es131245 Posted July 7, 2009 (edited)

I'm learning MySQL, so I've made a database with a 'test' table. My PHP page (for web browser) has 4 tables for practising:
First table is 'INSERT'; it has 4 rows and a submit button called '+'. It INSERTs data into the table.
Second is the 'Get' table, for getting info out from the table.
3rd is a table which shows the whole database 'test' table.
4th is the 'Get' table which I use for searching results.

The problem is in symbols. The database stores data fine, but when I 'INSERT' any of those symbols strange stuff appears:
' " \
For example: when I INSERT any of those symbols after index.php?act=test I get other ones:
for ' I get \' and \\'
for " I get \ and then \\
and for \ I get \\ and then \\\\ and so on....
The database stores \ as a NULL value, but when I search for \ I get rows where value=NULL, but I've inserted a \ value...
What's going on?

if ($_GET["act"]=="test")
{
    // Form 1: INSERT a new row (fields L, N, P, E)
    echo "<form action=\"index.php?act=test\" method=\"post\">
<table border=\"1\" cellpadding=\"2\" cellspacing=\"0\" align=\"center\" style=\"border:1px solid green; border-collapse:collapse; text-align:center;\">
<tr><td width=\"80%\">L<input type=\"text\" name=\"L\"></td></tr>
<tr><td>N<input type=\"text\" name=\"N\"></td></tr>
<tr><td>P<input type=\"text\" name=\"P\"></td></tr>
<tr><td>E<input type=\"text\" name=\"E\"></td></tr>
<tr><td><center><input type=\"submit\" value=\"+\"></center></td></tr>
</table></form>";
    // Form 2: search ("GET") by one column; the submitted values are echoed back into the fields
    echo "<form action=\"index.php?act=test\" method=\"post\">
<table border=\"1\" cellpadding=\"2\" cellspacing=\"0\" align=\"center\" style=\"border:1px solid green; border-collapse:collapse; text-align:center;\">
<tr><td width=\"80%\">ID<input type=\"text\" name=\"ID\" value=\"$_POST[ID]\"></td></tr>
<tr><td>LG<input type=\"text\" name=\"LG\" value=\"$_POST[LG]\"></td></tr>
<tr><td>NK<input type=\"text\" name=\"NK\" value=\"$_POST[NK]\"></td></tr>
<tr><td>PS<input type=\"text\" name=\"PS\" value=\"$_POST[PS]\"></td></tr>
<tr><td>EM<input type=\"text\" name=\"EM\" value=\"$_POST[EM]\"></td></tr>
<tr><td><center><input type=\"submit\" value=\"GET\"></center></td></tr>
</table></form>";
}

$sql_c=mysql_connect("localhost","####","####") or die($sql_c_die);
$sql_s=mysql_select_db("DB",$sql_c) or die($sql_s_die);

// INSERT: the $_POST values are placed directly into the SQL string
if ($_POST["L"]!="")
{
    $mysql_insert="INSERT INTO test (login,nick,psw,email) Values ('$_POST[L]','$_POST[N]','$_POST[P]','$_POST[E]');";
    mysql_query($mysql_insert,$sql_c);
}

// Show the whole 'test' table
echo "<h3>Test</h3>";
echo "<table width=\"95%\" border=\"1\" style=\"text-align:center;\">";
echo "<tr><td>ID</td><td>LOGIN</td><td>NICK</td><td>PSW</td><td>EMAIL</td></tr>";
$query=mysql_query("SELECT * FROM test WHERE login LIKE '%';");
while ($a_row=mysql_fetch_array($query))
{
    echo "<tr>\n";
    echo "<td>".stripslashes($a_row['id'])."</td>";
    echo "<td>".stripslashes($a_row['login'])."</td>";
    echo "<td>".stripslashes($a_row['nick'])."</td>";
    echo "<td>".stripslashes($a_row['psw'])."</td>";
    echo "<td>".stripslashes($a_row['email'])."</td>";
    echo "</tr>";
}
echo "</table>\n";

// Search: pick the column ($CN) and the value ($WAR) from whichever field was filled in
if ($_POST["ID"]){$WAR=$_POST["ID"]; $CN="id";}
if ($_POST["LG"]){$WAR=$_POST["LG"]; $CN="login";}
if ($_POST["NK"]){$WAR=$_POST["NK"]; $CN="nick";}
if ($_POST["PS"]){$WAR=$_POST["PS"]; $CN="psw";}
if ($_POST["EM"]){$WAR=$_POST["EM"]; $CN="email";}
$xrow=mysql_query("SELECT * FROM test WHERE $CN='$WAR';");
if ($xrow)
{
    echo "<table width=\"95%\" border=\"1\" style=\"text-align:center;\"><tr><td>ID</td><td>LOGIN</td><td>NICK</td><td>PSW</td><td>EMAIL</td></tr>";
    while($zrow=mysql_fetch_array($xrow))
    {
        echo "<tr><td>".stripslashes($zrow['id'])."</td><td>".stripslashes($zrow['login'])."</td><td>".stripslashes($zrow['nick'])."</td><td>".stripslashes($zrow['psw'])."</td><td>".stripslashes($zrow['email'])."</td></tr>";
    }
    echo "</table>";
    $xrow=mysql_query("SELECT * FROM test WHERE $CN='$WAR';");
    while($zrow=mysql_fetch_array($xrow))
    {
        print stripslashes($zrow['id']);
    }
}
mysql_close($sql_c);

Edited July 7, 2009 by es131245

justsomeguy Posted July 7, 2009

Don't use values directly from $_POST or $_GET in SQL statements; among other things, it's a security problem. When you get things from $_POST, first check if magic quotes is enabled and, if so, strip slashes from the input. Then use mysql_real_escape_string to escape the characters that need to be escaped in the query. That will insert the data correctly.

http://www.php.net/manual/en/function.get-...-quotes-gpc.php
http://www.php.net/manual/en/function.mysq...cape-string.php
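
The steps from the reply above, applied to the INSERT and search queries from the question, as an added example that is not code from either poster. It assumes PHP 5 with the legacy mysql extension used in the thread; request_value() and sql_literal() are hypothetical helper names, and the connection values are placeholders.

```php
<?php
// Added example. Assumes PHP 5 with the legacy mysql extension, as in the thread.
// request_value() and sql_literal() are hypothetical helper names.

// Step 1: undo magic quotes so the value is exactly what the user typed.
function request_value($key) {
    if (!isset($_POST[$key])) {
        return '';
    }
    $value = $_POST[$key];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Step 2: escape exactly once, for the query, on the open connection.
function sql_literal($value, $link) {
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// Placeholder connection values.
$link = mysql_connect('localhost', 'USER', 'PASSWORD') or die('connect failed');
mysql_select_db('DB', $link) or die('select_db failed');

if (request_value('L') !== '') {
    $insert = 'INSERT INTO test (login, nick, psw, email) VALUES ('
        . sql_literal(request_value('L'), $link) . ', '
        . sql_literal(request_value('N'), $link) . ', '
        . sql_literal(request_value('P'), $link) . ', '
        . sql_literal(request_value('E'), $link) . ')';
    mysql_query($insert, $link) or die(mysql_error($link));
}

// Search: the column name comes from a fixed map, never from the request.
$columns = array('ID' => 'id', 'LG' => 'login', 'NK' => 'nick', 'PS' => 'psw', 'EM' => 'email');
foreach ($columns as $field => $column) {
    if (request_value($field) === '') {
        continue;
    }
    $sql = "SELECT * FROM test WHERE $column = " . sql_literal(request_value($field), $link);
    $result = mysql_query($sql, $link) or die(mysql_error($link));
    while ($row = mysql_fetch_assoc($result)) {
        // Stored values carry no extra slashes, so no stripslashes() on output;
        // htmlspecialchars() keeps ' " < > from breaking the page markup.
        echo htmlspecialchars($row['login']), "<br>\n";
    }
}
mysql_close($link);
```

With the input normalised first, a submitted \ reaches the table as a single \ and a search for \ matches it, because the value is escaped only once on its way into the query.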