clean_string function too aggressive

I have a clean_string function being applied to text entries in my application, but I fear it is being too aggressive. Submitting text with single or double quotes to the database results in it printing out odd characters.

clean_string function

```php
<?php
/*
ini_set('display_errors', 1);
error_reporting(E_ALL);
*/
function clean_string($string) {
    $string = trim($string);
    $string = utf8_decode($string);
    $string = str_replace("#", "&#35", $string);
    $string = str_replace("%", "&#37", $string);
    if (mysql_real_escape_string($string)) {
        $string = mysql_real_escape_string($string);
    }
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return htmlentities($string);
}
?>
```

Entering text such as "Hello" or 'world' into text fields results in the following:

[Screenshot: https://i.stack.imgur.com/bhfbN.png (alt text: "Aggressive clean_string")]

The clean_string function is being called as follows:

```php
//Clean
if ($submit == 'Submit') {
    $submit = clean_string($_POST['submit']);
    require_once("db_connect.php");
    $watchlist_name = clean_string($_POST['watchlist-name']);
    $watchlist_description = clean_string($_POST['watchlist-description']);
    $watchlist_category = $_POST['watchlist-category'];
    $existing_watchlist_name = clean_string($_POST['existing-watchlist']);
    $addWatchlist_bad_message = '';
    $addWatchlist_good_message = '';
    if ($db_server) {
        // Add new Watchlist
        if (!empty($watchlist_name)) {
            $watchlist_name = clean_string($watchlist_name);
            $watchlist_description = clean_string($watchlist_description);
            mysql_select_db($db_database);
            // Create new Watchlist
            $insert_new_watchlist = "INSERT INTO watchlists (user_id, name, description, category) VALUES ('$user_id', '$watchlist_name', '$watchlist_description', '$watchlist_category')";
            mysql_query($insert_new_watchlist) or die("Insert failed. " . mysql_error() . "<br />" . $insert_new_watchlist);
            // Insert film into new Watchlist
            $add_new_film = "INSERT INTO watchlist_films (watchlist_id, film_id) VALUES (" . mysql_insert_id() . ", '$rt_id')";
            mysql_query($add_new_film) or die("Insert failed. " . mysql_error() . "<br />" . $add_new_film);
            $addWatchlist_good_message = '<div class="alert alert-success">Watchlist created successfully, and film added!</div>';?>
            <script>
            $('a.add-watchlist').trigger('click');
            </script><?php
        } else if (!empty($existing_watchlist_name)) {
            mysql_select_db($db_database);
            // Select existing Watchlist
            $existing_watchlist_select = "SELECT watchlist_id FROM watchlists WHERE name = '$existing_watchlist_name'";
            $existing_watchlist_select_result = mysql_query($existing_watchlist_select);
            $existing_watchlist_id = mysql_result($existing_watchlist_select_result, 0);
            // Add film to existing Watchlist
            $insert_into_existing = "INSERT INTO watchlist_films (watchlist_id, film_id) VALUES ('$existing_watchlist_id', '$rt_id')";
            mysql_query($insert_into_existing) or die("Insert failed. " . mysql_error() . "<br />" . $insert_into_existing);
            $addWatchlist_good_message = '<div class="alert alert-success">Film successfully added to existing Watchlist!</div>';?>
            <script>
            $('a.add-watchlist').trigger('click');
            </script><?php
        }
    } else {
        $addWatchlist_bad_message = '<div class="alert alert-error">Error: could not connect to the database.</div>';?>
        <script>
        $('a.add-watchlist').trigger('click');
        </script><?php
    }
    require_once("db_close.php");
}
```
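The posted clean_string() escapes one value for two different contexts at once: mysql_real_escape_string() adds a backslash before every quote for the SQL statement, and htmlentities() then encodes the quote itself for HTML, so what reaches the database is neither the original text nor something MySQL will unescape cleanly (the stripslashes() call, which runs after the SQL escape when magic quotes are on, reverses that escape as well). The "#" and "%" replacements produce entities with no terminating ";" whose "&" is then encoded again by htmlentities(). Separately, utf8_decode() converts the input to ISO-8859-1 while htmlentities() assumes UTF-8 by default since PHP 5.4, so non-ASCII input is mangled too. The example below is added here and is not code from the original post: it reproduces the transformation with addslashes() standing in for mysql_real_escape_string() (the mysql_* extension is gone in PHP 7 and needs a live connection anyway), then shows the fix a security reviewer would ask for: store the raw text through a prepared statement, and HTML-encode only when rendering. It assumes PHP 8 with the pdo_sqlite extension; the in-memory database and the trimmed-down watchlists table are constructed for illustration. Note also that in the posted calling code $watchlist_category is interpolated into the INSERT with no escaping at all; with bound parameters that field is handled the same way as the others.

```php
<?php
// Added example (not from the original post). Demonstrates why escaping a value
// for SQL and for HTML in one pass corrupts it, and the context-separated
// alternative: prepared statements for the database, htmlspecialchars() at output.
// Assumes PHP 8 with the pdo_sqlite extension. The database, table and sample
// inputs below are constructed for this example.

declare(strict_types=1);

// Stand-in for the posted clean_string(). addslashes() plays the role of
// mysql_real_escape_string() (both turn ' into \' and " into \"). Flags are
// passed to htmlentities() explicitly because its default changed in PHP 8.1;
// the double-encoding problem is the same either way.
function legacy_clean_string(string $string): string
{
    $string = trim($string);
    $string = str_replace('#', '&#35', $string); // no trailing ';' - a following digit is swallowed into the entity
    $string = str_replace('%', '&#37', $string);
    $string = addslashes($string);               // SQL-style escaping: ' -> \'  " -> \"
    return htmlentities($string, ENT_QUOTES);    // HTML encoding applied on top of the SQL escaping
}

// Hardened path: no escaping here at all. The value is bound as a parameter,
// so the driver sends it separately from the SQL text and quotes in it cannot
// alter the statement. The category field gets the same treatment.
function create_watchlist(PDO $db, int $userId, string $name, string $description, string $category): int
{
    $stmt = $db->prepare(
        'INSERT INTO watchlists (user_id, name, description, category)
         VALUES (:user_id, :name, :description, :category)'
    );
    $stmt->execute([
        ':user_id'     => $userId,
        ':name'        => trim($name),
        ':description' => trim($description),
        ':category'    => trim($category),
    ]);
    return (int) $db->lastInsertId();
}

function load_watchlist(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT name, description, category FROM watchlists WHERE watchlist_id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? [] : $row;
}

// Lookup by name, as the "existing watchlist" branch of the posted code does.
function find_watchlist_id(PDO $db, string $name): ?int
{
    $stmt = $db->prepare('SELECT watchlist_id FROM watchlists WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// The only place HTML encoding belongs: when a stored value is written into a page.
function render(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE watchlists (
    watchlist_id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id      INTEGER NOT NULL,
    name         TEXT    NOT NULL,
    description  TEXT    NOT NULL,
    category     TEXT    NOT NULL
)');

// Constructed sample input of the kind the question describes.
$name        = "Say \"Hello\" to 'world'";
$description = "100% #1 pick";
$category    = "horror' OR '1'='1";   // an injection attempt, to show it is stored as plain data

// 1. What the posted function turns the input into before it reaches the database.
echo "legacy name:        ", legacy_clean_string($name), "\n";
echo "legacy description: ", legacy_clean_string($description), "\n";

// 2. Stored untouched through prepared statements, encoded only when rendered.
$id  = create_watchlist($db, 42, $name, $description, $category);
$row = load_watchlist($db, $id);
echo "stored name:        ", $row['name'], "\n";
echo "stored category:    ", $row['category'], "\n";
echo "rendered name:      ", render($row['name']), "\n";

// 3. The quoted name can still be looked up, because nothing was mangled on the way in.
var_dump(find_watchlist_id($db, $name) === $id);
```

Running it shows the legacy path turning each quote into a backslash followed by the HTML entity for that quote, and "#1" into "&amp;#351" (before htmlentities() it was "&#351", which a lenient HTML parser reads as the numeric reference for ş; either way the user's "#1" is gone). The prepared-statement path stores the name, description and the injection-shaped category byte for byte as entered, the lookup by name succeeds, and the quotes only become entities in the output of render(). Encoding at the output boundary also means the same stored value can later be emitted into JSON, a CSV export or a plain-text email with the encoding appropriate to that context instead of carrying HTML entities into all of them.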