  1. #1
    New Coder
    Join Date
    Jan 2009
    Posts
    34
    Thanks
    12
    Thanked 0 Times in 0 Posts

    Input to lower case

    Hi

    I'm taking a user input and trying to post it to a database. I want all user input to be automatically converted to lower case. So, at the moment the code takes each input (called tag1, tag2, tag3, tag4 and tag5).

    I know I need the "strtolower" function, but can't quite get it working. This is my code:

    PHP Code:
    <?php

    session_start();

    $con = mysql_connect("xxxxxx", "xxxxxx", "xxxxxxx");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }

    mysql_select_db("db_xxxxxx", $con);

    // One INSERT per tag; the $_POST values are placed directly in the SQL string.
    $sql = "INSERT INTO article_tag (tag, articleid, articlename, userid)
            VALUES ('$_POST[tag1]','$_POST[article1]','$_POST[articlename]','$_POST[userID]')";

    if (!mysql_query($sql, $con)) {
        die('Error: Tag already exists');
    }

    $sql = "INSERT INTO article_tag (tag, articleid, articlename, userid)
            VALUES ('$_POST[tag2]','$_POST[article1]','$_POST[articlename]','$_POST[userID]')";

    if (!mysql_query($sql, $con)) {
        die('Error: Tag already exists');
    }

    $sql = "INSERT INTO article_tag (tag, articleid, articlename, userid)
            VALUES ('$_POST[tag3]','$_POST[article1]','$_POST[articlename]','$_POST[userID]')";

    if (!mysql_query($sql, $con)) {
        die('Error: Tag already exists');
    }

    $sql = "INSERT INTO article_tag (tag, articleid, articlename, userid)
            VALUES ('$_POST[tag4]','$_POST[article1]','$_POST[articlename]','$_POST[userID]')";

    if (!mysql_query($sql, $con)) {
        die('Error: Tag already exists');
    }

    $sql = "INSERT INTO article_tag (tag, articleid, articlename, userid)
            VALUES ('$_POST[tag5]','$_POST[article1]','$_POST[articlename]','$_POST[userID]')";

    if (!mysql_query($sql, $con)) {
        die('Error: Tag already exists');
    }

    echo "You have successfully entered search tags for this article.";

    mysql_close($con);
    ?>
    So, basically I want it to take tag1, 2, 3, 4 & 5, convert them to lower case and then post them to the database. Some help?

  • #2
    met
    met is offline
    Regular Coder
    Join Date
    Oct 2009
    Location
    United Kingdom
    Posts
    728
    Thanks
    4
    Thanked 119 Times in 119 Posts
    PHP Code:
    $str = strtolower($str);
    /* or in your case */

    $tag1 = strtolower($_POST['tag1']);
    $tag2 = strtolower($_POST['tag2']);
    http://php.net/manual/en/function.strtolower.php

    You are inserting values directly from $_POST into your table; this is a security risk.

    http://unixwiz.net/techtips/sql-injection.html

    read up on it

    http://www.php.net/manual/en/functio...ape-string.php

  • Users who have thanked met for this post:

    alex98uk (03-02-2010)

  • #3
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,502
    Thanks
    8
    Thanked 1,089 Times in 1,080 Posts
    Sanitize all variables before using them in any SQL queries to avoid injections.
    You can convert to lower-case at the same time ... see below.

    PHP Code:
    <?php

    session_start();

    $con = mysql_connect("xxxxxx", "xxxxxx", "xxxxxxx");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }

    mysql_select_db("db_xxxxxx", $con);

    // Sanitize all variables used in your query strings ... to avoid SQL Injections ...
    $tag1 = mysql_real_escape_string(strtolower($_POST['tag1']));
    $tag2 = mysql_real_escape_string(strtolower($_POST['tag2']));
    $tag3 = mysql_real_escape_string(strtolower($_POST['tag3']));
    $tag4 = mysql_real_escape_string(strtolower($_POST['tag4']));
    $tag5 = mysql_real_escape_string(strtolower($_POST['tag5']));
    $article1 = mysql_real_escape_string(strtolower($_POST['article1']));
    $articlename = mysql_real_escape_string(strtolower($_POST['articlename']));
    $userID = mysql_real_escape_string(strtolower($_POST['userID']));

    $sql = "INSERT INTO article_tag (tag, articleid, articlename, userid)
            VALUES ('$tag1','$article1','$articlename','$userID')";

    if (!mysql_query($sql, $con)) {
        die('Error: Tag already exists');
    }

    $sql = "INSERT INTO article_tag (tag, articleid, articlename, userid)
            VALUES ('$tag2','$article1','$articlename','$userID')";

    if (!mysql_query($sql, $con)) {
        die('Error: Tag already exists');
    }

    $sql = "INSERT INTO article_tag (tag, articleid, articlename, userid)
            VALUES ('$tag3','$article1','$articlename','$userID')";

    if (!mysql_query($sql, $con)) {
        die('Error: Tag already exists');
    }

    $sql = "INSERT INTO article_tag (tag, articleid, articlename, userid)
            VALUES ('$tag4','$article1','$articlename','$userID')";

    if (!mysql_query($sql, $con)) {
        die('Error: Tag already exists');
    }

    $sql = "INSERT INTO article_tag (tag, articleid, articlename, userid)
            VALUES ('$tag5','$article1','$articlename','$userID')";

    if (!mysql_query($sql, $con)) {
        die('Error: Tag already exists');
    }

    echo "You have successfully entered search tags for this article.";

    mysql_close($con);
    ?>

  • Users who have thanked mlseim for this post:

    alex98uk (03-02-2010)
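
The lower-casing and sanitising discussed in posts #1 to #3 can also be done with a prepared statement, which keeps the tag values out of the SQL text entirely. This is an added example, not code from any poster in the thread: it uses PDO with an in-memory SQLite database as a stand-in for the MySQL one, and the `save_tags` function, the UNIQUE constraint and the sample input are assumptions.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL database.
// The UNIQUE constraint is assumed from the "Tag already exists" error message.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE article_tag (tag TEXT NOT NULL, articleid INTEGER NOT NULL,
    articlename TEXT NOT NULL, userid INTEGER NOT NULL, UNIQUE (tag, articleid))');

function save_tags(PDO $pdo, array $post): array
{
    // IDs must be integers; reject anything else instead of escaping it.
    $articleId = filter_var($post['article1'] ?? null, FILTER_VALIDATE_INT);
    $userId    = filter_var($post['userID'] ?? null, FILTER_VALIDATE_INT);
    if ($articleId === false || $userId === false) {
        throw new InvalidArgumentException('article1 and userID must be integers');
    }
    $stmt = $pdo->prepare('INSERT INTO article_tag (tag, articleid, articlename, userid)
                           VALUES (:tag, :articleid, :articlename, :userid)');
    $result = ['saved' => [], 'duplicate' => []];
    foreach (['tag1', 'tag2', 'tag3', 'tag4', 'tag5'] as $field) {
        // Normalise first (trim + lower case), then bind; no escaping is needed.
        $tag = strtolower(trim((string) ($post[$field] ?? '')));
        if ($tag === '') {
            continue; // empty tag fields are skipped, not stored
        }
        try {
            $stmt->execute([':tag' => $tag, ':articleid' => $articleId,
                            ':articlename' => $post['articlename'], ':userid' => $userId]);
            $result['saved'][] = $tag;
        } catch (PDOException $e) {
            // SQLSTATE 23000 = integrity constraint violation (duplicate tag).
            if ((string) $e->getCode() !== '23000') { throw $e; }
            $result['duplicate'][] = $tag;
        }
    }
    return $result;
}

// Constructed sample input standing in for $_POST.
$post = [
    'tag1' => 'PHP', 'tag2' => "O'Reilly", 'tag3' => 'php', 'tag4' => '  ',
    'tag5' => "x'); DROP TABLE article_tag; --",
    'article1' => '7', 'articlename' => 'Lower-casing Input', 'userID' => '42',
];
print_r(save_tags($pdo, $post));
```

`strtolower()` works byte-wise, so tags containing non-ASCII UTF-8 letters need `mb_strtolower()` from the mbstring extension instead.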

  • #4
    New Coder
    Join Date
    Jan 2009
    Posts
    34
    Thanks
    12
    Thanked 0 Times in 0 Posts
    Thanks guys. I'm a student and still learning, but I do know about sanitizing inputs, I just hadn't used it here. I'll try the suggestion in the 2nd post

  • #5
    New Coder
    Join Date
    Jan 2009
    Posts
    34
    Thanks
    12
    Thanked 0 Times in 0 Posts
    That worked great. Just coming back to the SQL injection bit, I have some code in a different part of the site which I have now modified with the escape string function. However, I use MD5 encryption on passwords and just want to make sure that it is being sanitised before being posted as well. This is the code.

    PHP Code:
    $username = mysql_real_escape_string($_POST['username']);
    $forename = mysql_real_escape_string($_POST['forename']);
    $surname = mysql_real_escape_string($_POST['surname']);
    $email = mysql_real_escape_string($_POST['email']);
    $password = mysql_real_escape_string($_POST['password']);

    $salt = '_$_%123';

    $sql = "INSERT INTO users (username, forename, surname, email, password)
            VALUES ('$username','$forename','$surname','$email','"
         . md5($_POST['$password'] . $salt) . "')";

    if (!mysql_query($sql, $con)) {
        die('Error: Username in use');
    }
    Is the password being sanitised as well?

  • #6
    Supreme Master coder! abduraooft's Avatar
    Join Date
    Mar 2007
    Location
    N/A
    Posts
    14,861
    Thanks
    160
    Thanked 2,223 Times in 2,210 Posts
    Blog Entries
    1
    Is the password being sanitised as well?
    Yes, you need to do it on all external data (GET/POST/COOKIE).
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)

  • Users who have thanked abduraooft for this post:

    alex98uk (03-02-2010)

  • #7
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,502
    Thanks
    8
    Thanked 1,089 Times in 1,080 Posts
    $sql="INSERT INTO users (username, forename, surname, email, password)
    VALUES
    ('$username','$forename','$surname','$email','".md5($password.$salt)."')";

  • Users who have thanked mlseim for this post:

    alex98uk (03-02-2010)

  • #8
    New Coder
    Join Date
    Jan 2009
    Posts
    34
    Thanks
    12
    Thanked 0 Times in 0 Posts
    Ah, yes that makes sense. I have my head around it now. Thanks

  • #9
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,502
    Thanks
    8
    Thanked 1,089 Times in 1,080 Posts
    You might have already used Google to find this: mysql_real_escape_string
    It's a built-in function to "clean-up" or "sanitize" variables so that people
    can't inject SQL query tags or strings that will take control of your database.

    There are some YouTube examples of MySQL injections:
    http://www.youtube.com/results?searc...=1&oq=mysql+in

    In a related topic, there is also a way to clean-up any HTML stuff that
    people might put into a text editor: http://php.net/manual/en/function.htmlentities.php

    These functions are a way to maintain as much control as possible, of the data
    that people enter into forms, URL's, etc. It's all about checking every piece of
    information that people put into your website/databases.

  • #10
    New Coder
    Join Date
    Jan 2009
    Posts
    34
    Thanks
    12
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by mlseim View Post
    You might have already used Google to find this: mysql_real_escape_string
    It's a built-in function to "clean-up" or "sanitize" variables so that people
    can't inject SQL query tags or strings that will take control of your database.

    There are some YouTube examples of MySQL injections:
    http://www.youtube.com/results?searc...=1&oq=mysql+in

    In a related topic, there is also a way to clean-up any HTML stuff that
    people might put into a text editor: http://php.net/manual/en/function.htmlentities.php

    These functions are a way to maintain as much control as possible, of the data
    that people enter into forms, URL's, etc. It's all about checking every piece of
    information that people put into your website/databases.
    Yeah, we learned about the theory of it in class, but never the technicalities behind how to use it. Part of our University course was to teach ourselves HTML (if you didn't already know it), PHP and MySQL. We were told to have a site with basic backend database ready in a month, so I'm still learning the finer details of what can be a confusing language

    I'm now trying to work out how to input an input mask to make sure the user enters a valid email address. I guess I have to use PHP email filter, but the same problem occurs in that I can never seem to work out how to get it to actually work!

    Oh well, I'll stay on this site, everyone seems very helpful here

  • #11
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,502
    Thanks
    8
    Thanked 1,089 Times in 1,080 Posts
    The key is to use Google.

    Put the word "PHP" and then what you're looking for ...

    Example: PHP email validation
    http://www.google.com/#hl=en&source=...6c79a56c95bda8

    Now, look at a few of the hits ...
    You'll find several different ways of doing it, and many examples, like this:
    http://www.totallyphp.co.uk/code/val...xpressions.htm


    Google is your best source.
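
For the registration code in posts #5 to #7 and the email check asked about in post #10, the following combines `filter_var()` email validation, `password_hash()` and a prepared INSERT. It is an added example, not code from any poster in the thread: `register_user`, `check_login`, the table layout and the sample data are assumptions, and an in-memory SQLite database replaces MySQL so it runs stand-alone.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL database;
// the users table layout is assumed from the INSERT shown in post #5.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, forename TEXT,
            surname TEXT, email TEXT NOT NULL, password TEXT NOT NULL)');

function register_user(PDO $pdo, array $post): string
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return 'invalid email';
    }
    $password = (string) ($post['password'] ?? '');
    if ($password === '') {
        return 'missing password';
    }
    // Hash the raw password: escaping it first would change the bytes that get
    // hashed. password_hash() generates a random per-user salt itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, forename, surname, email, password)
                           VALUES (?, ?, ?, ?, ?)');
    try {
        $stmt->execute([$post['username'], $post['forename'], $post['surname'], $email, $hash]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation (username taken).
        if ((string) $e->getCode() !== '23000') { throw $e; }
        return 'username in use';
    }
    return 'registered';
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample input standing in for $_POST.
$good = ['username' => 'alex', 'forename' => 'Alex', 'surname' => "O'Neil",
         'email' => 'alex@example.com', 'password' => "pa'ss\"word"];
var_dump(register_user($pdo, $good));                                  // new account
var_dump(register_user($pdo, ['email' => 'not-an-email'] + $good));   // bad email
var_dump(register_user($pdo, $good));                                  // same username again
var_dump(check_login($pdo, 'alex', "pa'ss\"word"));                    // raw password
var_dump(check_login($pdo, 'alex', "pa\\'ss\\\"word"));                // escaped copy
```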


