Solved

Trouble with putting text from DB to input & textarea

Posted on 2006-10-25
243 Views
Last Modified: 2006-11-18
I've developed my own news system. Input for title, textarea for content; put them in the database, then retrieve them from the database.

But I have trouble with ' and/or " characters.

I'm using this to put them in the database.
$sql="INSERT INTO `progress_news` SET `title`='".$_POST["title"]."', `author`='".$_SESSION["user"]."', `date`='".date("Y:m:d H:i:s")."', `content`='".$_POST["content"]."'";
mysql_query($sql);

Any hints on how I can do this so that ' and " characters get accepted and don't mess things up?
0
Question by:brightwood
8 Comments
 

Author Comment

by:brightwood
ID: 17804765
Also for edit news I use:
<input style="width:300px;" type="text" value="<?=$row["title"];?>"

And if the title contains a " character it gets messed up.
0
 
LVL 33

Expert Comment

by:snoyes_jw
ID: 17804883
Use addslashes() or mysql_real_escape_string() on all incoming data.

http://www.php.net/mysql_real_escape_string
http://www.php.net/addslashes
0
 
LVL 29

Expert Comment

by:TeRReF
ID: 17804888
Try changing this:
$sql="INSERT INTO `progress_news` SET `title`='".$_POST["title"]."', `author`='".$_SESSION["user"]."', `date`='".date("Y:m:d H:i:s")."', `content`='".$_POST["content"]."'";
into
$sql="INSERT INTO progress_news SET title='".mysql_real_escape_string($_POST["title"])."', author='".mysql_real_escape_string($_SESSION["user"])."', date='".date("Y:m:d H:i:s")."', content='".mysql_real_escape_string($_POST["content"])."'";

and
<input style="width:300px;" type="text" value="<?=$row["title"];?>"
to
<input style="width:300px;" type="text" value="<?php echo addslashes($row["title"]); ?>"
0
 
LVL 33

Expert Comment

by:snoyes_jw
ID: 17804894
For the title, use htmlspecialchars()
0

 
LVL 20

Accepted Solution

by:
dsacker earned 500 total points
ID: 17804896
If you expect the content to contain punctuation, use addslashes($_POST["content"]). Then when you return it to your webpage, use stripslashes($row['content']).

(I'm assuming the database name $row['content'] from your example. Use whatever is actually correct.)
0
 

Author Comment

by:brightwood
ID: 17805318
Got it working, used addslashes and stripslashes.

Thanks for the help.
0
 
LVL 10

Expert Comment

by:Chris_Gralike
ID: 17807563
Just as a comment on the sideline (a serious one)!

Please don't do this ==>

$sql = "insert into table.column values('".$_POST['value']."')";

This might quite easily enable SQL injections that you "don't" want. Do check the type of the POST var; if it is correct, put it in a var which is used in the query, i.e.

$var = '';   /* defined even when the POST var is missing or empty */
if (!empty($_POST['value'])) {
       $var = htmlspecialchars($_POST['value']);
       $var = addslashes($var);   /* applied to the already-filtered value, not to the raw POST var again */
       /* or whatever is needed */
}

$sql = "insert into table.column values('".$var."')";

write safe code ;-)

Regards,
0
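An added example, not code from this thread, that puts together the two fixes raised above (snoyes_jw's htmlspecialchars() for the title input and Chris_Gralike's warning about SQL injection) in one runnable PHP script. Instead of escaping values that are concatenated into the query string, it binds them with a PDO prepared statement, so the title and content are stored exactly as typed and no stripslashes() step is needed on the way out; the title is escaped only at the moment it is placed into the HTML value attribute, which is the context where a " character breaks the form. Assumptions: PHP 7.1 or later with the PDO sqlite driver (an in-memory database, so the script runs offline); the table schema mirrors the thread's progress_news columns but is constructed here, and the sample title and content are constructed too. For MySQL only the DSN in openDb() changes.

```php
<?php
// Added example (not from the original thread): news insert plus edit-form
// rendering with each context escaped on its own terms.
//   SQL  -> prepared statement; quotes in the data can never end the literal.
//   HTML -> htmlspecialchars() with ENT_QUOTES for the value="" attribute.
// Assumption: PDO sqlite driver available. For MySQL use a DSN such as
// 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4'.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema following the thread's progress_news columns.
    $db->exec('CREATE TABLE progress_news (
        id      INTEGER PRIMARY KEY AUTOINCREMENT,
        title   TEXT NOT NULL,
        author  TEXT NOT NULL,
        date    TEXT NOT NULL,
        content TEXT NOT NULL)');
    return $db;
}

// Store a news item. Placeholders replace string concatenation, so neither
// addslashes() nor mysql_real_escape_string() is involved.
function insertNews(PDO $db, string $title, string $author, string $content): int
{
    $stmt = $db->prepare(
        'INSERT INTO progress_news (title, author, date, content) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$title, $author, date('Y-m-d H:i:s'), $content]);
    return (int) $db->lastInsertId();
}

// Read one item back as an associative array (null when the id is unknown).
function fetchNews(PDO $db, int $id): ?array
{
    $stmt = $db->prepare(
        'SELECT title, author, date, content FROM progress_news WHERE id = ?'
    );
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Render the edit form's title field. ENT_QUOTES turns both ' and " into
// entities, so the attribute cannot be closed early by the stored text.
function titleInput(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    return '<input style="width:300px;" type="text" name="title" value="' . $safe . '">';
}

// --- Demonstration with constructed input that contains both quote kinds ---
$db      = openDb();
$title   = 'Bob\'s "Big" News';                          // constructed sample
$content = "It's a test'; DROP TABLE progress_news; --";  // constructed sample

$id  = insertNews($db, $title, 'editor', $content);
$row = fetchNews($db, $id);

// Round trip must be lossless: the quotes are plain data, nothing was
// interpreted as SQL and nothing was altered by escaping.
if ($row === null || $row['title'] !== $title || $row['content'] !== $content) {
    throw new RuntimeException('round trip changed the stored text');
}

echo 'stored title  : ', $row['title'], PHP_EOL;
echo 'stored content: ', $row['content'], PHP_EOL;
echo 'edit form     : ', titleInput($row['title']), PHP_EOL;
```

The split is the point: escaping is a property of the destination, not of the data. The database never sees the value inside a query string, so it needs no SQL escaping; the browser sees it inside an attribute, so it gets attribute escaping at that moment and nowhere else. Storing the text with addslashes() applied would bake SQL escaping into the data, which is why the accepted answer then needs stripslashes() on output.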
 

Author Comment

by:brightwood
ID: 17811832
Closing this question, but I opened another one regarding your post, Chris. I would like more information about this, so I opened a new one so I can reward you.

http://www.experts-exchange.com/Web/Web_Languages/PHP/Q_22038474.html
0
