

Cannot insert data with single quote (Solved by Sonam)





bukaida
I am trying to insert a text file into the mysql 5.0 database through a php script. I am running it under Apache 2.2 with mysql 5.0 and php 5.1. The script is OK if the text inside the file does not have any single or double quote. But if there is any, it refuses to insert until the quote is removed. But I cannot change the content of the file like that because it will change the meaning. How to get around this--

Code:

<?php header("Content-Type: text/html; charset=UTF-8"); ?>
<?php
include 'connect.php';

$title    = $_POST['title'];
$filename = $_FILES['file']['tmp_name'];
$result   = false; // stays false if the upload cannot be opened

if (($handle = fopen($filename, "rb"))) {
    // Read the whole uploaded file, then delete the temporary copy
    $stream = fread($handle, filesize($filename));
    fclose($handle);
    unlink($_FILES['file']['tmp_name']);
    $type = $_FILES['file']['type'];

    echo('Title:'); echo $title;
    //echo('Content:'); echo $stream;

    // $stream and $title go into the SQL text unescaped, so a quote in either
    // one ends the string literal early and the INSERT fails
    $qstr = "INSERT INTO articles (body,title) VALUES ('$stream','$title')";
    $result = mysql_query($qstr) or die(mysql_error());
}

if ($result) {
    echo '<font color="green" size=+2>Records inserted successfully</font>';
}
?>


Please help.
sonam
For mysql you need to use mysql_real_escape_string for preventing errors and injections. Try something like this below. I think it will work.

Code:
$stream = mysql_real_escape_string(fread($handle, filesize($filename)));


Sonam
bukaida
Thanx sonam, will give it a try and post the result here.
Fire Boar
With the original code, you could try entering the following into the title box for fun and profit:

'); DROP TABLE articles; --

You get the general idea.
bukaida
@Sonam
Thanx man, your solution worked like a breeze ( as usual ).

@Fire Boar

yeah, nice one. Fortunately I have gone through your cartoon link first because the thing is having the word 'Drop table'.
sonam
bukaida wrote:
@Sonam
Thanx man, your solution worked like a breeze ( as usual ).

@Fire Boar

yeah, nice one. Fortunately I have gone through your cartoon link first because the thing is having the word 'Drop table'.


@bukaida
You are welcome. I am happy if I can help. Good luck.

@Fire Boar
Ha, ha, this is a nice way to learn how important it is to protect against inserting any dangerous code in mysql syntax.

Sonam
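
The same insert written with a bound-parameter (prepared) statement instead of string interpolation, as an added example that is not part of the original thread. It assumes PDO with the SQLite driver and uses an in-memory database as a stand-in for the MySQL connection in connect.php; the helper name insertArticle and the sample body text are constructed for illustration.

```php
<?php
// Added example: SQLite in-memory stands in for the thread's MySQL server so
// this runs offline; with MySQL only the DSN passed to PDO changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT, title TEXT)');

/**
 * Insert one article (hypothetical helper). $body and $title are bound as
 * parameters, so they travel as data and never become part of the SQL text.
 */
function insertArticle(PDO $pdo, string $body, string $title): int
{
    $stmt = $pdo->prepare('INSERT INTO articles (body, title) VALUES (:body, :title)');
    $stmt->execute([':body' => $body, ':title' => $title]);
    return (int) $pdo->lastInsertId();
}

// Constructed inputs: a file body containing both quote types, and the
// title string quoted earlier in the thread.
$body  = "It's a \"quoted\" line from the uploaded file.\nSecond line.";
$title = "'); DROP TABLE articles; --";

$id = insertArticle($pdo, $body, $title);

// Read the row back and compare it with what was submitted.
$stmt = $pdo->prepare('SELECT body, title FROM articles WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

echo 'body stored unchanged:  ';
var_dump($row['body'] === $body);
echo 'title stored unchanged: ';
var_dump($row['title'] === $title);
echo 'rows in articles: ', $pdo->query('SELECT COUNT(*) FROM articles')->fetchColumn(), "\n";

// Output is a separate context: the original script echoes $title into an
// HTML page, so it needs HTML escaping at that point as well.
echo 'Title: ', htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), "\n";
```

The mysql_* functions used in the thread were removed in PHP 7.0, so bound parameters through PDO or mysqli are the way to write this on current PHP.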