i know it sucks. can anyone help me.
im actually trying to let th apostrophe be okay heres the code its not working.
some mysql syntax shizz that ive googled this and all the answers i cannot understand anyone care to explain it to me or atleast tell me what to put. pleaaaaaaase.

$height = preg_replace("/[^a-z,. \'\-\d]/i", "", $height);

is not working....
so what do i do?

If you want to add the apostrophe then try this:

preg_replace("/[^`a-z,. \'\-\d]/i", "", $height)

Well what seems to be the problem because when I try the following code the apostrophie is allowed:

<?
$height='aA1`';
echo preg_replace("/[^`a-z,. \'\-\d]/i", "", $height);
?>

Two other options are as follows:

$height='aA1`';
echo preg_replace("/[^\`a-z,. \'\-\d]/i", "", $height);
$height='aA1`';
$height=str_replace(array('?','`'),array('','?'),$height);
$height=preg_replace("/[^\?a-z,. \'\-\d]/i", "", $height);
echo str_replace('?','`',$height);

ok. it started to work for me for some reason... BUT. if i allow apostrophes...
i get a mysql syntax error if i enter an apostrophe in the form
i dont understand do i have to add slashes or something ? cause theres an error on line one.. blah blah but it starts right where the apostrophe is inserted into the database... it doesnt work cause of the syntax error.
the apostrophe is bad to let people use OR do i have to do something like add slashes to let the apostophe work and not disrupt the rest of the strings ect...

Probably because your not using the mysql_real_escape_string() function to escape your mysql strings. For security reasons you should allways escape mysql query's. Below is an example:

$height='aA1`';
$value=preg_replace("/[^\`a-z,. \'\-\d]/i", "", $height);
$value=mysql_real_escape_string($value);
mysql_query("INSERT INTO `table` SET `column`='$value'") or die(mysql_error());

Probably because your not using the mysql_real_escape_string() function to escape your mysql strings. For security reasons you should allways escape mysql query's. Below is an example:

$height='aA1`';
$value=preg_replace("/[^\`a-z,. \'\-\d]/i", "", $height);
$value=mysql_real_escape_string($value);
mysql_query("INSERT INTO `table` SET `column`='$value'") or die(mysql_error());

ok i am using mysql real escape strunng function im using it but i did it before the preg replace. so its supposed to go after and then itwill work?

The mysql_real_escape_string() will need to be the last change to the variable before entering the mysql query because it adds some slashes before characters such as the apostrophie, quotation marks etc. So when the mysql_real_escape_string() is used then that variable generally can then only be used in a mysql query and nothing more and it is important that you use mysql_real_escape_string() all the time for security and debugging reasons.

The mysql_real_escape_string() will need to be the last change to the variable before entering the mysql query because it adds some slashes before characters such as the apostrophie, quotation marks etc. So when the mysql_real_escape_string() is used then that variable generally can then only be used in a mysql query and nothing more and it is important that you use mysql_real_escape_string() all the time for security and debugging reasons.

thank you. should i even allow " quotation marks? or is that taking a big risk?

thank you. should i even allow " quotation marks? or is that taking a big risk?

Well in my opinion, the following script shows the best practise for stopping hackers from getting into your database as I have made an unbeatable function.

function sqlencrypt($var) {
    return mysql_real_escape_string(htmlentities($var, ENT_QUOTES));
    }
$height='aA1`';
mysql_query('INSERT INTO `table` SET `column`="'.sqlencrypt($height).'"');

And as for the question about what characters should be allowed, well generally all characters should be allowed into the database but is best if you convert quotes and < > tags. The < > tags are converted so that when you display the mysql query, no malicious code can be executed and instead the raw code will be displayed. Also the reason why convert the quotes - that is because then if the mysql_real_escape_string() function fails to escape there is no way the user can extend the mysql query. You may have also noticed that I used single quotes through the entire script instead of double quotes. That is because single quotes are believed to be slightly faster by a few microseconds and when so many are used the time of execution adds up. The main difference between single quotes and double quotes are that double quotes can contain "$var" and "\n\r" where as single quotes will display those literal characters instead of what they represent. So it is best to use single quotes when possible.

