• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 276
  • Last Modified:

Trouble with putting text from DB to input & textarea

I've developed my own news system. input for title, textarea for content, put them in database, then retrieve them from database.

But I have trouble with ' and/or " characters.

Im using this for putting them in database.
$sql="INSERT INTO `progress_news` SET `title`='".$_POST["title"]."', `author`='".$_SESSION["user"]."', `date`='".date("Y:m:d H:i:s")."', `content`='".$_POST["content"]."'";
mysql_query($sql);

Any hints of how I can do this so ' and " characters gets accepted and now messing up ?
0
brightwood
Asked:
brightwood
1 Solution
 
brightwoodAuthor Commented:
Also for edit news I use:
<input style="width:300px;" type="text" value="<?=$row["title"];?>"

And if title contains " character it gets messed up.
0
 
snoyes_jwCommented:
Use addslashes() or mysql_real_escape_string() on all incoming data.

http://www.php.net/mysql_real_escape_string
http://www.php.net/addslashes
0
 
TeRReFCommented:
Try changing this:
$sql="INSERT INTO `progress_news` SET `title`='".$_POST["title"]."', `author`='".$_SESSION["user"]."', `date`='".date("Y:m:d H:i:s")."', `content`='".$_POST["content"]."'";
into
$sql="INSERT INTO progress_news SET title='".mysql_real_escape_string($_POST["title"])."', author='".mysql_real_escape_string($_SESSION["user"])."', date='".date("Y:m:d H:i:s")."', content='".mysql_real_escape_string($_POST["content"])."'";

and
<input style="width:300px;" type="text" value="<?=$row["title"];?>"
to
<input style="width:300px;" type="text" value="<?php addslashes($row["title"]); ?>"
0
Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

 
snoyes_jwCommented:
For the title, use htmlspecialchars()
0
 
dsackerContract ERP Admin/ConsultantCommented:
If you expect the content to contain punctuations, use addslashes($_POST["content"]). Then when you return it to your webpage, use stripslashes($row['content']).

(I'm assuming the database name $row['content'] from your example. Use whatever is actually correct.)
0
 
brightwoodAuthor Commented:
Got it working, used addslashes and stripslashes.

Thanks for help.
0
 
Chris GralikeSpecialistCommented:
Just as a comment on the sideline ( a serious one)!

Please dont do this ==>

$sql = "insert into table.column values('".$_POST['value']."')";

This might enable quite easly sql injections that you "dont" want. Do check the type of the POST var, if it is correct put it in a var wich is used in the query ie.

if(!empty($_POST['value']) ){
       $var = htmlspecialchars($_POST['value']);
       $var = addslashes($_POST['value']);
       /* or what ever is needed */
}

$sql = "insert into table.column values('".$var."')";

write save code ;-)

Regards,
0
 
brightwoodAuthor Commented:
Closing this question, but I opened another one regarding your post Chris. I would like more information about this so I opened a new one so I can reward you.

http://www.experts-exchange.com/Web/Web_Languages/PHP/Q_22038474.html
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now