Solved

Trouble with putting text from DB to input & textarea

Posted on 2006-10-25
8
254 Views
Last Modified: 2006-11-18
I've developed my own news system. input for title, textarea for content, put them in database, then retrieve them from database.

But I have trouble with ' and/or " characters.

Im using this for putting them in database.
$sql="INSERT INTO `progress_news` SET `title`='".$_POST["title"]."', `author`='".$_SESSION["user"]."', `date`='".date("Y:m:d H:i:s")."', `content`='".$_POST["content"]."'";
mysql_query($sql);

Any hints of how I can do this so ' and " characters gets accepted and now messing up ?
0
Comment
Question by:brightwood
8 Comments
 

Author Comment

by:brightwood
ID: 17804765
Also for edit news I use:
<input style="width:300px;" type="text" value="<?=$row["title"];?>"

And if title contains " character it gets messed up.
0
 
LVL 33

Expert Comment

by:snoyes_jw
ID: 17804883
Use addslashes() or mysql_real_escape_string() on all incoming data.

http://www.php.net/mysql_real_escape_string
http://www.php.net/addslashes
0
 
LVL 29

Expert Comment

by:TeRReF
ID: 17804888
Try changing this:
$sql="INSERT INTO `progress_news` SET `title`='".$_POST["title"]."', `author`='".$_SESSION["user"]."', `date`='".date("Y:m:d H:i:s")."', `content`='".$_POST["content"]."'";
into
$sql="INSERT INTO progress_news SET title='".mysql_real_escape_string($_POST["title"])."', author='".mysql_real_escape_string($_SESSION["user"])."', date='".date("Y:m:d H:i:s")."', content='".mysql_real_escape_string($_POST["content"])."'";

and
<input style="width:300px;" type="text" value="<?=$row["title"];?>"
to
<input style="width:300px;" type="text" value="<?php addslashes($row["title"]); ?>"
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 33

Expert Comment

by:snoyes_jw
ID: 17804894
For the title, use htmlspecialchars()
0
 
LVL 20

Accepted Solution

by:
dsacker earned 500 total points
ID: 17804896
If you expect the content to contain punctuations, use addslashes($_POST["content"]). Then when you return it to your webpage, use stripslashes($row['content']).

(I'm assuming the database name $row['content'] from your example. Use whatever is actually correct.)
0
 

Author Comment

by:brightwood
ID: 17805318
Got it working, used addslashes and stripslashes.

Thanks for help.
0
 
LVL 10

Expert Comment

by:Chris_Gralike
ID: 17807563
Just as a comment on the sideline ( a serious one)!

Please dont do this ==>

$sql = "insert into table.column values('".$_POST['value']."')";

This might enable quite easly sql injections that you "dont" want. Do check the type of the POST var, if it is correct put it in a var wich is used in the query ie.

if(!empty($_POST['value']) ){
       $var = htmlspecialchars($_POST['value']);
       $var = addslashes($_POST['value']);
       /* or what ever is needed */
}

$sql = "insert into table.column values('".$var."')";

write save code ;-)

Regards,
0
 

Author Comment

by:brightwood
ID: 17811832
Closing this question, but I opened another one regarding your post Chris. I would like more information about this so I opened a new one so I can reward you.

http://www.experts-exchange.com/Web/Web_Languages/PHP/Q_22038474.html
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
Things That Drive Us Nuts Have you noticed the use of the reCaptcha feature at EE and other web sites?  It wants you to read and retype something that looks like this.Insanity!  It's not EE's fault - that's just the way reCaptcha works.  But it is …
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question