yDelco Posted September 25, 2014

I created a form where someone can add their name and a comment and then submit it to my database. Here's the code of the form:

PHP
<form method="post" action="addcomments_per_student_action.php" enctype="multipart/form-data" style="width: 700px; height: 400px;">
<?php
$x = $_GET['st'];
$result = $log->qry("Select * from students where id=" . $x);
$row = mysql_fetch_assoc($result);
echo $row['name'] . ' - ' . $row['surname'];
?>
<input type="hidden" name="st" value="<?php echo $row['id']; ?>">
<br><br>
<label>name</label>
<input type="text" name="comm" required><br>
<label>comment</label>
<textarea name="comments" style="width: 600px; height: 350px;"></textarea>
<br>
<input name="submit" id="submit" value="submit" type="submit" style="width: 150px;"><br>
</form>

And here's the code of the form's action:

PHP
<?php
require ('logmein.php');
$log = new logmein();
if ($log->logincheck($_SESSION['loggedin'], "logon", "password", "username") == false) {
    // check that the user's login session is valid; if not, return to index with details of the error
    $log->redirect($log->getHost());
}
if ($_SESSION['userlevel'] != 0) {
    $log->redirect($log->getHost() . "?result=3");
}
$student = $_POST['st'];
$comm = $_POST['comm'];
$comments = $_POST['comments'];
$log->qry("Insert into comments (student,comm,comment) values (" . $student . ",'" . $comm . "','" . $comments . "')");
$log->redirect("http://spoudastirio.com.gr/grades/comments.php");
?>

THE PROBLEM: When someone submits plain text, it works fine, but when they write the ' symbol the file gets an error.

THE ERROR: When I type "here's the game" in the textarea I get this error:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best game.')' at line 1

My database table is utf8_general_ci // text format. How can I solve it, so there won't be this kind of problem?
ginerjm Posted September 25, 2014

That will teach you not to inject unsanitized values from the user directly into your query. Obviously the inclusion of that quote messes with the overall quoting of the query string and hence your error. Switch to using prepared queries so that your values can be handled properly.
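As an added illustration of the advice above (example code, not the poster's or the reply author's), here is the thread's INSERT written both ways. It swaps the poster's logmein wrapper for a plain mysqli connection, which is an assumption; the table and column names come from the original post, and the connection credentials are placeholders.

```php
<?php
// Added example, not the original poster's code: the same INSERT done two ways.
// Assumes a mysqli connection in $db; the table layout (comments: student, comm, comment)
// comes from the original post.

// BEFORE: string concatenation. A single quote in $comments ends the string literal
// early, so "here's the best game." produces the syntax error quoted in the thread.
function insertCommentUnsafe(mysqli $db, string $student, string $comm, string $comments): bool
{
    $sql = "INSERT INTO comments (student, comm, comment) VALUES ("
         . $student . ",'" . $comm . "','" . $comments . "')";
    return $db->query($sql) !== false;
}

// AFTER: a prepared statement. The SQL text contains only placeholders, and the values
// travel to the server separately, so a quote (or anything else) in the input is stored
// verbatim and can never change the meaning of the statement.
function insertCommentSafe(mysqli $db, int $student, string $comm, string $comments): bool
{
    $stmt = $db->prepare(
        "INSERT INTO comments (student, comm, comment) VALUES (?, ?, ?)"
    );
    if ($stmt === false) {
        return false;
    }
    // "iss": one integer (student id) followed by two strings.
    $stmt->bind_param('iss', $student, $comm, $comments);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage: host, user, password and database name are placeholders for the reader's own.
$db = new mysqli('localhost', 'db_user', 'db_password', 'grades');
$db->set_charset('utf8');
// The student id comes from the hidden field; cast it to int rather than trusting the string.
$student  = (int) ($_POST['st'] ?? 0);
$comm     = $_POST['comm'] ?? '';
$comments = $_POST['comments'] ?? '';
if ($student > 0 && insertCommentSafe($db, $student, $comm, $comments)) {
    header('Location: comments.php');
    exit;
}
```

The same placeholder approach applies to the `Select * from students where id=` query in the form, which concatenates `$_GET['st']` in exactly the same way.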