  1. #1
    New Coder
    Join Date
    Feb 2010
    Posts
    74
    Thanks
    9
    Thanked 0 Times in 0 Posts

    Delete Entry that has apostrophe

    It's the simple addslashes function, but for some reason this is acting differently than usual.

    I'm having no trouble inserting values that have an apostrophe
    PHP Code:
     
    or quotations
    PHP Code:

    I'm inserting them with this escape
    PHP Code:
    $news = mysql_real_escape_string($_POST['news']);
    even though they seem to go through without the escape... and they don't show up in the database with backslashes

    So when I go to delete, it just doesn't process

    Here's my process page

    PHP Code:
    <?php
    require_once("system/config.php");
    auth();

    dbaccess();

    $news = mysql_real_escape_string($_POST['news']);

    if (isset($_GET['delete'])) {
        if (!isset($_GET['confirm'])) {
            echo "Are you sure you want to delete \"" . ucfirst($_GET['delete']) . "\"?<br /><br /><a href=\"" . $_SERVER['REQUEST_URI'] . "&confirm=y\">Yes</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=\"edit_news.php\">No</a>";
        } else {
            mysql_query("DELETE FROM news WHERE newsblurb = '" . urlencode($_GET['delete']) . "' LIMIT 1");
            header("Location: edit_news.php");
        }
    } elseif (isset($_POST['news'])) {
        mysql_query("INSERT INTO news (newsblurb) VALUES ('" . $news . "') ");
        header("Location: edit_news.php");
    }
    ?>

  • #2
    Regular Coder poyzn's Avatar
    Join Date
    Nov 2010
    Posts
    266
    Thanks
    2
    Thanked 61 Times in 61 Posts
    Maybe the problem is in the urlencode function.
    Could you just print the string
    PHP Code:
    echo "DELETE FROM news WHERE newsblurb = '" . urlencode($_GET['delete']) . "' LIMIT 1";
    and post it here

  • #3
    New Coder
    Join Date
    Feb 2010
    Posts
    74
    Thanks
    9
    Thanked 0 Times in 0 Posts
    Oh no, the urlencode was something I was trying. It wasn't working before or after I applied that.

    But I'll print it anyway.


    ----

    Didn't print anything.
    Last edited by thilss0o; 12-24-2010 at 02:58 AM. Reason: echoed it

  • #4
    Regular Coder poyzn's Avatar
    Join Date
    Nov 2010
    Posts
    266
    Thanks
    2
    Thanked 61 Times in 61 Posts
    OK, then output the next string and check whether the delete parameter is being passed in the URL
    PHP Code:
    echo "Are you sure you want to delete \"" . ucfirst($_GET['delete']) . "\"?<br /><br /><a href=\"" . $_SERVER['REQUEST_URI'] . "&confirm=y\">Yes</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=\"edit_news.php\">No</a>";
    Maybe you should add it
    PHP Code:
    echo "Are you sure you want to delete \"" . ucfirst($_GET['delete']) . "\"?<br /><br /><a href=\"" . $_SERVER['REQUEST_URI'] . "?delete=y&confirm=y\">Yes</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=\"edit_news.php\">No</a>";

  • #5
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts
    Code:
    mysql_query("DELETE FROM news WHERE newsblurb = '". urlencode($_GET['delete']) ."' LIMIT 1");
    Is $_GET['delete'] an id or a name? Btw, welcome to the fact that the query above is wide open for exploit. Escape the string if it's a string.

  • #6
    New Coder
    Join Date
    Feb 2010
    Posts
    74
    Thanks
    9
    Thanked 0 Times in 0 Posts
    Well, I know the deleting thing works overall, it just doesn't delete entries that have quotations in them.

    and yes GET['delete'] is called from the previous page
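
The delete path discussed in this thread, as an added example that is not part of any post: it shows why the `urlencode()`d value never matches the stored row and how bound parameters remove the quoting problem that post #5 points at. It assumes a hypothetical `id` primary key column on `news` and uses PDO with in-memory SQLite in place of the thread's MySQL connection so it runs offline; the helper names and sample rows are constructed.

```php
<?php
// Added example: constructed table and rows; SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, newsblurb TEXT NOT NULL)');

// Insert with a bound parameter. The stored value contains no backslashes,
// which is also what a correctly escaped string literal produces.
function add_news(PDO $pdo, string $blurb): int {
    $stmt = $pdo->prepare('INSERT INTO news (newsblurb) VALUES (:blurb)');
    $stmt->execute([':blurb' => $blurb]);
    return (int) $pdo->lastInsertId();
}

// Delete by text with a bound parameter: quotes in $blurb cannot end the literal.
function delete_news_by_text(PDO $pdo, string $blurb): int {
    $stmt = $pdo->prepare('DELETE FROM news WHERE newsblurb = :blurb');
    $stmt->execute([':blurb' => $blurb]);
    return $stmt->rowCount();
}

// Delete by id (hypothetical column): validate as a positive integer, then bind.
function delete_news_by_id(PDO $pdo, $rawId): int {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 0; // reject anything that is not a plain positive integer
    }
    $stmt = $pdo->prepare('DELETE FROM news WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

$blurb = "Today's \"big\" update";      // constructed sample with both quote types
add_news($pdo, $blurb);
$secondId = add_news($pdo, "It's here"); // constructed sample

// urlencode() rewrites the quotes, so the WHERE clause compares a different string.
printf("urlencoded value: %s\n", urlencode($blurb));
printf("delete with urlencoded text: %d row(s)\n", delete_news_by_text($pdo, urlencode($blurb)));
// The raw text, bound as a parameter, matches the stored row.
printf("delete with raw bound text:  %d row(s)\n", delete_news_by_text($pdo, $blurb));
// Deleting by id avoids putting the blurb text in the URL at all.
printf("delete with non-integer id:  %d row(s)\n", delete_news_by_id($pdo, "2 OR 1=1"));
printf("delete with valid id:        %d row(s)\n", delete_news_by_id($pdo, (string) $secondId));
```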

