Issue adding data from a form

[stuart.cole]

I know this will be simple for many of you - but I have a challenge! Something to do with rushing things probably ...

 

But ...

 

I have written a CMS system to use on my own websites which inputs news from an online form, adds to DB etc ... but adding the news automatically is causing me a challenge at times.

 

My text input fields, where the text is taken from press releases etc quite often have apostrope's (') in the text - but these seem to be causing a problem when it tries to add the info to the DB... the apostrophe's are taken as part of the input coding, rather than just part of the text.

 

I've found a work around where I can change the ' to ` in word and re-paste and that works, but isn't the right way of doing it.

 

So, is there a way to force it to read an apostrophe as text, rather than code?

 

Code used below ...

 

^{<table width="400"><H1> INSERT NEWS HERE:</H1><br /><br />}

^{<form action="insert3.php" method="post">}

^{<tr><td>Heading: </td><td><textarea name="heading" cols="40" rows="2"></textarea></td></tr>}

^{<tr><td>Subhead: </td><td><textarea name="subhead" cols="40" rows="2"></textarea></td></tr>}

^{<tr><td>Main: </td><td><textarea name="main" cols="40" rows="20"></textarea></td></tr>}

^{<tr><td>Weblink: </td><td><input size="30" maxlength="250" type="text" name="weblink" value="http://"></td></tr>}

^{<tr><td>Date: </td><td><input size="30" maxlength="250" type="text" name="date" value="2007-"></td></tr>}

^{<tr><td>Added by: </td><td><select name="added" size="3">}

^{<OPTION VALUE="Laura Cleaver">Laura</OPTION>}

^{<OPTION VALUE="Stuart Cole">Stuart</OPTION>}

^{<OPTION VALUE="Louise Allatt">Louise</OPTION></select></td></tr>}

^{<tr><td>Approved to go live? </td><td><select name="approved" size="2">}

^{<OPTION VALUE="Y">Yes</OPTION>}

^{<OPTION VALUE="N">No</OPTION></select></td></tr>}

^{<tr><td><input type="submit" name="submit" value="Add News"></td></tr>}

^{</form></table>}

 

Insert 3 is here...

 

^<?php

^{$con = mysql_connect("localhost","USERNAME","PASSWORD");}

^{if (!$con)}

 ^{

 ^{die('Could not connect: ' . mysql_error());}

 ^{}mysql_select_db("secureitonline_db1", $con);}

 ^{$sql="INSERT INTO News (Heading, Subhead, Main, Weblink, Date, Added, approved)}

^VALUES

^{('$_POST[heading]','$_POST[subhead]','$_POST[main]','$_POST[weblink]','$_POST[date]','$_POST[added]','$_POST[approved]')";if (!mysql_query($sql,$con))}

 ^{

 ^{die('Error: ' . mysql_error());}

 ^}

^{echo "News Story Added!";}

^{mysql_close($con)}

^?>

[shocker-z]

change your code too

 

<?php
$con = mysql_connect("localhost","USERNAME","PASSWORD");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }mysql_select_db("secureitonline_db1", $con);
  $sql="INSERT INTO News (Heading, Subhead, Main, Weblink, Date, Added, approved)
VALUES
('".$_POST[heading]."','".$_POST[subhead]."','".$_POST['main']."','".$_POST['weblink']."','".$_POST['date']."','".$_POST['added']."','".$_POST['approved']."')";
if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "News Story Added!";
mysql_close($con)
?>

 

 

you could do with securing your code a bit more also using mysql_real_escape_string() on all $_POST variables which will escape anything like this which can be a security risk.

 

Regards

Liam