View Full Version : " ' and ? issues ...

06-16-2005, 12:30 AM
I need a refresher.

I'm trying to submit a form with a textarea, and said textarea has crazy characters like ', ", and ?, but mysql won't accept it unless I take out the characters.

What in the world do I need to do to fix this?

Here's my code:

<?php // add_entry.php
ini_set ('display_errors', 1);
error_reporting (E_ALL & ~E_NOTICE);

if (isset ($_POST['submit'])) {
    if ($dbc = @mysql_connect ('xxx', 'xxx', 'xxxx')) {
        if (!@mysql_select_db ('omon_main')) {
            die ('<p>Could not select the database because: <b>' . mysql_error() . '</b></p>');
        }
    } else {
        die ('<p>Could not connect to MySQL because: <b>' . mysql_error() . '</b></p>');
    }

    // The two $_POST values are interpolated straight into the SQL text, unescaped.
    $query = "INSERT INTO entries (entry_id, title, entry, date_entered) VALUES (0, '{$_POST['title']}', '{$_POST['entry']}', NOW())";

    if (@mysql_query ($query)) {
        print '<p>The blog entry has been added.</p>';
    } else {
        print "<p>Could not add the entry because: <b>" . mysql_error() . "</b>. The query was $query.</p>";
    }
}
?>
<form action="add_entry.php" method="post">
<p>Entry Title: <input type="text" name="title" size="40" maxlength="100" /></p>
<p>Entry Text: <textarea name="entry" cols="40" rows="5"></textarea></p>
<input type="submit" name="submit" value="Add to the Blog!" />
</form>

Kid Charming
06-16-2005, 12:37 AM
You should run it through mysql_real_escape_string() (http://us4.php.net/mysql_real_escape_string) -- actually, you should never send POST vars directly into your query the way you are. It opens you up to injection attacks. Read the manual page first, though; it's got some important usage notes.

06-16-2005, 01:20 AM
What's an injection attack? (can you tell I'm a n00b?)

Kid Charming
06-16-2005, 01:42 AM
The mysql_real_escape_string() page has an example, and there are more on this page (http://us4.php.net/manual/en/security.database.sql-injection.php).
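A worked version of what both replies above describe, added here as an example and not code from the thread: the apostrophe failure the original poster hit, the same bug used as an injection, and the fix. It assumes PHP 7 or later with the pdo_sqlite extension, uses an in-memory SQLite database in place of MySQL so it runs offline (the ext/mysql functions in the posted script were removed in PHP 7, so the safe version uses a PDO prepared statement), and the `users` table with its one row is made up for the demonstration.

```php
<?php
// Added example, not code from the thread. It reproduces the symptom the
// poster hit (an apostrophe breaks the INSERT), shows what "injection"
// means using the same bug, then the fix with a prepared statement.
// Assumptions: PHP 7+ with the pdo_sqlite extension; an in-memory SQLite
// database stands in for MySQL so the script runs offline. `entries` mirrors
// the thread's table (minus the date column); `users` is invented for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (entry_id INTEGER PRIMARY KEY, title TEXT, entry TEXT)');
$db->exec('CREATE TABLE users (name TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('admin', 's3cret-hash')"); // constructed sample row

// Vulnerable: the same pattern as the posted script, user input pasted into the SQL text.
function addEntryUnsafe(PDO $db, string $title, string $entry): void
{
    $query = "INSERT INTO entries (title, entry) VALUES ('$title', '$entry')";
    $db->exec($query);
}

// Safe: placeholders keep the data separate from the SQL, so a quote in the
// input is just a character in a value and can never end the string literal.
function addEntrySafe(PDO $db, string $title, string $entry): void
{
    $stmt = $db->prepare('INSERT INTO entries (title, entry) VALUES (?, ?)');
    $stmt->execute([$title, $entry]);
}

function dumpEntries(PDO $db): array
{
    return $db->query('SELECT title, entry FROM entries ORDER BY entry_id')->fetchAll(PDO::FETCH_ASSOC);
}

// 1. The poster's symptom: an ordinary apostrophe turns the unsafe query into a syntax error.
try {
    addEntryUnsafe($db, 'Monday', "Don't panic");
} catch (PDOException $e) {
    echo "unsafe + apostrophe: ", $e->getMessage(), "\n";
}
addEntrySafe($db, 'Monday', "Don't panic"); // row 1: stored exactly as typed

// 2. Injection: an attacker-chosen title closes the string literal early and
//    supplies the rest of the VALUES list, reading another table into the new
//    row; "--" comments out the tail of the original statement.
$payload = "pwned', (SELECT password FROM users WHERE name = 'admin')) -- ";
addEntryUnsafe($db, $payload, 'ignored'); // row 2: entry column now holds the admin password hash
addEntrySafe($db, $payload, 'ignored');   // row 3: the payload is stored literally as the title

foreach (dumpEntries($db) as $row) {
    printf("%-70s | %s\n", $row['title'], $row['entry']);
}
```

Run it with `php` on the file and compare rows 2 and 3: the unsafe path executed the attacker's subquery, the prepared statement treated the whole payload as text. With the 2005-era ext/mysql API the thread uses, `mysql_real_escape_string($_POST['title'])` on an open connection does the escaping by hand (each quote becomes `\'`, so it stays inside the string literal); note that this only protects values that sit inside quotes, so an unquoted number such as the `0` for `entry_id` would still need a cast or, better, a prepared statement.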