Trouble with putting text from DB to input & textarea

I've developed my own news system: an input for the title, a textarea for the content; I put them in the database, then retrieve them from the database.

But I have trouble with ' and/or " characters.

I'm using this for putting them in the database:
$sql="INSERT INTO `progress_news` SET `title`='".$_POST["title"]."', `author`='".$_SESSION["user"]."', `date`='".date("Y:m:d H:i:s")."', `content`='".$_POST["content"]."'";

Any hints on how I can do this so ' and " characters get accepted and don't mess things up?
dsacker (Contract ERP Admin/Consultant) commented:
If you expect the content to contain punctuation, use addslashes($_POST["content"]). Then when you return it to your webpage, use stripslashes($row['content']).

(I'm assuming the database name $row['content'] from your example. Use whatever is actually correct.)
brightwood (Author) commented:
Also for editing news I use:
<input style="width:300px;" type="text" value="<?=$row["title"];?>">

And if title contains " character it gets messed up.
Use addslashes() or mysql_real_escape_string() on all incoming data.
Try changing this:
$sql="INSERT INTO `progress_news` SET `title`='".$_POST["title"]."', `author`='".$_SESSION["user"]."', `date`='".date("Y:m:d H:i:s")."', `content`='".$_POST["content"]."'";
to this:
$sql="INSERT INTO progress_news SET title='".mysql_real_escape_string($_POST["title"])."', author='".mysql_real_escape_string($_SESSION["user"])."', date='".date("Y:m:d H:i:s")."', content='".mysql_real_escape_string($_POST["content"])."'";

and this:
<input style="width:300px;" type="text" value="<?=$row["title"];?>">
to this:
<input style="width:300px;" type="text" value="<?php echo addslashes($row["title"]); ?>">
For the title, use htmlspecialchars()
brightwood (Author) commented:
Got it working, used addslashes and stripslashes.

Thanks for help.
Chris Gralike (Specialist) commented:
Just as a comment on the sideline (a serious one)!

Please don't do this:

$sql = "insert into table.column values('".$_POST['value']."')";

This might quite easily enable SQL injections that you "don't" want. Do check the type of the POST var; if it is correct, put it in a var which is used in the query, i.e.

if (!empty($_POST['value'])) {
       /* filter the raw value before it goes anywhere near the query */
       $var = htmlspecialchars($_POST['value']);
       $var = addslashes($var);
       /* or whatever is needed */

       $sql = "insert into table.column values('".$var."')";
}

write safe code ;-)
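
The two sides of this thread, keeping quotes intact in the database (dsacker's and the escaping post above) and redisplaying them in the edit form (Chris's point about filtering input before it reaches the query), as one added example that is not code from any poster. It assumes the `progress_news` table from the question, a `mysqli` connection called `$db`, and swaps in a mysqli prepared statement for the removed `mysql_real_escape_string()` and `htmlspecialchars()` for `addslashes()`/`stripslashes()` on output; the `Y-m-d` date format and the `html_attr`/`render_edit_form` helper names are the example's own choices:

```php
<?php
// Added example, not from the thread. Assumed schema: progress_news(title, author, date, content).
declare(strict_types=1);

// Validate the request before it reaches the query (the "check the type of the POST var" step).
// Returns null when the input is not the shape we expect.
function validate_news(array $post): ?array
{
    if (!isset($post['title'], $post['content'])
        || !is_string($post['title']) || !is_string($post['content'])) {
        return null;
    }
    $title   = trim($post['title']);
    $content = $post['content'];
    if ($title === '' || strlen($title) > 200 || $content === '') {
        return null;
    }
    return ['title' => $title, 'content' => $content];
}

// Insert with a prepared statement: ' and " are sent as data, not as SQL syntax,
// so the values need no escaping (and must not be escaped, or slashes end up stored).
function store_news(mysqli $db, array $news, string $author): bool
{
    $stmt = $db->prepare(
        'INSERT INTO `progress_news` (`title`, `author`, `date`, `content`) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $date = date('Y-m-d H:i:s');   // assumption: DATETIME column, ISO-style format
    $stmt->bind_param('ssss', $news['title'], $author, $date, $news['content']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Output side: escape for the HTML context, not for SQL. ENT_QUOTES converts both
// " and ', so the value survives inside a double- or single-quoted attribute.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The edit form from the thread, rendered from a fetched row.
function render_edit_form(array $row): string
{
    return '<input style="width:300px;" type="text" name="title" value="'
         . html_attr($row['title']) . '">' . "\n"
         . '<textarea name="content">' . html_attr($row['content']) . '</textarea>';
}

// Usage (the connection parameters are placeholders):
// $db = new mysqli('db-host', 'db-user', 'db-pass', 'db-name');
// $news = validate_news($_POST);
// if ($news !== null && store_news($db, $news, $_SESSION['user'])) { /* saved */ }

// Constructed sample row containing exactly the characters that broke the original page.
$sample = [
    'title'   => 'It\'s a "quoted" title',
    'content' => 'Content with \'single\' and "double" quotes',
];
echo render_edit_form($sample), "\n";
```

The row comes back from the database exactly as typed, with no slashes to strip, and the quotes are turned into entities only at the moment they are written into HTML, so the same stored value can also be sent as JSON or plain text without carrying HTML escaping with it.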

brightwood (Author) commented:
Closing this question, but I opened another one regarding your post Chris. I would like more information about this so I opened a new one so I can reward you.