brightwood
asked on
Trouble with putting text from DB to input & textarea
I've developed my own news system: an input for the title, a textarea for the content, put them in the database, then retrieve them from the database.
But I have trouble with ' and/or " characters.
I'm using this for putting them in the database:
$sql="INSERT INTO `progress_news` SET `title`='".$_POST["title"]."', `author`='".$_SESSION["user"]."', `date`='".date("Y:m:d H:i:s")."', `content`='".$_POST["content"]."'";
mysql_query($sql);
Any hints on how I can do this so ' and " characters get accepted and don't mess things up?
Use addslashes() or mysql_real_escape_string() on all incoming data.
http://www.php.net/mysql_real_escape_string
http://www.php.net/addslashes
Try changing this:
$sql="INSERT INTO `progress_news` SET `title`='".$_POST["title"]."', `author`='".$_SESSION["user"]."', `date`='".date("Y:m:d H:i:s")."', `content`='".$_POST["content"]."'";
into
$sql="INSERT INTO progress_news SET title='".mysql_real_escape_string($_POST["title"])."', author='".mysql_real_escape_string($_SESSION["user"])."', date='".date("Y:m:d H:i:s")."', content='".mysql_real_escape_string($_POST["content"])."'";
and
<input style="width:300px;" type="text" value="<?=$row["title"];?>"
to
<input style="width:300px;" type="text" value="<?php echo addslashes($row["title"]); ?>"
For the title, use htmlspecialchars()
ASKER
Got it working, used addslashes and stripslashes.
Thanks for help.
Just as a comment on the sideline ( a serious one)!
Please dont do this ==>
$sql = "insert into table.column values('".$_POST['value']. "')";
This might enable quite easily SQL injections that you "don't" want. Do check the type of the POST var; if it is correct, put it in a var which is used in the query, i.e.
if(!empty($_POST['value'])){
    $var = htmlspecialchars($_POST['value']);
    $var = addslashes($_POST['value']);
    /* or whatever is needed */
}
$sql = "insert into table.column values('".$var."')";
write safe code ;-)
Regards,
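An added example, not code from the thread or from any of its posters, showing the same insert-and-redisplay flow done with PDO prepared statements for the database side and htmlspecialchars() for the HTML side, which is what replaced the addslashes()/mysql_real_escape_string() approach discussed above. It assumes a table named progress_news with the columns used in the question, uses an in-memory SQLite database so it runs offline, and the $post array and $sessionUser variable are constructed stand-ins for $_POST and $_SESSION.

```php
<?php
// Added example: round-trip a news item whose title and content contain ' and "
// characters through the database and back into an <input> and a <textarea>.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE progress_news (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    title   TEXT NOT NULL,
    author  TEXT NOT NULL,
    date    TEXT NOT NULL,
    content TEXT NOT NULL
)');

// Constructed sample input standing in for $_POST and $_SESSION["user"].
$post = [
    'title'   => 'Editor\'s note: "quotes" everywhere',
    'content' => "It's a \"test\" with <b>tags</b> & ampersands\nacross two lines.",
];
$sessionUser = "o'brien";

function insertNews(PDO $db, string $title, string $author, string $content): int
{
    // Bound placeholders keep the values out of the SQL text entirely, so a quote
    // inside a value cannot terminate the string literal or alter the statement.
    $stmt = $db->prepare(
        'INSERT INTO progress_news (title, author, date, content)
         VALUES (:title, :author, :date, :content)'
    );
    $stmt->execute([
        ':title'   => $title,
        ':author'  => $author,
        ':date'    => date('Y-m-d H:i:s'),
        ':content' => $content,
    ]);
    return (int) $db->lastInsertId();
}

function fetchNews(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT title, author, content FROM progress_news WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// HTML escaping is a separate concern from database escaping. addslashes() leaves
// a " unchanged and would end the value="" attribute early; htmlspecialchars()
// turns it into &quot; so the browser shows the original character.
function renderForm(array $row): string
{
    $title   = htmlspecialchars($row['title'],   ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $content = htmlspecialchars($row['content'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input style="width:300px;" type="text" name="title" value="' . $title . '">' . "\n"
         . '<textarea name="content">' . $content . '</textarea>' . "\n";
}

$id  = insertNews($db, $post['title'], $sessionUser, $post['content']);
$row = fetchNews($db, $id);

// The stored values come back byte-for-byte identical, so no stripslashes() is
// needed on the way out.
var_dump($row['title'] === $post['title']);
var_dump($row['content'] === $post['content']);

echo renderForm($row);
```

The two escaping steps are deliberately kept apart: the data is stored exactly as typed, and escaping happens only at the boundary where the value is used (never for SQL, because the placeholder handles it; htmlspecialchars() only when the value is written into HTML). Note that the mysql_* functions used in the thread were removed in PHP 7, so PDO or mysqli with prepared statements is the available route today.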
ASKER
Closing this question, but I opened another one regarding your post Chris. I would like more information about this so I opened a new one so I can reward you.
https://www.experts-exchange.com/questions/22038474/Safe-php-code.html
ASKER
<input style="width:300px;" type="text" value="<?=$row["title"];?>
And if title contains " character it gets messed up.