tupakgolqm
Posted April 29, 2007

Hello,

I'm trying to make a simple message system for me and my buddies. We'll be posting mostly PHP code and I am having trouble with escaping / inserting in MySQL / and showing back the posts.

Here are my main functions:

```php
function insert_post($login, $post)
{
    $connection = connect_to_db();

    // Undo magic_quotes_gpc so the text is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $insert_post = stripslashes($post);
    } else {
        $insert_post = $post;
    }

    // Escape every value placed into the query, not only the post body.
    $insert_query = 'INSERT into forum(login, date, post) VALUES("'
        . mysql_real_escape_string($login, $connection) . '", NOW(), "'
        . mysql_real_escape_string($insert_post, $connection) . '")';
    $res = mysql_query($insert_query, $connection);

    close_connexion($connection);
    return $res;
}
```

and

```php
function show_forum_posts()
{
    $connection = connect_to_db();
    $query = 'SELECT * FROM forum';
    $result = mysql_query($query, $connection);

    $result_table = '<table border=0 width=100% cellspacing=10 cellpadding=5 align=center>
        <tr>
            <td><b>login</b></td><td><b>date</b></td><td><b>post</b></td>
        </tr>';

    // Each stored row is written into the table as-is.
    while ( $tab1 = mysql_fetch_assoc($result) ) {
        $result_table .= '<tr>
            <td><i>'.$tab1['login'].'</i></td>
            <td><i>'.$tab1['date'].'</i></td>
            <td bgcolor=E5E5E5>'.$tab1['post'].'</td>
        </tr>';
    }
    $result_table .= '</table>';

    close_connexion($connection);
    return $result_table;
}
```

It works fine when the posts don't have any special characters. I really wasn't able to find any good docs on the subject, please help.

Thanks

p.s. I can't use the filter() functions, because they are not supported by my provider.

Link to comment: https://forums.phpfreaks.com/topic/49190-solved-escaping-user-inputphp-code-help/

trq
Posted April 29, 2007

I'd use mysql_real_escape_string (http://php.net/mysql_real_escape_string) to do the inserting. Then maybe htmlentities before you display your data. You might also put your data within <pre></pre> tags to help keep them nice and neat.

tupakgolqm (Author)
Posted April 29, 2007

I was already using mysql_real_escape_string. When I added htmlentities, it worked. The only missing thing is the newline characters.

Modified:

```php
function show_forum_posts()
{
    $connection = connect_to_db();
    $query = 'SELECT * FROM forum';
    $result = mysql_query($query, $connection);

    $result_table = '<table border=0 width=100% cellspacing=10 cellpadding=5 align=center>
        <tr>
            <td><b>login</b></td><td><b>date</b></td><td><b>post</b></td>
        </tr>';

    // Encode stored text before it goes into the page so it displays as text.
    // The login is encoded as well as the post body.
    while ( $tab1 = mysql_fetch_assoc($result) ) {
        $result_table .= '<tr>
            <td><i>'.htmlentities($tab1['login']).'</i></td>
            <td><i>'.$tab1['date'].'</i></td>
            <td bgcolor=E5E5E5>'.htmlentities($tab1['post']).'</td>
        </tr>';
    }
    $result_table .= '</table>';

    close_connexion($connection);
    return $result_table;
}
```

Thanks man!
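
The approach the thread settles on (store the raw text, encode only when displaying) together with the still-open newline question, as an added example that is not part of the original posts. It replaces the thread's `mysql_*` calls with PDO bound parameters on an in-memory SQLite database so it runs offline; that swap, the helper name `h()` and the sample posts are assumptions made for the example.

```php
<?php
// Added example: bind values on insert, encode on output, keep newlines.
// Table and column names follow the thread; SQLite in memory is an assumption.

function insert_post(PDO $db, string $login, string $post): bool
{
    // Bound parameters keep quotes, backslashes and "<" out of the SQL text,
    // so the post is stored byte-for-byte as it was typed.
    $stmt = $db->prepare(
        "INSERT INTO forum (login, date, post) VALUES (:login, datetime('now'), :post)"
    );
    return $stmt->execute([':login' => $login, ':post' => $post]);
}

function h(string $s): string
{
    // Hypothetical helper: encode &, <, >, " and ' for an HTML text context.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function show_forum_posts(PDO $db): string
{
    $html = "<table>\n<tr><th>login</th><th>date</th><th>post</th></tr>\n";
    foreach ($db->query('SELECT login, date, post FROM forum ORDER BY rowid') as $row) {
        // Every column is encoded, not only the post body.
        // <pre> keeps the newlines and indentation of pasted code.
        $html .= '<tr><td>' . h($row['login']) . '</td><td>' . h($row['date'])
               . '</td><td><pre>' . h($row['post']) . "</pre></td></tr>\n";
    }
    return $html . "</table>\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forum (login TEXT, date TEXT, post TEXT)');

// Constructed sample posts: PHP source with both quote styles and newlines,
// and a login and post that contain markup.
insert_post($db, 'alice', "<?php\n\$q = \"it's quoted\";\necho \$q;");
insert_post($db, '<b>bob</b>', "<i>markup</i> & ampersand\nsecond line");

// Both posts come back as inert text; the line breaks survive inside <pre>.
echo show_forum_posts($db);
```

Where `<pre>` is not wanted, `nl2br(h($row['post']))` keeps the line breaks instead; the encoding has to run before `nl2br` so the inserted `<br />` tags are not themselves encoded.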
Archived
This topic is now archived and is closed to further replies.