Larry Ullman's Book Forums

Escaping Apostrophes In A Textarea



I have a form for posting messages to my forum for collecting pithy quotations. If users include an apostrophe, the post fails with an error message. The error handler is named process_post.php. Normally the handler works OK: it displays an error message if the message textarea is empty and it removes all HTML tags; however, an apostrophe such as in he's or one's will trigger an error message.


The process_post.php code is as follows:
<?php
// Start the session.
session_start();
// Include the login functions to check for errors
require ('login_functions.php');
// If users are not logged in, redirect them
if (!isset($_SESSION['member_id'])) { load('login.php'); }
// Has the form been submitted?
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    require ('mysqli_connect.php');
    // Check that the user has entered a message (the subject check is commented out as it is supplied by a drop-down selection).
    // if (empty($_POST['subject'])) { echo '<p>You forgot to enter a subject.</p>'; }
    if (empty($_POST['message'])) { echo '<p>You forgot to enter a message.</p>'; }
    if (!empty($_POST['message'])) {
        $message = mysqli_real_escape_string($dbcon, strip_tags(trim($_POST['message'])));
    }
    // If successful insert the post into the database table
    // Make the insert query
    $q = "INSERT INTO forum(uname, subject, message, post_date)
          VALUES ('{$_SESSION['uname']}', '{$_POST['subject']}','{$_POST['message']}',NOW() )";
    $result = mysqli_query($dbcon, $q);
    // If it fails display error message
    if (mysqli_affected_rows($dbcon) != 1) { echo '<p>Error</p>' . mysqli_error($dbcon); } else { load('forum.php'); }
    // Close the database connection
    mysqli_close($dbcon);
}
// Create a link back to the forum page.
echo '<p><a href="forum.php">Forum</a></p>';
include ('includes/footer.php');
?>
Please can you tell me how I can tweak the process_post.php file so that apostrophes are escaped.
(no JavaScript please)

The relevant bit of code in the post.php page is as follows:
<?php // The form for posting messages
include ( 'includes/header_post.php' ) ;
echo '<h2>Post a Quotation</h2>';
require ('process_post.php');
// Display the form fields
echo '<form action="process_post.php" method="post" accept-charset="utf-8">
<p>Choose the Subject: <select name="subject">
<option value="Comical Quotes">Comical Quotes</option>
<option value="Wise Quotes">Wise Quotes</option>
</select></p>
<p>Message:<br><textarea name="message" rows="5" cols="50"></textarea></p>
<p><input name="submit" type="submit" value="Post"></p></form>';
include ( 'includes/footer.php' ) ;
?>


You will want to apply stripslashes() before running the data through mysqli_real_escape_string.

$message = mysqli_real_escape_string($dbcon, stripslashes(strip_tags(trim($_POST['message']))));

Your query is currently inserting the message directly from the global $_POST; I think you want to change your query to

$q = "INSERT INTO forum(uname, subject, message, post_date)
      VALUES ('{$_SESSION['uname']}', '{$_POST['subject']}','$message',NOW() )";

If the apostrophes are still being escaped, check whether magic quotes is enabled.

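The root cause in the thread is that the query string is built by interpolating user input, which is why an apostrophe can end the SQL string literal early. As an added example (not the poster's or Margaux's code), the same INSERT done with a mysqli prepared statement, which removes the need for mysqli_real_escape_string() altogether. It assumes $dbcon is the mysqli connection from mysqli_connect.php, load() is the redirect helper from login_functions.php, and the forum table has the columns used in the thread.

```php
<?php
// Added example: the thread's INSERT done with a prepared statement.
// Bound parameter values travel separately from the SQL text, so an
// apostrophe in "he's" cannot terminate the string literal.
// Assumptions: $dbcon comes from mysqli_connect.php, load() from
// login_functions.php, and the forum table matches the thread.

function insert_post(mysqli $dbcon, $uname, $subject, $message)
{
    // Only accept the subjects the drop-down actually offers; a client can
    // send any value, so the list is checked server-side.
    $allowed_subjects = array('Comical Quotes', 'Wise Quotes');
    if (!in_array($subject, $allowed_subjects, true)) {
        return 'Invalid subject.';
    }
    $message = trim(strip_tags($message));
    if ($message === '') {
        return 'You forgot to enter a message.';
    }

    // Placeholders instead of interpolated values.
    $q = 'INSERT INTO forum (uname, subject, message, post_date) VALUES (?, ?, ?, NOW())';
    $stmt = mysqli_prepare($dbcon, $q);
    if ($stmt === false) {
        return 'Error: ' . mysqli_error($dbcon);
    }
    // 'sss' = three string parameters, bound in placeholder order.
    mysqli_stmt_bind_param($stmt, 'sss', $uname, $subject, $message);
    $ok  = mysqli_stmt_execute($stmt) && mysqli_stmt_affected_rows($stmt) == 1;
    $err = $ok ? null : 'Error: ' . mysqli_stmt_error($stmt);
    mysqli_stmt_close($stmt);
    return $err; // null means the row was inserted
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $subject = isset($_POST['subject']) ? $_POST['subject'] : '';
    $body    = isset($_POST['message']) ? $_POST['message'] : '';
    $err = insert_post($dbcon, $_SESSION['uname'], $subject, $body);
    if ($err === null) {
        load('forum.php');
    } else {
        // Escape on output as well, so the error text cannot carry HTML.
        echo '<p>' . htmlspecialchars($err, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```

With placeholders the message is stored exactly as typed (apostrophes included), so nothing needs to be unescaped when it is displayed later.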

Many thanks Margaux, your solution solved the problem, although stripslashes resulted in an error message. When that was removed the query worked well. I think that was because the most recent versions of MySQL and PHP have deprecated it, as it is now included in the function mysqli_real_escape_string.

 

Is there a way of including in my code a filter for removing website URLs? Sometimes malevolent persons enter the URL for a dodgy website.

The working version of my query is currently as follows:

if (!empty($_POST['message'])) {
    $message = mysqli_real_escape_string($dbcon, strip_tags(trim($_POST['message'])));
}
// If successful insert the post into the database table
if (!empty($_POST['subject']) && !empty($_POST['message'])) {
    // Make the insert query
    $q = "INSERT INTO forum(uname, subject, message, post_date)
          VALUES ('{$_SESSION['uname']}', '{$_POST['subject']}','$message',NOW() )";
    $result = mysqli_query($dbcon, $q);
}


Thank you Hartley San

I looked at the link you suggested but the solutions were too advanced for me.
I was thinking of a simplistic sledgehammer approach, something like this:

I would state clearly on the posting form that entering URLs in the message textarea is not permitted and that entering a URL will cause the script to stop and load a page containing an error message.
That approach means that anyone ignoring the instruction is up to no good.
In other words I don't really want to clean up the message, I want to reject the whole message and quit the script.

I was thinking along the lines of using something like this:


header("Location: errorpage.html");
exit;

However, I am not sure how to fit this into my code in the file process_post.php which is given in my last message.

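One way to do the reject-and-redirect the last post describes, as an added example that is not the poster's code: a small check that runs inside the POST branch of process_post.php before anything is inserted. It assumes errorpage.html exists next to the script, and that the check runs before any HTML has been sent, since header() cannot redirect once output has started (in the post.php shown above the header include and the echo come first).

```php
<?php
// Added example: refuse any message that carries a web address and send
// the user to an error page instead of inserting the post.
// Assumes this runs inside the POST branch of process_post.php, before the
// INSERT and before any output, and that errorpage.html exists.

// Returns true when $text looks like it contains a URL: a scheme such as
// http:// or https://, a bare www. host, or a host name ending in one of
// the common top-level domains listed below.
function contains_url($text)
{
    $patterns = array(
        '~\b[a-z][a-z0-9+.-]*://~i',                        // http://, https://, ftp://
        '~\bwww\.[a-z0-9-]+\.[a-z]{2,}~i',                   // www.example.com
        '~\b[a-z0-9-]+(\.[a-z0-9-]+)*\.(com|net|org|info|biz|co\.uk)\b~i', // example.co.uk
    );
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $text)) {
            return true;
        }
    }
    return false;
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // Check the raw text, before strip_tags(), so an address hidden inside
    // an <a href="..."> tag is caught as well.
    if (!empty($_POST['message']) && contains_url($_POST['message'])) {
        header('Location: errorpage.html');
        exit; // nothing below this line runs, so no INSERT happens
    }
    // ... the existing validation and INSERT code follows here ...
}
```

A pattern list like this is deliberately simple; it will miss obfuscated addresses (spaces around the dots, for instance), so it complements rather than replaces the escaping or prepared statement on the INSERT.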
