
This was resolved. I am using `$cleanName = addslashes($name);` to put a slash in the name field where an apostrophe would be. However, when I try to use `$cleanComment = addslashes($comment);` it does not work but instead duplicates the item -- one without the apostrophe and one with the apostrophe. MySQL doesn't accept apostrophes. I am not sure why it is not working; can anyone point me in the right direction?

I also have this in the form code

// Take the event as a parameter instead of relying on the global `event`,
// which is not defined in every browser.
document.getElementById('name').onkeypress = function (event) {
  if (event.keyCode === 39) { // apostrophe
    // prevent the keypress
    return false;
  }
};

This is the PHP Code

$name = $_POST['name'];
$email = $_POST['email'];
$comment = $_POST['comment'];
$confirm = $_POST['confirm'];

$cleanName = addslashes($name);
$cleanComment = addslashes($comment);

// Note: the comment value is interpolated twice here, as $_POST[comment] and
// as $cleanComment, and $confirm is never used.
$sql = "INSERT INTO contact (name, email, commtype, comment, confirm)
VALUES ('$cleanName', '$_POST[email]', '$_POST[commtype]', '$_POST[comment]', '$cleanComment')";

Thank you for your help.

Anj Blu
  • Directly using user input in your SQL statement is a major security risk. I suggest using prepared statements. Otherwise, you'll end up with a Little Bobby Tables issue. – Derek Pollard Jun 05 '18 at 02:59
  • Note it's probably duplicating because you have this `'$_POST[comment]','$cleanComment'`: you are putting your comment twice. Also, _"MySQL doesn't accept apostrophes"_: yes it does, you just have to pass the data the correct way. – Patrick Evans Jun 05 '18 at 03:00
  • you wouldn't need any incantations or whatnot in your strings if you just learn how to prepare your statements, just build the statement, bind the values and execute, no fuss no muss – Kevin Jun 05 '18 at 03:00
  • I just noticed the duplicate comments right after I posted it. Thanks for your help, everyone. – Anj Blu Jun 05 '18 at 03:04
  • @Derek thank you I am new to PHP and wasn't aware of the security risk. I will look into prepared statements. Thank you for the heads up. – Anj Blu Jun 05 '18 at 03:06
  • @AnjBlu try adding this to the top of the new PHP page: https://stackoverflow.com/a/21429652/2020002 – Derek Pollard Jun 05 '18 at 04:59
  • @AnjBlu no problem! Also, if this is resolved, you should write an answer for how you resolved it, and then accept it! – Derek Pollard Jun 05 '18 at 05:06

1 Answer


After I posted I noticed I had "comment" twice which was causing the error.

'$_POST[comment]','$cleanComment')";

Removed '$_POST[comment]'

Anj Blu
  • Now there should be a check mark under the vote buttons that you can click – Derek Pollard Jun 05 '18 at 05:31
  • @Derek it will not allow me to add a checkmark for another 2 days. I will approve it on Wednesday. – Anj Blu Jun 05 '18 at 05:33
  • @Derek with the prepared statement, `// prepare and bind $stmt = $conn->prepare("INSERT INTO contact (name, email, commtype, comment, confirm) VALUES (?, ?, ?, ?, ?)"); $stmt->bind_param("s", $name, $email, $commtype, $comment, $confirm);` I am getting - Error is Fatal error: Call to a member function bind_param() on a non-object in /sys/cuc2.php on line 23. Everything online points to this being correct. Any ideas? – Anj Blu Jun 05 '18 at 05:41
  • `$conn` is probably incorrect, post your code in a gist – Derek Pollard Jun 05 '18 at 05:43
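As an added example (not code from the question, the answer or the comments), here is the same INSERT written with a mysqli prepared statement, which is what the comments on the question recommend in place of `addslashes()`; it also covers the `bind_param()` attempt quoted in the last comment. The column names and form field names are the ones used in the question; the connection credentials, the `utf8mb4` charset and the `mysqli_report()` call are assumptions.

```php
<?php
// Added example, not the original poster's code. The connection details
// below are placeholders.
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false. A failed prepare()
// that silently returns false is what produces "Call to a member function
// bind_param() on a non-object" one line later; with strict reporting you
// get the server's actual error message instead.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // assumed
$conn->set_charset('utf8mb4');

// Read the five form fields, defaulting to an empty string when one is absent.
$fields = ['name', 'email', 'commtype', 'comment', 'confirm'];
$values = [];
foreach ($fields as $field) {
    $values[$field] = isset($_POST[$field]) ? (string) $_POST[$field] : '';
}

// One placeholder per column. The values are sent separately from the
// statement text, so an apostrophe in any field is just data; no escaping
// (addslashes or otherwise) is needed, and the comment column appears once.
$stmt = $conn->prepare(
    'INSERT INTO contact (name, email, commtype, comment, confirm)
     VALUES (?, ?, ?, ?, ?)'
);

// The type string needs one letter per bound variable: five strings -> "sssss".
// A single "s" with five variables is a count mismatch and is rejected.
$stmt->bind_param(
    'sssss',
    $values['name'],
    $values['email'],
    $values['commtype'],
    $values['comment'],
    $values['confirm']
);
$stmt->execute();

echo 'Inserted row id ' . $conn->insert_id . PHP_EOL;

$stmt->close();
$conn->close();
```

Two caveats worth keeping in mind with the original approach. `addslashes()` always escapes with a backslash regardless of the connection character set or the server's SQL mode, so it is not a reliable way to build SQL strings; `$conn->real_escape_string()` is at least charset-aware, but a prepared statement avoids the problem entirely because the values never become part of the statement text. And the `onkeypress` handler that blocks the apostrophe key only affects text typed into that one field in a browser with JavaScript enabled; pasted text, a modified page or a direct POST request bypass it, so it is a usability tweak, not a security control.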