farnoise
Posted September 3, 2010

Hi All, I'm trying to insert an HTML code into one of the fields so when you load the page it reads that code and shows you the picture that code is pointing you to, as you can see below, but the problem is I have too many " and ' s so PHP won't pass it.

    $name = $_POST['name'];
    $title = $_POST['title'];
    $ext = $_POST['ext'];
    $cell = $_POST['cell'];
    $sec = $_POST['sec'];
    $emp = $_POST['emp'];

    $con = mysql_connect("localhost","root","PA55ss");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }

    mysql_select_db("movedb", $con);

    $sql="INSERT INTO sheet1sa (ext, F2, cell, name, dep, F6, empno) VALUES ('$ext', '$sec', '$cell', '$name', '$dep', '<img src='./pics/$empno.jpg' width="80" height='90' />", '$empno')";

BTW I need to make this code so it takes the "empno" value and inserts it into that code before .JPG, so when the browser reads my database it will read it as "./pics/777788.JPG"

Thanks for your help

muzzs
Posted September 3, 2010

Hi, I am not sure what your problem is, but to fix the SQL so that PHP parses it correctly you have to use the backslash (\) in front of any " you use in the string so that PHP doesn't see it as the end of the string. A fixed version looks like the following:

    $sql="INSERT INTO sheet1sa (ext, F2, cell, name, dep, F6, empno) VALUES ('$ext', '$sec', '$cell', '$name', '$dep', '<img src='./pics/$empno.jpg' width=\"80\" height='90' />', '$empno')";

Hope that helps!

Pikachu2000
Posted September 3, 2010

You should not be placing unsanitized, user supplied, form data into a query string. Use mysql_real_escape_string() for all string type data, and cast numeric data to the correct data type such as, for example, $var = (int) $_POST['integer']; for integer types before allowing it in the query.

You should also be validating that the form has been submitted then validating the fields, at least to make sure that any required fields are completed, otherwise, you'll end up with a blank record in the DB every time the script runs and the form data is not present.
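
The advice in the last reply, as an added example that is not part of the original thread: required fields are checked, the employee number is validated as an integer, and the row is inserted with bound parameters so the quotes in the `<img>` tag never touch the SQL text. It swaps PDO prepared statements in for mysql_real_escape_string() (the mysql_* extension was removed in PHP 7) and uses an in-memory SQLite database in place of MySQL so it runs offline; the `dep` form field, the function names and the sample submissions are assumptions.

```php
<?php
// Added example: validate the form, then insert with bound parameters.
// SQLite in memory stands in for the MySQL database so this runs offline.
function buildRow(array $post): array
{
    // Required fields must be present and non-empty, otherwise no insert.
    // 'dep' is an assumed form field; the original form does not read it.
    foreach (['name', 'ext', 'cell', 'sec', 'dep', 'emp'] as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            throw new InvalidArgumentException("Missing field: $field");
        }
    }
    // Numeric data: accept only a positive integer employee number.
    $empno = filter_var($post['emp'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($empno === false) {
        throw new InvalidArgumentException('emp must be a positive integer');
    }
    // $empno is an int here, so the only variable part of the tag is digits.
    $img = sprintf('<img src="./pics/%d.jpg" width="80" height="90" />', $empno);
    return [$post['ext'], $post['sec'], $post['cell'], $post['name'], $post['dep'], $img, $empno];
}

function insertRow(PDO $db, array $post): void
{
    // Placeholders keep every value out of the SQL text, so quotes in the
    // data (including those in the <img> tag) need no escaping.
    $sql = 'INSERT INTO sheet1sa (ext, F2, cell, name, dep, F6, empno) VALUES (?, ?, ?, ?, ?, ?, ?)';
    $db->prepare($sql)->execute(buildRow($post));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sheet1sa (ext TEXT, F2 TEXT, cell TEXT, name TEXT, dep TEXT, F6 TEXT, empno INTEGER)');

// Constructed sample submissions: a normal one, one with quotes, one invalid.
$samples = [
    ['name' => 'Ann Lee', 'ext' => '4412', 'cell' => '555-0100', 'sec' => 'A', 'dep' => 'IT', 'emp' => '777788'],
    ['name' => "O'Brien \"Bob\"", 'ext' => '4413', 'cell' => '555-0101', 'sec' => 'B', 'dep' => 'HR', 'emp' => '777789'],
    ['name' => 'Eve', 'ext' => '4414', 'cell' => '555-0102', 'sec' => 'C', 'dep' => 'IT', 'emp' => 'not-a-number'],
];
foreach ($samples as $post) {
    try {
        insertRow($db, $post);
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
foreach ($db->query('SELECT name, F6, empno FROM sheet1sa') as $row) {
    echo $row['name'], ' | ', $row['F6'], ' | ', $row['empno'], PHP_EOL;
}
```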
Archived
This topic is now archived and is closed to further replies.