I need help with a php script

Hi, I’m not a programmer but had a programmer write a script for us for a website. The programmer has since disappeared and I was just told that I needed to add a mysql_escape_string or mysql_real_escape_string to the code. The problem is that when we add an apostrophe into the text through an admin panel, the mysql database crashes. I’m just not sure where exactly to enter this string. Thanks for any help you can give.

Derek

You need to do more than that. You are using deprecated mysql. (Obsolete). You need to use PDO or Mysqli. I have provided a PDO database for download to get you started.

http://www.phphelp.com/forum/the-occasional-tutorial/beginners-pdo-bumpstart-code-use-it-now!

Hi, as I wrote, I’m not a programmer, and the mysql database is residing on a server that won’t upgrade their mysql, so I’m not sure this will help.
Thank you for any other thoughts about this.

Derek

Post the code you have.

I think this is what needs to be changed.

<?php
session_start();
if($_SESSION['username'] != "") {
    header('Location: hidden');
}

if($_POST["mode"] == "INSERT") {
    /*
    $thumbnail_image = $_FILES['thumbnail']['name'];
    echo 'File info is ' . $_FILES['thumbnail']['name'] . ' And ' . $_FILES['thumbnail']['tmp_name'];
    print_r($_FILES);
    */
    require("../includes/dbconnect.php");

    $insert_str  = "INSERT INTO mirror_photos ";
    $insert_str .= "(photo_name,figure_1,maker,subject,genre,process,dimensions,date,collection,thumbnail,thumbnail_width,";
    $insert_str .= "thumbnail_height,medium_size,medium_width,medium_height,full_size,full_width,full_height,xl_size,status) ";
    $insert_str .= "VALUES ('" . $_POST['photo_name'] . "',";
    $insert_str .= "'" . $_POST['figure_1'] . "',";
    $insert_str .= "'" . $_POST['maker'] . "',";
    $insert_str .= "'" . $_POST['subject'] . "',";
    $insert_str .= "'" . $_POST['genre'] . "',";
    $insert_str .= "'" . $_POST['process'] . "',";
    $insert_str .= "'" . $_POST['dimensions'] . "',";
    $insert_str .= "'" . $_POST['date'] . "',";
    $insert_str .= "'" . $_POST['collection'] . "',";
    $insert_str .= "'" . $_POST['thumbnail'] . "',";
    $insert_str .= "'" . $_POST['thumbnail_width'] . "',";
    $insert_str .= "'" . $_POST['thumbnail_height'] . "',";
    $insert_str .= "'" . $_POST['medium_size'] . "',";
    $insert_str .= "'" . $_POST['medium_width'] . "',";
    $insert_str .= "'" . $_POST['medium_height'] . "',";
    $insert_str .= "'" . $_POST['full_size'] . "',";
    $insert_str .= "'" . $_POST['full_width'] . "',";
    $insert_str .= "'" . $_POST['full_height'] . "',";
    $insert_str .= "'" . $_POST['xl_size'] . "',";
    $insert_str .= "'ACTIVE')";
    $result = mysql_query($insert_str) or die("Invalid Record: $insert_str " . mysql_error() . "" . $result);

    $new_photo_id = mysql_insert_id();

    $insert_str  = "INSERT INTO factual_commentary (photo_id,commentary_body) VALUES ";
    $insert_str .= "(" . $new_photo_id . ",'" . str_replace("'", "\'", $_POST['factual_commentary']) . "')";
    $result = mysql_query($insert_str) or die("Invalid Record: $insert_str " . mysql_error() . "" . $result);

    if(strlen($_POST["interpretive_commentary_1"]) > 0) {
        $insert_str  = "INSERT INTO interpretive_commentary (photo_id,commentary_body) VALUES ";
        $insert_str .= "(" . $new_photo_id . ",'" . str_replace("'", "\'", $_POST['interpretive_commentary_1']) . "')";
        $result = mysql_query($insert_str) or die("Invalid Record: $insert_str " . mysql_error() . "" . $result);
    }
    if(strlen($_POST["interpretive_commentary_2"]) > 0) {
        $insert_str  = "INSERT INTO interpretive_commentary (photo_id,commentary_body) VALUES ";
        $insert_str .= "(" . $new_photo_id . ",'" . str_replace("'", "\'", $_POST['interpretive_commentary_2']) . "')";
        $result = mysql_query($insert_str) or die("Invalid Record: $insert_str " . mysql_error() . "" . $result);
    }
    if(strlen($_POST["interpretive_commentary_3"]) > 0) {
        $insert_str  = "INSERT INTO interpretive_commentary (photo_id,commentary_body) VALUES ";
        $insert_str .= "(" . $new_photo_id . ",'" . str_replace("'", "\'", $_POST['interpretive_commentary_3']) . "')";
        $result = mysql_query($insert_str) or die("Invalid Record: $insert_str " . mysql_error() . "" . $result);
    }
    if(strlen($_POST["interpretive_commentary_4"]) > 0) {
        $insert_str  = "INSERT INTO interpretive_commentary (photo_id,commentary_body) VALUES ";
        $insert_str .= "(" . $new_photo_id . ",'" . str_replace("'", "\'", $_POST['interpretive_commentary_4']) . "')";
        $result = mysql_query($insert_str) or die("Invalid Record: $insert_str " . mysql_error() . "" . $result);
    }

    header('Location: http://www.mirrorofrace.org/admin/index.php');
}
?>

Mirror Of Race - Administrator

Mirror of Race Administration

New Image Record
<TR><TD>Maker:</TD><TD><INPUT type="text" name="maker" size="20"></TD></TR>
<TR><TD>Subject:</TD><TD><INPUT type="text" name="subject" size="20"></TD></TR>

<TR><TD>Genre:</TD><TD><INPUT type="text" name="genre" size="20"></TD></TR>
<TR><TD>Process:</TD><TD><INPUT type="text" name="process" size="20"></TD></TR>

<TR><TD>Dimensions:</TD><TD><INPUT type="text" name="dimensions" size="20"></TD></TR>
<TR><TD>Date:</TD><TD><INPUT type="text" name="date" size="20"></TD></TR>

<TR><TD>Collection:</TD><TD><INPUT type="text" name="collection" size="20"></TD></TR>

<TR><TD>&nbsp;</TD></TR>

<TR><TD>Thumbnail Image:</TD><TD><INPUT type="text" name="thumbnail" size="20"></TD>
<TD><INPUT TYPE="button" name="thumbnail_button"></TD></TR>
<TR><TD>Thumbnail Width:</TD><TD><INPUT type="text" name="thumbnail_width" size="5"></TD></TR>
<TR><TD>Thumbnail Height:</TD><TD><INPUT type="text" name="thumbnail_height" size="5"></TD></TR>

<TR><TD>&nbsp;</TD></TR>

<TR><TD>Medium Image:</TD><TD><INPUT type="text" name="medium_size" size="20"></TD>
<TD><INPUT TYPE="button" name="medium_button"></TD></TR>
<TR><TD>Medium Width:</TD><TD><INPUT type="text" name="medium_width" size="5"></TD></TR>
<TR><TD>Medium Height:</TD><TD><INPUT type="text" name="medium_height" size="5"></TD></TR>

<TR><TD>&nbsp;</TD></TR>

<TR><TD>Full Image:</TD><TD><INPUT type="text" name="full_size" size="20"></TD>
<TD><INPUT TYPE="button" name="full_button"></TD></TR>
<TR><TD>Full Width:</TD><TD><INPUT type="text" name="full_width" size="5"></TD></TR>
<TR><TD>Full Height:</TD><TD><INPUT type="text" name="full_height" size="5"></TD></TR>

<TR><TD>&nbsp;</TD></TR>

<TR><TD>XL Image:</TD><TD><INPUT type="text" name="xl_size" size="20"></TD></TR>
</table>
Photo Name:
Image:
</TABLE>
Factual Commentary:
Interpretive Commentary #1:
Interpretive Commentary #2:
Interpretive Commentary #3:
Interpretive Commentary #4:

Thank you

Hi, still trying to get help with this issue; if anyone can help I would appreciate it. I was in touch with my server this morning and they say that “PDO and MYSQLi PHP modules they both are provided on all our servers by default”. However, today when adding some info into the admin panel I had an apostrophe in a date, 1860’s, which caused the database to throw an error.

Thanks anyone

You need to change all the queries from mysql_* to mysqli or pdo. And you need to bind all input variables to the query instead of concatenating it directly into the query.

If you are interested in doing this yourself you do need to spend some time learning this (with any programming experience you should get your head around it in a few hours). If you don’t, then you should hire help, as it’s pretty basic security stuff that absolutely should be properly in place.
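To show what "bind the input instead of concatenating it" looks like for the script posted above, here is an added example (not Derek's code and not from the forum's PDO download) that performs the first two inserts with PDO prepared statements. The table and column names come from the posted script; the DSN, credentials and the $input array are constructed placeholders, and $input includes the apostrophe that broke the original query.

```php
<?php
// Added example: the mirror_photos + factual_commentary inserts via PDO.
// DSN/credentials are placeholders; $input stands in for $_POST.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Column list taken from the posted INSERT; status stays fixed to 'ACTIVE'.
$columns = ['photo_name', 'figure_1', 'maker', 'subject', 'genre', 'process',
    'dimensions', 'date', 'collection', 'thumbnail', 'thumbnail_width',
    'thumbnail_height', 'medium_size', 'medium_width', 'medium_height',
    'full_size', 'full_width', 'full_height', 'xl_size'];

// Constructed stand-in for $_POST, with the apostrophe that caused the error.
$input = array_fill_keys($columns, '');
$input['photo_name'] = 'Daguerreotype of a child';
$input['date'] = "1860's";
$input['factual_commentary'] = "Sitter's name unknown; case marked 'J. Gurney'.";

$pdo->beginTransaction();
try {
    // One '?' per column; the SQL text never contains user input.
    $placeholders = implode(',', array_fill(0, count($columns), '?'));
    $sql = 'INSERT INTO mirror_photos (' . implode(',', $columns) . ',status) '
         . "VALUES ($placeholders,'ACTIVE')";
    $stmt = $pdo->prepare($sql);
    // Values are sent separately from the statement, so quotes need no escaping.
    $stmt->execute(array_map(fn($c) => $input[$c], $columns));
    $newPhotoId = (int) $pdo->lastInsertId();

    $stmt = $pdo->prepare(
        'INSERT INTO factual_commentary (photo_id, commentary_body) VALUES (:id, :body)'
    );
    $stmt->execute([':id' => $newPhotoId, ':body' => $input['factual_commentary']]);

    $pdo->commit();
    echo "Inserted photo $newPhotoId\n";
} catch (PDOException $e) {
    $pdo->rollBack();
    // Log the database error server-side instead of echoing the SQL, as the
    // original die() calls do.
    error_log($e->getMessage());
    http_response_code(500);
    echo "Could not save the record.\n";
}
```

The four interpretive_commentary inserts follow the same pattern: prepare the statement once and call execute() with each non-empty commentary body.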

I sent you a private message.
