wrathican Posted June 15, 2007

Hi, I want my users to be able to insert HTML into my MySQL database. Is this possible? And how would I go about doing it, or could you point me in a direction that would tell me? Thanks

per1os Posted June 15, 2007

Just like any normal insert statement, just make sure the column type is big enough to house it like TEXT or LONGTEXT etc.

    INSERT INTO my_table (`id`, `html`) VALUES (1, '<html><head></head><body><p>test<br />another test<script>alert(\'a third test\');</script><br />and a final <a href="http://www.phpfreaks.com">PHPFreakS</a><br /></body></html>');

No problem with that at all.

wrathican Posted June 15, 2007

What about punctuation, such as ?!"'@% and such things that are used in PHP? Will they render correctly? So if my user wants something like "That's my boy! Or is it?" the punctuation would not affect the MySQL query or PHP code?

per1os Posted June 15, 2007

It will affect the MySQL query, as MySQL uses the single quotes to separate out literal data. But luckily for you there is www.php.net/mysql_real_escape_string to correct for that issue, but be aware of www.php.net/get_magic_quotes_gpc

You could always use this function (as long as it is MySQL and the connection is already started for MySQL) to "sanitize" the data for entry into MySQL:

    <?php
    /* usage: $data = real_escape($_POST['data']); */
    function real_escape($string) {
        // With magic quotes on, PHP has already added slashes to the input;
        // strip them first so the value is not escaped twice.
        return get_magic_quotes_gpc()
            ? mysql_real_escape_string(stripslashes($string))
            : mysql_real_escape_string($string);
    }
    ?>

Which will basically sanitize the data correctly for entry into a database. And do not worry about the @ % < ? etc, as PHP sees that as literal when pulled from a database; it will not automatically parse it.

wrathican Posted June 21, 2007

Right, so say I have the values I want to insert into the database from a form. There are three values, one that the user does touch as it is hidden and is used for identifying which table row to edit. The other two have been turned into variables $title and $description. I want to escape the data so it is made safe to insert into a DB. How would I do it?

wrathican Posted June 21, 2007

Any help with this? I do believe it is only escaping that needs to be done, but I'm a bit confused on how to do it.
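
Added example, not part of the thread and not any poster's code: the update asked about in the last two posts, done with PDO prepared statements instead of the escaping helper above (the mysql_* extension was removed in PHP 7.0 and get_magic_quotes_gpc() in PHP 8.0). The table `items`, its columns, the function name `update_item` and the in-memory SQLite DSN are assumptions made so the example runs offline.

```php
<?php
// Assumed schema and names (not from the thread): table `items`, columns id/title/description.
// SQLite in memory keeps this runnable offline; for MySQL only the DSN changes, e.g.
// new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass)  (placeholder values).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, description TEXT)');
$pdo->exec("INSERT INTO items (id, title, description) VALUES (1, 'old', 'old')");

function update_item(PDO $pdo, array $post): int
{
    // A hidden form field is still sent by the client, so validate it as a positive integer.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('invalid id');
    }
    // Placeholders keep the data out of the SQL text, so quotes and HTML need no escaping.
    $stmt = $pdo->prepare('UPDATE items SET title = :title, description = :description WHERE id = :id');
    $stmt->execute([
        ':title'       => (string) ($post['title'] ?? ''),
        ':description' => (string) ($post['description'] ?? ''),
        ':id'          => $id,
    ]);
    return $stmt->rowCount();
}

// Constructed sample input standing in for $_POST from the edit form.
$post = [
    'id'          => '1',
    'title'       => "That's my boy! Or is it?",
    'description' => '<p>test<br /><script>alert(\'a third test\');</script></p>',
];
echo update_item($pdo, $post), " row(s) updated\n";

$row = $pdo->query('SELECT title, description FROM items WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
var_dump($row['title'] === $post['title'], $row['description'] === $post['description']);

// Safe storage does not make the HTML safe to display: encode on output, or run
// the description through an allow-list HTML sanitizer if it must render as markup.
echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
echo htmlspecialchars($row['description'], ENT_QUOTES, 'UTF-8'), "\n";

// A tampered hidden field is rejected before any query is built.
try {
    update_item($pdo, ['id' => '1 OR 1=1', 'title' => 'x', 'description' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```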