PHP str_replace not working?

Hi Everyone,

I have a form on my website that allows a person to insert information. I'm trying to prevent a mysql attack, so I decided to try to fix that by not allowing apostrophes into my mysql database. I'm using the str_replace function.

When a visitor enters information, this is the path the variable takes before entering my database, but for some reason apostrophes are being accepted into my database and I don't know why. Any help would be appreciated.

$dealership = $_POST['dealership'];
$dealership = mysql_real_escape_string($dealership);
$dealership = stripslashes($dealership);
$dealership = capitalize($dealership); // my own function
$dealership = trim($dealership);
$dealership = eregi_replace(",", "", $dealership);
$dealership = str_replace("'", "", $dealership);

What am I doing wrong here?
Thanks everyone.

You really need to be moving away from the use of the mysql_* extension and start using either the mysqli_* extension or PDO. Both the mysqli_* extension and PDO have prepared statements, which are a far better and safer way of guarding against SQL injection.

You should still sanitize the incoming data: is it within the range of values expected, is a string within the range of lengths expected, is it of the type expected, etc.

The code snippet you posted actually works fine. Your real issue must be elsewhere in all the code you haven’t shown us.

As an aside, it’s awfully odd to add slashes with mysql_real_escape_string, then strip them off in the very next line.
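Added example (not code from the thread, nor from either reply's author): the OP's insert rewritten the way the two replies above recommend, with a PDO prepared statement and the type/length/range validation SpacePhoenix describes, and without the mysql_real_escape_string/stripslashes pair Jeff Mott flags. The DSN, credentials, and the column set of the `dealers` table are assumptions for illustration; apostrophes in the input are kept, because the driver sends values separately from the SQL text, so there is nothing to strip.

```php
<?php
// Added example, not the thread's code. DSN, credentials and table layout are assumed.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // assumed DSN
        'example_user',                                           // assumed user
        'example_password',                                       // assumed password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

/**
 * Validate the required fields: expected presence, length, type and format.
 * Returns a list of error messages, empty when the input is acceptable.
 * Validation decides what is accepted; the prepared statement is what keeps
 * the insert safe regardless of which characters survive validation.
 */
function validateDealer(array $in): array
{
    $errors = [];
    foreach (['dealership', 'address', 'state', 'city', 'zip', 'phone', 'email', 'name'] as $field) {
        if (!isset($in[$field]) || trim((string) $in[$field]) === '') {
            $errors[] = "Field '$field' is required.";
        }
    }
    if (isset($in['dealership']) && strlen($in['dealership']) > 65) {
        $errors[] = 'Dealership name is too long.';
    }
    if (isset($in['zip']) && !preg_match('/^\d{5}$/', $in['zip'])) {
        $errors[] = 'Zip code must be exactly 5 digits.';
    }
    if (isset($in['phone']) && !preg_match('/^\d{10}$/', preg_replace('/\D/', '', $in['phone']))) {
        $errors[] = 'Phone number must contain 10 digits.';
    }
    if (isset($in['email']) && filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email.';
    }
    return $errors;
}

/** Insert a validated record; every value is bound, nothing is interpolated into SQL. */
function insertDealer(PDO $pdo, array $in): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO dealers (dealership, address, state, city, zip, phone, email, name, time)
         VALUES (:dealership, :address, :state, :city, :zip, :phone, :email, :name, NOW())'
    );
    $stmt->execute([
        ':dealership' => trim($in['dealership']),
        ':address'    => trim($in['address']),
        ':state'      => $in['state'],
        ':city'       => trim($in['city']),
        ':zip'        => $in['zip'],
        ':phone'      => preg_replace('/\D/', '', $in['phone']),
        ':email'      => $in['email'],
        ':name'       => $in['name'],
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input: the apostrophes are legitimate data and are stored as-is.
$sample = [
    'dealership' => "O'Connor's Auto",
    'address'    => '1 Example Road',
    'state'      => 'Texas',
    'city'       => 'Austin',
    'zip'        => '78701',
    'phone'      => '512-555-0100',
    'email'      => 'owner@example.com',
    'name'       => "Pat O'Connor",
];

$errors = validateDealer($sample);
if ($errors !== []) {
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n"; // escape before echoing into HTML
    }
} else {
    $id = insertDealer(connect(), $sample);
    echo "Inserted dealer #$id\n";
}
```

In a real page `$sample` would be `$_POST`; the point of the example is that the validation and the insert are separate concerns, and that neither step needs to remove apostrophes.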

Hello,

I agree with @Jeff Mott. Please check whether there is any other insert statement in your code.

Hi Everyone,

Thanks for your replies. I appreciate them.

Thanks SpacePhoenix for the tip. Quick question though: if I update this page with the mysqli_* extension, will I have to update every single page in my website with that same extension?

Hey Guys,

Below is my syntax. This is the syntax behind the page. Not quite sure what I’m doing wrong here. What do you guys think?

if (isset ( $_POST['dealership'] ) ){

   $dealership = $_POST['dealership'];
   $address = $_POST['address'];
   $state = $_POST['state'];
   $city = $_POST['city'];
   $zip = $_POST['zip'];
   $phone = $_POST['phone'];
   $website = $_POST['website'];
   $email = $_POST['email'];
   $name = $_POST['name'];

   $facebook = $_POST['facebook'];
   $twitter = $_POST['twitter'];
   $youtube = $_POST['youtube'];
   $google_plus = $_POST['google_plus'];
   $yelp = $_POST['yelp'];
   $bbb = $_POST['bbb'];
   $pinterest = $_POST['pinterest'];

   $dealership = mysql_real_escape_string($dealership);
   $address = mysql_real_escape_string($address);
   $state = mysql_real_escape_string($state);
   $city = mysql_real_escape_string($city);
   $zip = mysql_real_escape_string($zip);
   $phone = mysql_real_escape_string($phone);
   $website = mysql_real_escape_string($website);
   $email = mysql_real_escape_string($email);
   $name = mysql_real_escape_string($name);

   $facebook = mysql_real_escape_string($facebook);
   $twitter = mysql_real_escape_string($twitter);
   $youtube = mysql_real_escape_string($youtube);
   $google_plus = mysql_real_escape_string($google_plus);
   $yelp = mysql_real_escape_string($yelp);
   $bbb = mysql_real_escape_string($bbb);
   $pinterest = mysql_real_escape_string($pinterest);

   $dealership = stripslashes($dealership);
   $state = stripslashes($state);
   $city = stripslashes($city);

   $dealership = capitalize($dealership);
   $state = capitalize($state);
   $city = capitalize($city);
   $name = capitalize($name);
   $address = capitalize($address);

   $address = trim($address);
   $dealership = trim($dealership);
   $city = trim($city);

   // $phone = eregi_replace("+1", "", $phone);
   // $dealership = eregi_replace("'", " ", $dealership);
   $city = eregi_replace("'", " ", $city);
   $dealership = eregi_replace(",", "", $dealership);
   $city = eregi_replace(",", "", $city);
   $website = eregi_replace("www.www.", "http://", $website);
   $website = eregi_replace("www.", "http://", $website);
   $website = eregi_replace("http://http://", "http://", $website);
   $phone = eregi_replace("-","",$phone);

   $dealership = str_replace("'", "", $dealership);
   $city = str_replace("'", "", $city);
   $address = str_replace("'", "", $address);

    if ( empty($dealership) || empty($address)  || empty($state) || empty($city) || empty($zip) || empty($phone) || empty($website) || empty($email) || empty($name) ){
		
		 $errors[] = "All Fields With * Are Required!<br>";
		
		} else {
		
		  if (strlen($dealership) > 65){
		    $errors[] = 'Dealership name is too long. Shorten it'.'<br>';
		  }
		
          if (strlen($state) > 65){
		    $errors[] = 'State name too long. Shorten it'.'<br>';
		  }
		
		  if (!is_numeric($zip)){
		    $errors[] = 'Please enter a zip code with only numbers.'.'<br>';
		  }
		
		  if (strlen($zip) != 5) {
		    $errors[] = 'Please enter a 5 digit zip code.'.'<br>';
		  }	
		
		  if (!is_numeric($phone)){
		    $errors[] = 'Please enter a valid phone number'.'<br>';
		  }
		
		  if (filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE){
		    $errors[] = 'Please enter a valid email.'.'<br>';
		  }
		
		
		}
	

		
		if(!empty($errors)){
		  foreach ($errors as $error){
		    echo "$error";
		  }
		} else {
		
		    $insert = ("INSERT INTO dealers (dealership, address, state, city, zip, phone, website, email, name, time, facebook, twitter, youtube, google_plus, yelp, pinterest, bbb)
		    VALUES ('$dealership','$address','$state','$city','$zip','$phone','$website','$email','$name', NOW(), '$facebook', '$twitter', '$youtube', '$google_plus', '$yelp', '$pinterest', '$bbb' )");
		
		    mysql_query($insert);
		
		
		    $email_2 = "myemail@yahoo.com";
		    $to = $email_2;
			$from = "admin@mywebsite.com";
			$subject = "Another Dealership!";
			
			$city = $city;
			
			$message = '<html>
		     <body bgcolor="#FFFFFF">
		            You\'ve got another dealership! ' . $dealership . '
		            <br /><br />
					Dealership: ' . $address . '
		            <br /><br />
					State: ' . $state . '
		            <br /><br />
					City: ' . $city . '
					<br /><br />
					Zip: ' . $zip . '
				    <br /><br />
					Phone: ' . $phone . '
					<br /><br />
					Website: ' . $website . '
					<br /><br />
					E-Mail: ' . $email . '
					<br /><br />
					Person\'s Name: ' . $name . '
					<br /><br />
		            Thanks!
		     </body>
		     </html>';
			
			$headers = "From: $from\r\n";
		    $headers .= "Content-type: text/html\r\n";
		    $to = "$to";
			mail($to, $subject, $message, $headers);
			
			
			////////
			
			/* $email_2 = "myemail@yahoo.com";
		    $to = $email_2;
			$from = "admin@mywebsite.com";
			$subject = "Another Dealership!";
			
			$city = $city;
			
			$message = '<html>
		     <body bgcolor="#FFFFFF">
		            You\'ve got another dealership! ' . $dealership . '
		            <br /><br />
					Dealership: ' . $address . '
		            <br /><br />
					State: ' . $state . '
		            <br /><br />
					City: ' . $city . '
					<br /><br />
					Zip: ' . $zip . '
				    <br /><br />
					Phone: ' . $phone . '
					<br /><br />
					Website: ' . $website . '
					<br /><br />
					E-Mail: ' . $email . '
					<br /><br />
					Person\'s Name: ' . $name . '
					<br /><br />
		            Thanks!
		     </body>
		     </html>';
			
			$headers = "From: $from\r\n";
		    $headers .= "Content-type: text/html\r\n";
		    $to = "$to";
			mail($to, $subject, $message, $headers); */
			
			
			
			echo 'Thanks for submitting your information.<br /><br />';
		  }
		
		
		

		
		
}

?>


<center><form action="add-carlot.php" method="POST">
        <table>

		  <tr>
            <td width="99">Dealership Name:*</td>
            <td width="112">
              <input type="text" name="dealership" value="<?php echo "$dealership"; ?>" />
            </td>
          </tr>
		  <tr>
            <td width="99">Address:*</td>
            <td width="112">
              <input type="text" name="address" value="<?php echo "$address"; ?>" />
            </td>
          </tr>
	<tr>
      <td>State:*</td>
      <td><select name="state" value="<?php echo "$state"; ?>" >
      <option value="Alabama">Alabama</option>
      <option value="Alaska">Alaska</option>
	  <option value="Arizona">Arizona</option>
      <option value="Arkansas">Arkansas</option>
	  <option value="California">California</option>
      <option value="Colorado">Colorado</option>
	  <option value="Connecticut">Connecticut</option>
      <option value="Delaware">Delaware</option>
	  <option value="Florida">Florida</option>
      <option value="Georgia">Georgia</option>
	  <option value="Hawaii">Hawaii</option>
      <option value="Idaho">Idaho</option>
	  <option value="Illinois">Illinois</option>
      <option value="Indiana">Indiana</option>
	  <option value="Iowa">Iowa</option>
      <option value="Kansas">Kansas</option>
	  <option value="Kentucky">Kentucky</option>
      <option value="Louisiana">Louisiana</option>
	  <option value="Maine">Maine</option>
      <option value="Maryland">Maryland</option>
	  <option value="Massachusetts">Massachusetts</option>
      <option value="Michigan">Michigan</option>
	  <option value="Minnesota">Minnesota</option>
      <option value="Mississippi">Mississippi</option>
	  <option value="Missouri">Missouri</option>
      <option value="Montana">Montana</option>
	  <option value="Nebraska">Nebraska</option>
      <option value="Nevada">Nevada</option>
	  <option value="New Hampshire">New Hampshire</option>
      <option value="New Jersey">New Jersey</option>
	  <option value="New Mexico">New Mexico</option>
      <option value="New York">New York</option>
	  <option value="North Carolina">North Carolina</option>
      <option value="North Dakota">North Dakota</option>
	  <option value="Ohio">Ohio</option>
      <option value="Oklahoma">Oklahoma</option>
	  <option value="Oregon">Oregon</option>
      <option value="Pennsylvania">Pennsylvania</option>
	  <option value="Rhode Island">Rhode Island</option>
      <option value="South Carolina">South Carolina</option>
	  <option value="South Dakota">South Dakota</option>
      <option value="Tennessee">Tennessee</option>
	  <option value="Texas">Texas</option>
      <option value="Utah">Utah</option>
	  <option value="Vermont">Vermont</option>
      <option value="Virginia">Virginia</option>
	  <option value="Washington">Washington</option>
      <option value="West Virginia">West Virginia</option>
	  <option value="Wisconsin">Wisconsin</option>
	  <option value="Wyoming">Wyoming</option>
      </select></td>
    </tr>
		  <tr>
            <td width="99">City:*</td>
            <td width="112">
              <input type="text" name="city" value="<?php echo "$city"; ?>" />
            </td>
          </tr>
          <tr>
            <td width="99">Zip:*</td>
            <td width="112">
			  <input type="text" name="zip" maxlength="5" value="<?php echo "$zip"; ?>" />
            </td>
          </tr>
          <tr>
            <td width="99">Phone:*</td>
            <td width="112">
              <input type="text" name="phone" value="<?php echo "$phone"; ?>" />
            </td>
          </tr>
          <tr>
            <td width="99">Website:*</td>
            <td width="112">
              <input type="text" name="website" value="<?php echo "$website"; ?>" />
            </td>
          </tr>
		   <tr>
            <td width="99">Email:*</td>
            <td width="112">
              <input type="text" name="email" value="<?php echo "$email"; ?>" />
            </td>
          </tr>
		  <tr>
            <td width="99">Facebook:</td>
            <td width="112">
              <input type="text" name="facebook" value="<?php echo "$facebook"; ?>" />
            </td>
          </tr>
		  <tr>
            <td width="99">Twitter:</td>
            <td width="112">
              <input type="text" name="twitter" value="<?php echo "$twitter"; ?>" />
            </td>
          </tr>
		  <tr>
            <td width="99">Youtube:</td>
            <td width="112">
              <input type="text" name="youtube" value="<?php echo "$youtube"; ?>" />
            </td>
          </tr>
		  <tr>
            <td width="99">Google+:</td>
            <td width="112">
              <input type="text" name="google_plus" value="<?php echo "$google_plus"; ?>" />
            </td>
          </tr>
		  <tr>
            <td width="99">Yelp:</td>
            <td width="112">
              <input type="text" name="yelp" value="<?php echo "$yelp"; ?>" />
            </td>
          </tr>
		  <tr>
            <td width="99">Pinterest:</td>
            <td width="112">
              <input type="text" name="pinterest" value="<?php echo "$pinterest"; ?>" />
            </td>
          </tr>
		  <tr>
            <td width="99">BBB:</td>
            <td width="112">
              <input type="text" name="bbb" value="<?php echo "$bbb"; ?>" />
            </td>
          </tr>
		   <tr>
            <td width="99">Your Name:*</td>
            <td width="112">
             <input type="text" name="name" value="<?php echo "$name"; ?>" />
            </td>
          </tr>
          <tr>
            <td width="99">
              <input type="submit" name="submit" value="Submit">
            </td>
          </tr>
        </table>
      </form></center>

Yes you’ll have to update any script which currently uses the mysql_* extension
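Added example (not code from the thread or from the reply's author) of what that update looks like per script with the mysqli extension: `getDb()` stands in for a shared include that every page would `require`, so the connection details live in one place, and each page swaps its `mysql_query()` string for a prepared statement. It uses the 17 columns of the INSERT posted above; host, credentials and database name are assumptions.

```php
<?php
// Added example, not the thread's code. Host, credentials and database name are assumed.
declare(strict_types=1);

/** Shared connection; in practice this function would live in an include used by every page. */
function getDb(): mysqli
{
    static $db = null;
    if ($db === null) {
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
        $db = new mysqli('localhost', 'example_user', 'example_password', 'example_db'); // assumed
        $db->set_charset('utf8mb4');
    }
    return $db;
}

/**
 * The posted 17-column INSERT with every value bound. The bind_param type
 * string is one 's' per placeholder; time is NOW() in the SQL, so it is not bound.
 */
function insertDealer(mysqli $db, array $row): int
{
    $columns = ['dealership', 'address', 'state', 'city', 'zip', 'phone', 'website',
                'email', 'name', 'facebook', 'twitter', 'youtube', 'google_plus',
                'yelp', 'pinterest', 'bbb'];

    $sql = 'INSERT INTO dealers (' . implode(', ', $columns) . ', time) VALUES ('
         . implode(', ', array_fill(0, count($columns), '?')) . ', NOW())';

    $stmt = $db->prepare($sql);
    $values = [];
    foreach ($columns as $c) {
        // Optional social fields may be absent from the form; store them as empty strings.
        $values[] = isset($row[$c]) ? trim((string) $row[$c]) : '';
    }
    $stmt->bind_param(str_repeat('s', count($columns)), ...$values);
    $stmt->execute();
    return (int) $db->insert_id;
}

// Constructed sample: optional fields left out, apostrophe kept as data.
$row = [
    'dealership' => "Sam's Used Cars",
    'address'    => '2 Example Avenue',
    'state'      => 'Ohio',
    'city'       => 'Columbus',
    'zip'        => '43085',
    'phone'      => '6145550100',
    'website'    => 'http://www.example.com',
    'email'      => 'sam@example.com',
    'name'       => 'Sam',
];

$id = insertDealer(getDb(), $row);
echo "Inserted dealer #$id\n";
```

Validation of the fields (length, digits-only zip, email format) is unchanged from the posted page and runs before `insertDealer()`; the migration itself only touches the connection and the query.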