I'm using a field 'linkUrl' and in the next page I'm inserting it into a MySQL db, but it keeps misplacing the : so it becomes 'http//'

I've tried htmlentities, htmlspecialchars, base64_encode before inserting it into the db but to no avail...

If I print it before the insert, it reads as 'http://' so some conversion is done when inserting into the db...

Comments, ideas...

Kinda stuck here...

I'm not sure I'm following you. Does the colon (hehehe) just disappear?

Can you write the query here?

Do you have these around the things you put in?  ´  (or if it was these ` don't remember)

Also, when everything else fails I usually test the \ before the thing that disappears ... so try http\://  ... I don't think it will work, but hey, at least you've tried in that case

I have

$linkCode = base64_encode(htmlentities($_POST['linkUrl']));
$SQL = "INSERT INTO " . TABLE_LINK_CONTENT . " (catID, linkName, linkURL, isVerified) VALUES ('" . $_POST['linkCatID'] . "', '" . $_POST['linkName'] . "', '" . $linkCode . "', '0')";
$Q = mysql_query($SQL);

in my last attempt.
I've tried with no base64-encoding, htmlspecialchars (or something), add/stripslashes etc., but it doesn't get stored in the db, all I get is 'http//'.

If I print($_POST['linkUrl'])
it shows http:// so it's something with the insert that's weird.

phpinfo of the server is here
And I'm using a remote MySQL, some pretty recent version @

I haven't tried the code on the live webserver @ fs because I'm re-doing the design and haven't got it finished enough to be placed public.

Hmm. Odd.

You should check if magic quotes is enabled, and if it isn't, you should run addslashes() on the strings from POST before inserting them. Have a look at the function escape() in PunBB. It shouldn't affect the colon though.

phpmyadmin uses some other character than the ' on the fields ... I think it's either ´ or ` ... (think the later) .... perhaps replace the ' with those?

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

That is the default for this installation (via pkgsrc in NetBSD 1.6).

I still think it's odd that when I print it, it is OK, but when I base64_encode it, it loses the : when inserting into the db.

Another Q: what happens if I put the file on a server with magic_quotes on, and I have addslashes in my insert, will it make it a double slash before inserting?
And if that is the case, can I check if magic_quotes is on and depending on that use addslashes, or will something like this work:
$url = addslashes(stripslashes($URL));
Will that remove slashes if present, and then add just one?

Yes, if magic_quotes_gpc is enabled, which it is on some systems, PHP will automatically run addslashes() on the strings you fetch from $_GET, $_POST etc. So, you have to check if magic_quotes_gpc is enabled, and if it isn't, you run addslashes(). That's why I recommended that you look at the function escape() in include/common.php.

Should I escape everything I insert, and un_escape everything that I get from the db?

Is there anything else I can do to make submissions more secure when user input goes into the db?

You should escape everything that might contain single quote ('), double quote ("), backslash (\) or NUL (the NULL byte). In PunBB, I escape most of the stuff that goes into the database. An example of something I don't escape is the ICQ UIN. I validate that variable with a regex to make sure it only contains numbers and when I know that, there is no need to escape.

The cardinal rule is to never trust anything that is user submitted. Validate everything as much as possible.

If I've got everything in order

$linkCode = (substr($_POST['linkUrl'], 0, 7) == "http://" || substr($_POST['linkUrl'], 0, 8) == "https://") ? escape($_POST['linkUrl']) : escape("http://" . $_POST['linkUrl']);

Should take any kind of link, verify that there is a http:// or https:// and if there is not, add a http:// then escape it into the db...

More testing tomorrow after work.

Oh, btw, I kinda haxxored your escape/un_escape into my script, with a note
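The three ideas in this thread (escape only when magic_quotes_gpc has not already done it, validate a value against a regex instead of escaping when its format is fixed, and prepend http:// when no scheme is present) put together in one runnable PHP script. This is an added example, not PunBB's escape() and not the original poster's script; the helper names pun_escape_input(), normalize_link_url(), is_numeric_uin() and insert_link() are made up for it, the table is created in an in-memory SQLite database so it runs offline, and the sample URLs are constructed. Note the substr() offsets: substr($s, 7) returns everything after the seventh character, while substr($s, 0, 7) returns the first seven, which is the comparison the scheme check needs. The PDO prepared statement at the end is not something the thread uses; it is shown because it makes escaping unnecessary and keeps the colon intact regardless of quoting.

```php
<?php
// Added example; assumed helper names, not PunBB code.

// Escape a request value the way the thread describes: add backslashes
// only if PHP has not already done so via magic_quotes_gpc. The
// get_magic_quotes_gpc() call is guarded because it no longer exists
// in PHP 8; on those versions magic quotes are always off.
function pun_escape_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return $value;           // PHP already added the backslashes
    }
    return addslashes($value);   // escapes ' " \ and NUL
}

// Validation instead of escaping: a value that must be all digits
// (the ICQ UIN case from the thread) needs no escaping once checked.
function is_numeric_uin($uin)
{
    return preg_match('/^[0-9]+$/', $uin) === 1;
}

// Prepend http:// unless the link already starts with http:// or https://.
// substr($url, 0, 7) is the first seven characters; substr($url, 7) would
// be the rest of the string, which is never equal to "http://".
function normalize_link_url($url)
{
    $url = trim($url);
    if (substr($url, 0, 7) == 'http://' || substr($url, 0, 8) == 'https://') {
        return $url;
    }
    return 'http://' . $url;
}

// Build the INSERT the way the thread does (string concatenation), but with
// every request value passed through pun_escape_input() first.
function build_insert_sql($catId, $name, $url)
{
    return "INSERT INTO link_content (catID, linkName, linkURL, isVerified) VALUES ('"
        . pun_escape_input($catId) . "', '"
        . pun_escape_input($name) . "', '"
        . pun_escape_input(normalize_link_url($url)) . "', '0')";
}

// Alternative: a prepared statement (assumed here, not used in the thread).
// The driver keeps data and SQL apart, so no escaping is needed at all.
function insert_link(PDO $db, $catId, $name, $url)
{
    $stmt = $db->prepare(
        'INSERT INTO link_content (catID, linkName, linkURL, isVerified) '
        . 'VALUES (:cat, :name, :url, 0)'
    );
    $stmt->execute(array(
        ':cat'  => (int) $catId,
        ':name' => $name,
        ':url'  => normalize_link_url($url),
    ));
    return (int) $db->lastInsertId();
}

// Constructed sample input, including characters that must be escaped.
$samples = array(
    'http://punbb.org',
    'https://example.com/path',
    'example.org/no-scheme',
    "http://example.org/O'Reilly \"quoted\" back\\slash",
);

echo "Concatenated SQL with escaping:\n";
foreach ($samples as $s) {
    echo build_insert_sql('1', 'test', $s), "\n";
}

echo "\nPrepared statement round trip (in-memory SQLite):\n";
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE link_content (id INTEGER PRIMARY KEY, catID INTEGER, '
    . 'linkName TEXT, linkURL TEXT, isVerified INTEGER)');
foreach ($samples as $s) {
    insert_link($db, 1, 'test', $s);
}
foreach ($db->query('SELECT linkURL FROM link_content ORDER BY id') as $row) {
    echo $row['linkURL'], "\n";   // the colon after http survives as stored
}

echo "\nUIN check: ", is_numeric_uin('123456') ? 'ok' : 'rejected',
     ' / ', is_numeric_uin("12'34") ? 'ok' : 'rejected', "\n";
```

Run it with `php example.php` on a build that has pdo_sqlite. Reading the rows back is the useful check here: if the stored value already contains the colon when it comes straight from a prepared statement, whatever is stripping it in the original script sits in the escaping/encoding layer or the display page, not in MySQL itself.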

OK, last shred of hair is now pulled from my head...
It just refuses to work if I add 'http://' or 'https://' in the link, I just get the standard 'http//', but if I leave the http:// out from the link when I submit it, the above code adds it fine and escapes it as it should into the db.