
Problems with mysql_real_escape_string


Raiden616


Hi, I am trying to make a blog system in PHP and MySQL and have just about got it working except for one thing. I need to sanitise the fields, both to prevent SQL injection and to allow the bloggers to use punctuation such as quotes. This is the query code I have so far:

    if($_SERVER["REQUEST_METHOD"] == "POST") {
        $post_title   = $_POST['posttitle'];     // title is used as submitted, not escaped
        $post_content = $_POST['postcontent'];
        $post_content = mysql_real_escape_string($post_content);
        // table and column names are wrapped in single quotes here, not backticks
        $query = mysql_query("INSERT INTO 'blog'('Title','Content') VALUES
            ('$post_title','$post_content')", $connect);
        header("Location:index.php?page=afterpost&post=".mysql_insert_id());
    }

I can't see why that isn't working, but when I type something in with a quote in it, it just doesn't submit to the database. Without a quote, it works fine. If I try echo $post_content;, it comes up with backslashes before the quotes, so mysql_real_escape_string seems to be working. What am I doing wrong?

 

Thanks in advance.

https://forums.phpfreaks.com/topic/220089-problems-with-mysql_real_escape_string/

Are you sure the connection to the database exists when mysql_real_escape_string() is called? Is error_reporting/display_errors on? Try specifically calling the connection in the function.

    mysql_real_escape_string($post_content, $conn);

Hi,

 

The connection is called, but I tried what you said anyway and no luck, it's still misbehaving. Here's the full code (with security data removed, of course).

 

    <?php
    $connect = mysql_connect($host, $username, $password);
    $db = mysql_select_db($database, $connect);

    session_start();

    if($_SERVER["REQUEST_METHOD"] == "POST") {
        $post_title   = $_POST['posttitle'];     // title is used as submitted, not escaped
        $post_content = $_POST['postcontent'];
        $post_content = mysql_real_escape_string($post_content, $connect);
        // table and column names are wrapped in single quotes here, not backticks
        $query = mysql_query("INSERT INTO 'blog'('Title','Content') VALUES
            ('$post_title','$post_content')", $connect);
        header("Location:index.php?page=afterpost&post=".mysql_insert_id());
    }
    ?>
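Two things stand out in the posted query. The table and column names are wrapped in single quotes, which MySQL parses as string literals rather than identifiers (identifiers go in backticks), so the INSERT is rejected and mysql_query() returns false without anything checking mysql_error(). And only $post_content is escaped: $post_title is concatenated into the SQL as submitted, so a quote in the title breaks the statement and is an injection point. The example below is added here and is not the original poster's code. It does the same insert with PDO prepared statements, so neither value is ever part of the SQL text, and surfaces database errors as exceptions. It runs offline against an in-memory SQLite database (assumption: the pdo_sqlite extension is available); for MySQL only the DSN and credentials in openDatabase() change.

```php
<?php
// Added example, not the original poster's code: the blog insert with
// parameterised queries and error reporting turned on.
declare(strict_types=1);

function openDatabase(): PDO
{
    // Assumption: pdo_sqlite is available. For MySQL use a DSN such as
    // 'mysql:host=localhost;dbname=blog;charset=utf8mb4' plus user/password,
    // and also set PDO::ATTR_EMULATE_PREPARES to false so the server does
    // the parameter binding itself.
    $pdo = new PDO('sqlite::memory:');

    // Throw on any database error instead of silently returning false,
    // which is what hid the failing INSERT in the thread above.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Identifiers are quoted with backticks, not single quotes.
    $pdo->exec('CREATE TABLE `blog` ('
        . '`id` INTEGER PRIMARY KEY AUTOINCREMENT, '
        . '`Title` TEXT NOT NULL, '
        . '`Content` TEXT NOT NULL)');
    return $pdo;
}

function insertPost(PDO $pdo, string $title, string $content): int
{
    // Both values are bound as parameters: quotes, backslashes and SQL
    // keywords in the input are stored literally and never parsed as SQL.
    // No mysql_real_escape_string() step is needed or wanted here.
    $stmt = $pdo->prepare(
        'INSERT INTO `blog` (`Title`, `Content`) VALUES (:title, :content)'
    );
    $stmt->execute([':title' => $title, ':content' => $content]);
    return (int) $pdo->lastInsertId();
}

function fetchPost(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT `Title`, `Content` FROM `blog` WHERE `id` = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function countPosts(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM `blog`')->fetchColumn();
}

// Constructed sample input standing in for $_POST['posttitle'] and
// $_POST['postcontent']: a title with both kinds of quotes, and content
// that would terminate the statement if it were concatenated into the SQL.
$pdo     = openDatabase();
$title   = "O'Reilly's \"quoted\" title";
$content = "It's fine'); DROP TABLE `blog`; --";

$id  = insertPost($pdo, $title, $content);
$row = fetchPost($pdo, $id);

// Both strings come back exactly as submitted, and the table still exists
// with exactly one row: the content was data, not SQL.
assert($row !== null && $row['Title'] === $title && $row['Content'] === $content);
assert(countPosts($pdo) === 1);
echo "stored post #$id: {$row['Title']}\n";
```

The mysql_* functions used in the thread were deprecated in PHP 5.5 and removed in PHP 7.0, so PDO (or mysqli) with prepared statements is the form this code takes on any current PHP; the one-time cost is quoting identifiers correctly and deciding which column names are fixed in the code, since parameters can only stand in for values, never for table or column names.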

Archived

This topic is now archived and is closed to further replies.
