stripslashes


#1

stripslashes was working just fine till the server upgraded from PHP 5.2 to 5.4. When I add an apostrophe in the field named “Salary” so for an example O’Brien, this is the message sent back to the browser:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's', ']')' at line 3

Here is my PHP below. I’m completely stumped. I hope somebody can help.

The first script is the input page and the 2nd script is the output where I get the error message

[php]<?
//start a session
session_start();

//validate user to see if they are allowed to be here
if ($_SESSION[valid] != "yes") {
	header("Location: http://www.localhost/orion/contact_menu.php");
	exit;
}
?> 
<html>

<head>
<title>Yacht Job Orders Management System</title>
</head>
<body>
<h1>Yacht Job Orders Management System</h1>
<h2><em>Add a Yacht</em></h2>
<form method="post" action="do_addcontact4.php">
<table cellspacing=3 cellpadding=3>
<tr>
<td valign=top>

		
<table cellspacing=3 cellpadding=5 id="table1">
<tr>
<th>POSITION INFO</th>
<th>CONTACT INFO</th>
</tr>
<tr>
<td valign=top>
<strong>Position Needed:</strong><br>
<input type="text" name="position" size=35 maxlength=50>
<p><strong>Salary:</strong><br>
<input type="text" name="salary" size=35 maxlength=10></p>

<p><strong>Start Date:</strong><br>
<input type="text" name="startdate" size=35 maxlength=10><br>
<i><font size="2">The above field must be filled out <br>in the following format: YYYY-MM-DD</br></font></i></p>

</td>
</tr>
</table>

[/php]
And here’s the 2nd script where there is echo stripslashes:

[php]<?
$db_name = "database";
$table_name = "new_joborders";
$connection = @mysql_connect("localhost", "database", "password")

or die(mysql_error());

$db = @mysql_select_db($db_name, $connection) or die(mysql_error());
$sql = "INSERT INTO $table_name
(id, position, salary, startdate) VALUES
('', '$_POST[position]', '$_POST[salary]', '$_POST[startdate]]')";
$result = @mysql_query($sql,$connection) or die(mysql_error());
?>

Yacht Job Orders Management System: Contact Added

Yacht Job Orders Management System

Add a Contact - Yacht Added

The following information was successfully added to database

POSITION INFO CONTACT INFO
Position Needed:
<? echo stripslashes($_POST[position]); ?> Salary:
<? echo "$_POST[salary]"; ?>

Start Date:
<? echo "$_POST[startdate]"; ?>
YYYY-DD-MM

[/php]

#2


#3

Are you aware 5.4 is 6 years old? I’d highly recommend updating to a newer PHP version.

[php]<?[/php]
Short tags are no longer supported (shorthand echoes still work)

[php] $connection = @mysql_connect(“localhost”, “database”, “password”)[/php]
Ignoring (silencing with @) errors is very bad practice. The mysql_* functions have been removed from newer PHP versions. They were replaced by PDO and MySQLi 12-13 years ago. Both offer a real way to avoid SQL injection attacks with prepared and parameterized queries. No more escaping strings! You should definitely change!

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's', ']')' at line 3

This will no longer be an issue if you use prepared/parameterized queries as your queries will no longer be a jumbled mess of quotes.

[hr]

Your code is vulnerable to sql injection and xss hacks. I’d highly advise doing some work with this as I assume it’s a live site/system.


#4

So are you saying I should use <?php instead of just <?

Also, should I have my SQL connection in an includes directory? Thanks so much for your help. Also, I still don’t understand why a simple stripslashes function in my echo statement doesn’t escape the apostrophe as it did before in this simple code below

[code]Position Needed:

<? echo stripslashes($_POST[position]); ?>[/code]

#5

stripslashes shouldn’t be used anyway. Parameterized statements are what you want to use. stripslashes does what it says as well: it removes slashes, it does not add them.


#6

I’ll certainly read up on it, but is there any way you can give me an example implementing my script?

#7

[url=http://php.net/manual/en/function.htmlentities.php]htmlentities()[/url] is what you want when printing user provided data.
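Putting posts #3, #5 and #7 together, here is the second script (do_addcontact4.php) rewritten as an added example; it is not code from the original poster or from anyone in the thread. It keeps the connection details, table and column names from the posted script, assumes PHP 7 or later (for the `??` operator) and an auto-increment `id` column in `new_joborders` so that column is left out of the INSERT, and replaces the interpolated mysql_query() string with a PDO prepared statement and the stripslashes() echo with htmlspecialchars(). The reason stripslashes() seemed to work on 5.2 is worth knowing: magic_quotes_gpc, which PHP 5.4 removed, ran addslashes() over every request value, so the apostrophe arrived already backslash-escaped for the query and stripslashes() only tidied the display copy. On 5.4 the raw apostrophe goes straight into the SQL string, which is the error in the first post.

```php
<?php
// Added example (not the original poster's code): do_addcontact4.php rewritten
// with a PDO prepared statement for the INSERT and htmlspecialchars() for output.
// Assumptions: MySQL on localhost, database "database", user "database",
// password "password" (all taken from the posted script); the table
// new_joborders has an auto-increment id column, so id is omitted below.
declare(strict_types=1);

session_start();

// Same gate as the input page: only logged-in users may add records.
if (($_SESSION['valid'] ?? '') !== 'yes') {
    header('Location: http://www.localhost/orion/contact_menu.php');
    exit;
}

// No @ suppression: PDO is told to throw an exception on any error,
// so a failed connection or query is never silently ignored.
$pdo = new PDO(
    'mysql:host=localhost;dbname=database;charset=utf8mb4',
    'database',
    'password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Read each field once; a missing field becomes an empty string.
$position  = (string) ($_POST['position']  ?? '');
$salary    = (string) ($_POST['salary']    ?? '');
$startdate = (string) ($_POST['startdate'] ?? '');

// The input page promises YYYY-MM-DD; reject anything else before the DB sees it.
if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $startdate)) {
    http_response_code(400);
    exit('Start Date must be in the format YYYY-MM-DD');
}

// Placeholders instead of "$_POST[...]" inside the SQL string: the values are
// sent separately from the statement, so an apostrophe in O'Brien is data,
// never part of the query syntax. No escaping, no stripslashes().
$stmt = $pdo->prepare(
    'INSERT INTO new_joborders (position, salary, startdate) VALUES (?, ?, ?)'
);
$stmt->execute([$position, $salary, $startdate]);

// Escape on the way out, for HTML. stripslashes() is not an output filter;
// htmlspecialchars() turns ' into &#039; and < into &lt; so the browser
// renders the value as text instead of markup.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
?>
<!DOCTYPE html>
<html>
<head><title>Yacht Job Orders Management System: Contact Added</title></head>
<body>
<h1>Yacht Job Orders Management System</h1>
<h2>Add a Contact - Yacht Added</h2>
<p>The following information was successfully added to database</p>
<p><strong>Position Needed:</strong><br><?= e($position) ?></p>
<p><strong>Salary:</strong><br><?= e($salary) ?></p>
<p><strong>Start Date:</strong><br><?= e($startdate) ?></p>
</body>
</html>
```

With the placeholders in place, a Salary value of O'Brien, or of `'); DROP TABLE new_joborders; --`, is stored as exactly that string and the query never fails to parse; on the way back out, htmlspecialchars() turns the apostrophe into `&#039;` so it cannot break out of the page either. The full `<?php` open tag is used throughout, and the `<?=` echo shorthand is the one short form that stays enabled regardless of the short_open_tag setting.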