Jeff asked:
Clean text to insert in database
What is the best way to clean text before inserting into a database?
MySQL server version for the right syntax to use near 've done a test to see if this works.',Now())' at line 2
Inserting "I've".
ASKER
Then I should use addslashes()
$comments = addslashes($_POST['comments']); // escape quotes before building the INSERT
Hmm! addslashes() is not really suitable for inserting user data into a database. At the very least you should use the DB specific methods, such as mysqli_real_escape_string().
Preferably though, you should be using parameterised queries. Not only will that escape your data, it will prevent SQL Injection attacks, which is a very real concern when you're dealing with User Input.
For mySQL, you can do parameter queries with both the mySQLi and PDO drivers (I'm really hoping you're using at least one of those!)
ASKER
Chris, I am using mySQLi. This is some old code and I just need to figure the simplest way to deal with special characters ( ' and " ). I did not anticipate needing this (I should have) and just need to fix this issue without having to rewrite the code.
Which is the best option?
// Option 1: generic PHP escaping
$Comments = addslashes($_REQUEST['Comments']);
// Option 2: MySQL-aware escaping (needs the connection as its first argument)
$Comments = mysqli_real_escape_string($conn, $_REQUEST['Comments']);
// The escaped string still has to be quoted inside the SQL
$sql = "INSERT INTO Table (Comments) VALUES ('$Comments')";
mysqli_query($conn, $sql);
Thanks, Jeff
ASKER
OK Chris,
I have been looking at prepared statements and bind_param all evening and I think I've got a handle on them. Not as complex as I first thought. It doesn't look like it will be too hard to convert queries as they need to be updated. And I will start using parameter queries in all my new code.
Sometimes I just want the simple answer and experts like you and Ray, and others, push us (me) to write good code and I appreciate that.
Challenge is good, and if I get stuck I always have you to fall back on!
Thanks
BTW, do you have any suggested reading or videos to help me as I get started?
Excellent. It can often take a little while for new ideas to sink in, as we all get stuck in doing things the same way we've always done them. Once you get your head around it, your programs will be much more secure and robust, often quicker and certainly easier to maintain and manage.
I often find the PHP website a great place to start when learning the language. Here are the 2 pages for mySqli prepare() and bind_param():
http://php.net/manual/en/mysqli.prepare.php
http://php.net/manual/en/mysqli-stmt.bind-param.php
These pages will give you all the info on how the methods work. Then it's just a case of applying that to your own needs. There are plenty of good tutorials on the net - here's one that gives a good overview:
http://forum.codecall.net/topic/44392-php-5-mysqli-prepared-statements/
And as you said, if you get stuck with anything, you can always ask at ExpertsExchange :)
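The INSERT from the question written three ways, as an added example that is not code from anyone in this thread: the string-built query that the single quote in "I've" breaks, the mysqli_real_escape_string() version Chris mentions, and the prepare()/bind_param() version from the pages linked above. The connection details and the table name Comments are placeholders.

```php
<?php
// Added example (not the asker's or Chris's code). Assumes an open mysqli
// connection and a placeholder table Comments(Comment TEXT, Created DATETIME).

// 1. Unsafe: the raw value is pasted into the SQL text. A quote inside the
//    comment ends the string literal early and MySQL reports a syntax error,
//    which is the message the asker saw; crafted input can change the query.
function insertUnsafe(mysqli $conn, string $comment): bool
{
    $sql = "INSERT INTO Comments (Comment, Created) VALUES ('$comment', NOW())";
    return mysqli_query($conn, $sql);
}

// 2. Escaped: mysqli_real_escape_string() takes the connection first so it
//    escapes for the connection's character set; the value must still be
//    quoted inside the SQL string.
function insertEscaped(mysqli $conn, string $comment): bool
{
    $safe = mysqli_real_escape_string($conn, $comment);
    $sql  = "INSERT INTO Comments (Comment, Created) VALUES ('$safe', NOW())";
    return mysqli_query($conn, $sql);
}

// 3. Preferred: prepared statement. The query shape is sent first and the
//    data separately, so no quoting is needed and the input cannot alter
//    the statement. 's' tells bind_param the placeholder is a string.
function insertPrepared(mysqli $conn, string $comment): bool
{
    $stmt = $conn->prepare("INSERT INTO Comments (Comment, Created) VALUES (?, NOW())");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $comment);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Placeholder credentials; replace with your own.
$conn = mysqli_connect('localhost', 'dbuser', 'dbpass', 'dbname');
if (!$conn) {
    exit('Connection failed: ' . mysqli_connect_error());
}
// Constructed sample input containing the quote that broke the original query.
$comment = $_REQUEST['Comments'] ?? "I've done a test to see if this works.";
var_dump(insertPrepared($conn, $comment));
```

Only the prepared version is called at the bottom; the other two are there so the difference in how the quote is handled can be read side by side.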
"any suggested reading..." I came across this question more or less by accident because I only follow the PHP Zone, and this was only posted in the MySQL Zone. You can use more than one zone, and that will always get more eyes on your question.
Here's an article that might be worth a read. It has tested-and-working code snippets that demonstrate the concepts.
https://www.experts-exchange.com/articles/11177/PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html
ASKER
Thanks Ray. I thought I had posted it in both MySQL and PHP. I always appreciate your input. Thanks for the link.