ianhaney Posted October 30, 2012 Share Posted October 30, 2012 Hello I have got a feedback form on my website that when a customer writes a testimonial it gets automatically added to my testimonials.php page but have noticed that if a customers writes the word can't for example, the testimonial is not displayed on the website and is not being added to the database table either due to the character ' in the word betwen the n and t and have found out it is to do with the following line I think $query = "insert into testimonials(name,testimonial)values('$name','$testimonial')"; How would I change that line or insert a bit of coding so that characters like ' and others are displayed when words that have them characters in are added to the database table Kind regards Ian Quote Link to comment Share on other sites More sharing options...
Christian F. Posted October 30, 2012 Share Posted October 30, 2012 Read up on mysql_real_escape_string () (or Prepared Statements with MySQLI), you can find it in the PHP manual. Your scripts are currently wide open to SQL injection attacks, and you need to read up on form submissions security. More specifically output escaping and input validation. Sverre H. Huseby's "Innocent Code" is a very good book on this subject. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.