tsuby Posted June 30, 2013 Share Posted June 30, 2013 Ok, so I'm trying to add an article(title, content, tags) to my database. Each of those field is stored in POST. When i use a ' character in any of those fields, the query fails. (I previously used mysqli_real_escape_string on them) How should I filter the input in order for everything to be safe and for me to be able to use ' in those fields? Link to comment https://forums.phpfreaks.com/topic/279733-post-filtering-wo-__escape_string/ Share on other sites More sharing options...
ginerjm Posted June 30, 2013 Share Posted June 30, 2013 Can we see the query statement? Link to comment https://forums.phpfreaks.com/topic/279733-post-filtering-wo-__escape_string/#findComment-1438711 Share on other sites More sharing options...
tsuby Posted June 30, 2013 Author Share Posted June 30, 2013 Yes. The query for the tags is another one, but I don't have any problems with that as I don't need nonalphanumeric characters in the tags. $ok1 = mysqli_query($connection, "INSERT INTO blog_posts(title, text, date_posted) VALUES('$title', '$text', '$datestamp')"); Link to comment https://forums.phpfreaks.com/topic/279733-post-filtering-wo-__escape_string/#findComment-1438712 Share on other sites More sharing options...
ginerjm Posted July 1, 2013 Share Posted July 1, 2013 assign the query string to a variable and then echo that var for us Link to comment https://forums.phpfreaks.com/topic/279733-post-filtering-wo-__escape_string/#findComment-1438781 Share on other sites More sharing options...
mac_gyver Posted July 1, 2013 Share Posted July 1, 2013 this isn't a problem with filtering. string data being put into a query must either be escaped using your database driver's escape function or you need to use prepared queries. Link to comment https://forums.phpfreaks.com/topic/279733-post-filtering-wo-__escape_string/#findComment-1438834 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.