fragge Posted September 2, 2008 Share Posted September 2, 2008 Ok so I've written a PHP CMS for my site with a front-end interface for adding news articles (Title, Date and Text). I want to be able to insert characters such as ' and all the usual HTML stuff, without allowing for SQL injection - is there a way pass the single quotes through without letting them break the INSERT query and thus leaving my app wide open? Forums seem to do it just fine, so I'm sure there's a very simple answer like mysql_real_escape or something? Don't know what half of them actually do Edit: Did a little looking around, used mysql_real_escape_string on all values, then stripslashes() for the output - worked a treat. Link to comment https://forums.phpfreaks.com/topic/122331-solved-mysql-inserting-html-chars/ Share on other sites More sharing options...
fenway Posted September 2, 2008 Share Posted September 2, 2008 Usually this is a mess because magic quotes are often on, too. Link to comment https://forums.phpfreaks.com/topic/122331-solved-mysql-inserting-html-chars/#findComment-631889 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.