
I created a form where someone can add their name and a comment and then submit it to my database.
Here's the code of the form:
 

PHP
<form method="post" action="addcomments_per_student_action.php" enctype="multipart/form-data" style="width: 700px; height: 400px;">

<?php
// $log is the database/login helper object (logmein.php), included before this form.
// The student id comes straight from the query string and is concatenated into the SQL.
$x=$_GET['st'];
$result = $log->qry("Select * from students where id=".$x);

$row=mysql_fetch_assoc($result);

echo $row['name'].' - '.$row['surname'];


?>

    <input type="hidden" name="st" value="<?php echo $row['id']; ?>">
    <br><br>

    <label>name</label>
    <input type="text" name="comm" required><br>

    <label>comment</label>
<textarea name="comments" style="width: 600px; height: 350px;"></textarea>
    <br>

    <input name="submit" id="submit" value="submit" type="submit" style="width: 150px;"><br>

</form>

And here's the code of the form's action:
 

PHP
<?php
require ('logmein.php');
$log = new logmein();

if($log->logincheck($_SESSION['loggedin'],"logon","password","username") == false)    {
        // Check that the user's session with the system is valid. If not, return to the index with details of the error.
        
    $log->redirect($log->getHost());
    
}

// Only userlevel 0 may add comments.
if($_SESSION['userlevel']!=0)    {

    $log->redirect($log->getHost()."?result=3");

}

// Form fields taken from the POST body without any escaping.
$student=$_POST['st'];
$comm=$_POST['comm'];
$comments=$_POST['comments'];


// The values are concatenated directly into the INSERT statement, so a single quote in
// $comm or $comments ends the string literal early and breaks the query.
$log->qry("Insert into comments (student,comm,comment) values (".$student.",'".$comm."','".$comments."')");

$log->redirect("http://spoudastirio.com.gr/grades/comments.php");
?>

 


THE PROBLEM: When someone submits plain text, it works fine, but when they write the ' symbol the file gets an error.

THE ERROR: When I type "here's the game" in the textarea I get this error.



You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best game.')' at line 1

My database table is utf8-general ci // text format.

How can I solve it, so there won't be this kind of problem?

That will teach you not to inject unsanitized values from the user directly into your query. Obviously the inclusion of that quote messes with the overall quoting of the query string and hence your error.

 

Switch to using prepared queries so that your values can be handled properly
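As an added example (not the poster's code or the answer's), here are the two queries from the post rewritten with PDO prepared statements. The DSN, credentials and the findStudent/addComment function names are assumptions; the table and column names (students: id, name, surname; comments: student, comm, comment) are the ones used in the post. The login and userlevel checks from logmein.php would stay in front of the action part exactly as before.

```php
<?php
// Added example, not the poster's code: the same SELECT and INSERT done with
// PDO prepared statements. DSN, user and password below are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // placeholder DSN
    'db_user',                                                 // placeholder
    'db_password',                                             // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Look up one student for the form page. The id is validated as an integer and
// bound as a parameter; it is never concatenated into the SQL string.
function findStudent(PDO $pdo, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name, surname FROM students WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Store a comment. Quotes, backslashes and anything else in $comm or $comments
// travel as data, so "here's the game" no longer breaks the statement.
function addComment(PDO $pdo, $rawStudent, string $comm, string $comments): bool
{
    $student = filter_var($rawStudent, FILTER_VALIDATE_INT);
    if ($student === false) {
        return false;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO comments (student, comm, comment) VALUES (:student, :comm, :comment)'
    );
    return $stmt->execute([
        ':student' => $student,
        ':comm'    => $comm,
        ':comment' => $comments,
    ]);
}

// Form page usage: htmlspecialchars() keeps stored text from being interpreted
// as HTML when it is echoed back (the output side of the same problem).
$row = findStudent($pdo, $_GET['st'] ?? '');
if ($row !== null) {
    echo htmlspecialchars($row['name'] . ' - ' . $row['surname'], ENT_QUOTES, 'UTF-8');
}

// Action script usage, after the login/userlevel checks from the original.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    addComment($pdo, $_POST['st'] ?? '', $_POST['comm'] ?? '', $_POST['comments'] ?? '');
}
```

With emulated prepares switched off, the SQL text and the parameter values are sent to MariaDB separately, so the server never has to guess where a quoted literal ends. Turning on PDO::ERRMODE_EXCEPTION means a failed statement surfaces as an exception instead of silently returning false.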
