tsuby (Posted June 30, 2013)

Ok, so I'm trying to add an article (title, content, tags) to my database. Each of those fields is stored in POST. When I use a ' character in any of those fields, the query fails. (I previously used mysqli_real_escape_string on them.) How should I filter the input in order for everything to be safe and for me to be able to use ' in those fields?

ginerjm (Posted June 30, 2013)

Can we see the query statement?

tsuby (Posted June 30, 2013, edited June 30, 2013 by tsuby)

Yes. The query for the tags is another one, but I don't have any problems with that as I don't need nonalphanumeric characters in the tags.

$ok1 = mysqli_query($connection, "INSERT INTO blog_posts(title, text, date_posted) VALUES('$title', '$text', '$datestamp')");

ginerjm (Posted July 1, 2013)

assign the query string to a variable and then echo that var for us

mac_gyver (Posted July 1, 2013)

this isn't a problem with filtering. string data being put into a query must either be escaped using your database driver's escape function or you need to use prepared queries.
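
The prepared-query route from the last reply, applied to the INSERT posted earlier in the thread; this is an added example, not code from any of the posters. The table and column names are taken from that query, while the environment variable names, the sample strings, the DATETIME column type and the helper names insert_post and find_text are assumptions.

```php
<?php
// Added example, not code from the thread. The table and column names come
// from the query posted above; everything else is an assumption.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Insert one article. The SQL text is fixed; the values travel separately as
// bound parameters, so a ' in them can never end the string literal.
function insert_post(mysqli $connection, string $title, string $text, string $datestamp): int
{
    $stmt = mysqli_prepare(
        $connection,
        'INSERT INTO blog_posts (title, text, date_posted) VALUES (?, ?, ?)'
    );
    mysqli_stmt_bind_param($stmt, 'sss', $title, $text, $datestamp);
    mysqli_stmt_execute($stmt);
    $rows = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $rows; // number of rows inserted
}

// Read the text back by title, again with a bound parameter.
function find_text(mysqli $connection, string $title): ?string
{
    $stmt = mysqli_prepare($connection, 'SELECT text FROM blog_posts WHERE title = ? LIMIT 1');
    mysqli_stmt_bind_param($stmt, 's', $title);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $text);
    $found = mysqli_stmt_fetch($stmt); // true, or null when no row matched
    mysqli_stmt_close($stmt);
    return $found ? $text : null;
}

// Assumption: connection settings live in environment variables with these names.
$connection = mysqli_connect(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
mysqli_set_charset($connection, 'utf8mb4');

// Constructed sample input standing in for the POST fields.
$title = "It's a title with 'quotes'";
$text  = "The article body isn't escaped by hand; it's bound as-is.";
$datestamp = date('Y-m-d H:i:s'); // assumption: date_posted is a DATETIME column

insert_post($connection, $title, $text, $datestamp);
var_dump(find_text($connection, $title) === $text); // compare stored text with the input
```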