes(strip_tags(fix_null($_POST['category'])));
    $descr = addslashes(strip_tags(fix_null($_POST['descr'])));
    $startHour = addslashes(strip_tags(fix_null($_POST['startHour'])));
    $startMinutes = addslashes(strip_tags(fix_null($_POST['startMinutes'])));
    $startAP = addslashes(strip_tags(fix_null($_POST['startAP'])));
    $endHour = addslashes(strip_tags(fix_null($_POST['endHour'])));
    $endMinutes = addslashes(strip_tags(fix_null($_POST['endMinutes'])));
    $endAP = addslashes(strip_tags(fix_null($_POST['endAP'])));
    $month = addslashes(strip_tags(fix_null($_POST['month'])));
    $day = addslashes(strip_tags(fix_null($_POST['day'])));
    $year = addslashes(strip_tags(fix_null($_POST['year'])));
    $eventLength = addslashes(strip_tags(fix_null($_POST['eventLength'])));
    $dayOfWeek = addslashes(strip_tags(fix_null($_POST['dayOfWeek'])));
} else {
    $title = fix_null($_POST['title']);
    $category = fix_null($_POST['category']);
    $descr = fix_null($_POST['descr']);
    $startHour = fix_null($_POST['startHour']);
    $startMinutes = fix_null($_POST['startMinutes']);
    $startAP = fix_null($_POST['startAP']);
    $endHour = fix_null($_POST['endHour']);
    $endMinutes = fix_null($_POST['endMinutes']);
    $endAP = fix_null($_POST['endAP']);
    $month = fix_null($_POST['month']);
    $day = fix_null($_POST['day']);
    $year = fix_null($_POST['year']);
    $eventLength = fix_null($_POST['eventLength']);
    $dayOfWeek = fix_null($_POST['dayOfWeek']);
}

tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Post by tecktalkcm0391 »

get rid of the addslashes and just do:

Code:

$sql = "query goes here";
$sql = mysql_real_escape_string($sql);
....
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

tecktalkcm0391 wrote:get rid of the addslashes and just do:

Code:

$sql = "query goes here";
$sql = mysql_real_escape_string($sql);
....

Escaping the constructed SQL string won't help.

Each value will need to go through mysql_real_escape_string().

fix_null() appears to be the culprit, actually.
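An added example, not code from this thread, that makes feyd's two points concrete: why escaping the finished query cannot work, and what escaping each value once (or better, binding it) looks like. It assumes $db is an open mysqli connection (mysql_real_escape_string() no longer exists in PHP 7+), and it uses a hypothetical fix_null_guess() in place of the poster's undefined fix_null(); wrapping non-empty values in quotes is the guess that reproduces the '\'AM\'' and ':\'00\'' seen in the question.

```php
<?php
// Added example, not from the thread. $db is assumed to be an open mysqli
// connection. fix_null_guess() is a hypothetical stand-in for the poster's
// fix_null(): quoting non-empty values is what yields '\'AM\'' after addslashes().

function fix_null_guess($v) {
    return ($v === null || $v === '') ? '' : "'" . $v . "'";
}

// The chain in the question: quote in the helper, addslashes(), then quote
// again in the SQL. The column would hold literal quote characters, and the
// SQL text gains stray quotes, so the statement fails to parse.
$doubled = addslashes(fix_null_guess('AM'));   // \'AM\'
$badSql  = "... , '$doubled' , ...";            // ... , '\'AM\'' , ...

// Escaping the assembled query (the suggestion feyd is replying to) mangles
// the quotes that delimit every value; MySQL rejects the whole statement.
// $badSql = $db->real_escape_string($badSql);  // never do this

// Legacy-correct form: escape each raw value exactly once, then quote it.
// Empty input becomes an unquoted SQL NULL instead of a quoted empty string.
function quote_value(mysqli $db, $v) {
    if ($v === null || $v === '') {
        return 'NULL';
    }
    return "'" . $db->real_escape_string($v) . "'";
}

// Preferred form: a prepared statement. Values never become part of the SQL
// text, so there is no escaping step left to get wrong. Note that MySQL's
// syntax is "VALUES (...)"; the "values = (...)" in the question is not valid.
function insert_event(mysqli $db, array $f) {
    $stmt = $db->prepare(
        'INSERT INTO calendar (title, category, descr, startTime, startAP) '
        . 'VALUES (?, ?, ?, ?, ?)'
    );
    // Build the HH:MM string once, from the two separate form fields.
    $start = sprintf('%02d:%02d', (int) $f['startHour'], (int) $f['startMinutes']);
    $stmt->bind_param('sssss', $f['title'], $f['category'], $f['descr'],
                      $start, $f['startAP']);
    return $stmt->execute();
}
```

With the prepared form, strip_tags() and any NULL handling still belong in the application before binding; they are no longer mixed up with quoting.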