Solved

Trouble with putting text from DB to input & textarea

Posted on 2006-10-25
Last Modified: 2006-11-18
I've developed my own news system. input for title, textarea for content, put them in database, then retrieve them from database.

But I have trouble with ' and/or " characters.

I'm using this for putting them in the database.
$sql="INSERT INTO `progress_news` SET `title`='".$_POST["title"]."', `author`='".$_SESSION["user"]."', `date`='".date("Y:m:d H:i:s")."', `content`='".$_POST["content"]."'";
mysql_query($sql);

Any hints of how I can do this so ' and " characters get accepted and not messing up?
Question by:brightwood
8 Comments
 

Author Comment

by:brightwood
ID: 17804765
Also for edit news I use:
<input style="width:300px;" type="text" value="<?=$row["title"];?>"

And if title contains " character it gets messed up.
0
 
LVL 33

Expert Comment

by:snoyes_jw
ID: 17804883
Use addslashes() or mysql_real_escape_string() on all incoming data.

http://www.php.net/mysql_real_escape_string
http://www.php.net/addslashes
0
 
LVL 29

Expert Comment

by:TeRReF
ID: 17804888
Try changing this:
$sql="INSERT INTO `progress_news` SET `title`='".$_POST["title"]."', `author`='".$_SESSION["user"]."', `date`='".date("Y:m:d H:i:s")."', `content`='".$_POST["content"]."'";
into
$sql="INSERT INTO progress_news SET title='".mysql_real_escape_string($_POST["title"])."', author='".mysql_real_escape_string($_SESSION["user"])."', date='".date("Y:m:d H:i:s")."', content='".mysql_real_escape_string($_POST["content"])."'";

and
<input style="width:300px;" type="text" value="<?=$row["title"];?>"
to
<input style="width:300px;" type="text" value="<?php echo addslashes($row["title"]); ?>"
0
 
LVL 33

Expert Comment

by:snoyes_jw
ID: 17804894
For the title, use htmlspecialchars()
0
 
LVL 20

Accepted Solution

by:
dsacker earned 500 total points
ID: 17804896
If you expect the content to contain punctuations, use addslashes($_POST["content"]). Then when you return it to your webpage, use stripslashes($row['content']).

(I'm assuming the database name $row['content'] from your example. Use whatever is actually correct.)
0
 

Author Comment

by:brightwood
ID: 17805318
Got it working, used addslashes and stripslashes.

Thanks for help.
0
 
LVL 11

Expert Comment

by:Chris Gralike
ID: 17807563
Just as a comment on the sideline (a serious one)!

Please don't do this ==>

$sql = "insert into table.column values('".$_POST['value']."')";

This might quite easily enable SQL injections that you "don't" want. Do check the type of the POST var; if it is correct, put it in a var which is used in the query, i.e.

if(!empty($_POST['value']) ){
       $var = htmlspecialchars($_POST['value']);
       $var = addslashes($_POST['value']);
       /* or what ever is needed */
}

$sql = "insert into table.column values('".$var."')";

Write safe code ;-)

Regards,
0
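
Added example, not part of any post in this thread: the two problems discussed above (quotes breaking the INSERT, and quotes breaking the `value="..."` attribute) handled with a parameterized query for storage and htmlspecialchars() for output. It assumes PDO with an in-memory SQLite database and constructed input so it runs offline (the mysql_* functions used in the thread were removed in PHP 7); the table and column names are taken from the question, while `save_news()` and `h()` are hypothetical helper names.

```php
<?php
// Added example: constructed data, in-memory SQLite via PDO so it runs offline.
// Table and column names come from the question; everything else is assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE progress_news (
    id INTEGER PRIMARY KEY, title TEXT, author TEXT, date TEXT, content TEXT)');

// Constructed stand-ins for $_POST and $_SESSION["user"].
$post = ['title' => 'Tom\'s "big" update', 'content' => "It's <b>done</b> & \"live\"."];
$user = 'brightwood';

// Storing: placeholders keep the data out of the SQL text, so quotes need no
// escaping and cannot change the statement.
function save_news(PDO $db, string $title, string $author, string $content): int
{
    $stmt = $db->prepare(
        'INSERT INTO progress_news (title, author, date, content)
         VALUES (:title, :author, :date, :content)');
    $stmt->execute([
        ':title' => $title, ':author' => $author,
        ':date' => date('Y-m-d H:i:s'), ':content' => $content,
    ]);
    return (int) $db->lastInsertId();
}

// Displaying: encode for HTML at output time. ENT_QUOTES covers both ' and ",
// so the value cannot close the attribute or the textarea early.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$id = save_news($db, $post['title'], $user, $post['content']);
$stmt = $db->prepare('SELECT title, content FROM progress_news WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The database holds the text exactly as typed: there are no slashes to strip.
var_dump($row['title'] === $post['title']);
?>
<input style="width:300px;" type="text" name="title" value="<?= h($row['title']) ?>">
<textarea name="content"><?= h($row['content']) ?></textarea>
```

SQL escaping and HTML encoding solve different problems: the first belongs at the query boundary, the second at the point where the value is written into the page.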
 

Author Comment

by:brightwood
ID: 17811832
Closing this question, but I opened another one regarding your post Chris. I would like more information about this so I opened a new one so I can reward you.

http://www.experts-exchange.com/Web/Web_Languages/PHP/Q_22038474.html
0
