Inserting text with quotes into MySQL

  • atlanteavila
    New Member
    • Aug 2008
    • 19

    Inserting text with quotes into MySQL

    Hello all,

    I have a problem with inserting text with quotes, or HTML code, into a MySQL database. I've been trying to create my own content management system, and unfortunately I've come across a problem: the script below works perfectly if I'm not inserting any quotes (" ") or HTML tags. I'm wondering if I'm doing something wrong here? The field type where all of the content will go was set up as a blob type.

    I have the following PHP code:

    Code:
    <?php
    $conn = connect();
    $action = $_GET['a'];
    $id = $_GET['id'];

    switch ($action) {
        case 'delete':
            // $id is dropped straight into the SQL string, unescaped
            $sql = "DELETE FROM article WHERE id='$id'";
            if (mysql_query($sql)) {
                echo "<script type='text/javascript'> alert('Article Deleted'); </script>";
                header("Location: article.php");
            }
            break;

        case 'add':
            if (isset($_POST['submit'])) {
                $title = $_POST['title'];
                $text  = $_POST['content'];
                // a quote inside $title or $text ends the string literal early and breaks the query
                $sql = "INSERT INTO article (articleTitle,articleContent) values ('$title','$text')";
                if (mysql_query($sql)) {
                    echo "<script type='text/javascript'> alert('Article Added'); </script>";
                    header("Location: article.php");
                }
            }
            break;

        case 'edit':
            if (isset($_POST['submit'])) {
                $title = $_POST['title'];
                $text  = $_POST['content'];
                // same problem: raw form input interpolated into the UPDATE
                $sql = "UPDATE article SET articleTitle='$title',articleContent='$text' WHERE id='$id'";
                if (mysql_query($sql)) {
                    echo "<script type='text/javascript'> alert('Article Updated'); </script>";
                    header("Location: article.php");
                }
            }
            break;
    }
    ?>
    Thanks for any help!
  • Markus
    Recognized Expert Expert
    • Jun 2007
    • 6092

    #2
    Have a look at SQL Injection and mysql_real_escape_string().


    • atlanteavila
      New Member
      • Aug 2008
      • 19

      #3
      Hello Markus... Thank you for a speedy reply. I'm a bit confused, where would I put the mysql_real_escape_string()?


      Code:
      case 'add':
          if (isset($_POST['submit'])) {
              $title = $_POST['title'];
              $text  = $_POST['content'];
              $sql = "INSERT INTO article (articleTitle,articleContent) values ('$title','$text')";
              // called after $sql was already built, with two arguments,
              // and the escaped return value is never stored anywhere
              mysql_real_escape_string($title, $text);
              if (mysql_query($sql)) {
                  echo "<script type='text/javascript'> alert('Article Added'); </script>";
                  header("Location: article.php");
              }
          }
          break;
      Also, do I need to add the magic quotes attribute? If so, would you mind giving me an example of the code to add magic quotes? This is something I haven't been able to figure out.

      Thanks!


      • Markus
        Recognized Expert Expert
        • Jun 2007
        • 6092

        #4
        No, mysql_real_escape_string() will take care of it.

        You need to use mysql_real_escape_string() on any data you are inserting into the database before it is inserted.

        Code:
        // escape first, then build the query from the escaped value
        $example = mysql_real_escape_string( $_POST['example'] );

        mysql_query( "INSERT INTO `tbl` VALUES( '{$example}' )" );

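        Markus's advice above, carried through to the poster's own 'add' and 'edit' cases as an added example (not code from the thread): with mysqli prepared statements the values travel separately from the SQL text, so quotes and HTML in the content can neither break the query nor alter what it does. The mysql_* functions used in the thread were removed in PHP 7, hence mysqli here; table and column names are the thread's, and the connection credentials are placeholders.

```php
<?php
// Added example, not code from the thread: the 'add' and 'edit' cases
// rewritten with mysqli prepared statements. Table and column names are the
// ones used in the thread; the connection credentials are placeholders.

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Connection failed.');
}
$db->set_charset('utf8mb4'); // binding/escaping is only correct for the declared charset

function addArticle(mysqli $db, string $title, string $text): int
{
    // Values are bound to the '?' placeholders, so ' " \ or <tags> in the
    // content cannot terminate the string literal or change the statement.
    $stmt = $db->prepare(
        'INSERT INTO article (articleTitle, articleContent) VALUES (?, ?)'
    );
    $stmt->bind_param('ss', $title, $text);
    $stmt->execute();
    return $db->insert_id;
}

function editArticle(mysqli $db, int $id, string $title, string $text): int
{
    $stmt = $db->prepare(
        'UPDATE article SET articleTitle = ?, articleContent = ? WHERE id = ?'
    );
    $stmt->bind_param('ssi', $title, $text, $id);
    $stmt->execute();
    return $stmt->affected_rows;
}

if (isset($_POST['submit'])) {
    $title = (string) ($_POST['title'] ?? '');
    $text  = (string) ($_POST['content'] ?? '');

    switch ($_GET['a'] ?? '') {
        case 'add':
            addArticle($db, $title, $text);
            break;
        case 'edit':
            editArticle($db, (int) ($_GET['id'] ?? 0), $title, $text);
            break;
    }
    // Redirect before sending any output: an echoed <script> ahead of
    // header() would cause a "headers already sent" warning.
    header('Location: article.php');
    exit;
}
```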

        • atlanteavila
          New Member
          • Aug 2008
          • 19

          #5
          Thank you Mark, that worked!


          • Markus
            Recognized Expert Expert
            • Jun 2007
            • 6092

            #6
            Originally posted by atlanteavila
            Thank you Mark, that worked!
            You're very welcome :D

            - Markus.