Well in my opinion, the following script shows the best practise for stopping hackers from getting into your database as I have made an unbeatable function.

function sqlencrypt($var) {
    return mysql_real_escape_string(htmlentities($var, ENT_QUOTES));
    }
$height='aA1`';
mysql_query('INSERT INTO `table` SET `column`="'.sqlencrypt($height).'"');

And as for the question about what characters should be allowed, well generally all characters should be allowed into the database but is best if you convert quotes and < > tags. The < > tags are converted so that when you display the mysql query, no malicious code can be executed and instead the raw code will be displayed. Also the reason why convert the quotes - that is because then if the mysql_real_escape_string() function fails to escape there is no way the user can extend the mysql query. You may have also noticed that I used single quotes through the entire script instead of double quotes. That is because single quotes are believed to be slightly faster by a few microseconds and when so many are used the time of execution adds up. The main difference between single quotes and double quotes are that double quotes can contain "$var" and "\n\r" where as single quotes will display those literal characters instead of what they represent. So it is best to use single quotes when possible.

nice function but what is the Aa1 thing? and what is converting "quotes and <> things how do u convert? i dont understand

The Aa1` thing is just random data to be inserted.
Also the htmlentities($var, ENT_QUOTES) converts the quotes and < > tags. All of the conversion techniques I have placed into a custom function called sqlencrypt which returns the result. And the best performance usage I have specified in the previous post.

The Aa1` thing is just random data to be inserted.
Also the htmlentities($var, ENT_QUOTES) converts the quotes and < > tags. All of the conversion techniques I have placed into a custom function called sqlencrypt which returns the result. And the best performance usage I have specified in the previous post.

wait so i dont have to change the Aa1 part or anything i can just sticking the variable?

Well the only real changes to be made in the script is the variable $height and what is in the mysql query. So that you can compare, below is another example of the same type thing:

function sqlencrypt($var) {
    return mysql_real_escape_string(htmlentities($var, ENT_QUOTES));
    }
$variable='This is a test.';
mysql_query('SELECT * FROM `stringtable` WHERE `string`="'.sqlencrypt($variable).'"');

Well the only real changes to be made in the script is the variable $height and what is in the mysql query. So that you can compare, below is another example of the same type thing:

function sqlencrypt($var) {
    return mysql_real_escape_string(htmlentities($var, ENT_QUOTES));
    }
$variable='This is a test.';
mysql_query('SELECT * FROM `stringtable` WHERE `string`="'.sqlencrypt($variable).'"');

oh ok so i wouldnt define the caribale like that id use $_POST[varibale] = $variable and do that before the mysql and that is for using rform submitions? right?

If you are doing $_POST then I have found that the php default settings for slashes are a bit messy and another function needs to be used. So below is an example that only applies for $_POST.

function sqlencrypt($var) {
    return mysql_real_escape_string(htmlentities($var, ENT_QUOTES));
    }
$variable=stripslashes($_POST['variable']);
mysql_query('SELECT * FROM `stringtable` WHERE `string`="'.sqlencrypt($variable).'"');

However a more professional way is as follows:

function sqlencrypt($var) {
    return mysql_real_escape_string(htmlentities($var, ENT_QUOTES));
    }
mysql_query('SELECT * FROM `stringtable` WHERE `string`="'.sqlencrypt(stripslashes($_POST['variable'])).'"');

I hope that doesn't confuse you too much because with the $_POST array, by default the quotation marks are automatically escaped and extra slashes are recorded into the database if not removed.

ok that makes sense to me. but i can still use the update table mysql command right?

This article has been dead for over six months. Start a new discussion instead.