wright67uk Posted January 5, 2013

In the basic form below, how can I prevent an SQL error if a user decides to use ' or "? Is this where I should be using addslashes? I still would like words such as (I'm) to appear in the PHP echo below.

    <form method="get" action="editabout.php" style="border:0px"><br />
    <input name="title" class="title" readonly="readonly" value="about:" /><br />
    <textarea name="about" class="aboutme"><?php echo $about; ?></textarea><br />
    <input type="submit" name="submit" value="Save Change"/>
    </form>

editabout.php

    <?php
    session_start();
    include 'connectionhere.php';
    $user_id = $_SESSION['user_id'];
    $about = $_GET['about'];
    $sql = "UPDATE registration SET about='$about' WHERE user_id='$user_id'";
    mysql_query($sql) or die (mysql_error());
    header ("Location: profile.php");
    ?>
bashy Posted January 5, 2013 (edited)

You're $_GET'ing the "about" text? You want $_POST['about']; not sure why you'd want to send that data via the URL. For the SQL injection nightmare with that code, secure it with the below suggestion. You should be looking at using different SQL functions; the mysql_* PHP functions have been deprecated: https://wiki.php.net...sql_deprecation

Use prepared statements, explained in this thread: http://forums.phpfre...ion-protection/

Edited January 5, 2013 by bashy
50r Posted January 5, 2013

I don't understand the question. Are you asking why the " still shows up in the echoed string from the database even though it was escaped on insert? If that's the question, then the answer is that escaped values are handled differently depending on the DBMS you are using. But if you escape a string, you are telling the database not to use the " for SQL execution, rather to ignore them and save the string as a normal string. That's why when you sometimes echo an escaped string from a database, it will display with the " on. The escape function doesn't strip the ", but does inform the database as I have explained above. Thanks.
scootstah Posted January 5, 2013

"Is this where I should be using addslashes?"

You shouldn't be using addslashes for escaping database queries. Use mysql_real_escape_string instead. Actually, you should be using the mysqli_* or PDO libraries. mysql_* is deprecated and oldschool.
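The prepared-statement approach bashy and scootstah point to, written out for this thread's editabout.php as an added example (not code from the original posts). It assumes connectionhere.php creates a PDO object named $pdo; DBNAME, DBUSER and DBPASS are placeholders, while the table and column names come from the first post.

```php
<?php
// Added example, not the OP's code: the two halves of the question (saving
// text that contains ' or ", then echoing it back unchanged) with PDO
// prepared statements instead of addslashes / mysql_*.
// Assumed: connectionhere.php defines $pdo, for example
//   $pdo = new PDO('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4',
//                  'DBUSER', 'DBPASS',
//                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// DBNAME / DBUSER / DBPASS are placeholders.

// Save: the value is bound as a parameter and sent separately from the SQL
// text, so a ' or " in the input (I'm, 6" tall) is stored verbatim and
// cannot change the query. Nothing is added to or stripped from the string.
function saveAbout(PDO $pdo, $userId, $about)
{
    $stmt = $pdo->prepare('UPDATE registration SET about = ? WHERE user_id = ?');
    $stmt->execute([$about, $userId]);
    return $stmt->rowCount();
}

// Load: because no slashes were added on the way in, none need removing here.
function loadAbout(PDO $pdo, $userId)
{
    $stmt = $pdo->prepare('SELECT about FROM registration WHERE user_id = ?');
    $stmt->execute([$userId]);
    $value = $stmt->fetchColumn();
    return $value === false ? '' : $value;
}

// Display: escaping for HTML is a separate job from escaping for SQL.
// htmlspecialchars turns ' into &#039; and " into &quot;; the browser renders
// those as the original characters, so "I'm" appears exactly as typed and the
// value cannot break out of the textarea into markup or script.
function aboutTextarea($about)
{
    return '<textarea name="about" class="aboutme">'
         . htmlspecialchars($about, ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}

// editabout.php flow: the form should use method="post"; the text never
// needs to travel in the URL.
session_start();
include 'connectionhere.php';
if (isset($_SESSION['user_id'], $_POST['about'])) {
    saveAbout($pdo, $_SESSION['user_id'], $_POST['about']);
    header('Location: profile.php');
    exit;
}
// profile.php would then render: echo aboutTextarea(loadAbout($pdo, $_SESSION['user_id']));
```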