stuart.cole Posted October 3, 2007

I know this will be simple for many of you - but I have a challenge! Something to do with rushing things probably ...

But ... I have written a CMS system to use on my own websites which inputs news from an online form, adds to DB etc ... but adding the news automatically is causing me a challenge at times.

My text input fields, where the text is taken from press releases etc, quite often have apostrophes (') in the text - but these seem to be causing a problem when it tries to add the info to the DB... the apostrophes are taken as part of the input coding, rather than just part of the text.

I've found a workaround where I can change the ' to ` in Word and re-paste and that works, but isn't the right way of doing it.

So, is there a way to force it to read an apostrophe as text, rather than code?

Code used below ...

```html
<table width="400"><H1> INSERT NEWS HERE:</H1><br /><br />
<form action="insert3.php" method="post">
<tr><td>Heading: </td><td><textarea name="heading" cols="40" rows="2"></textarea></td></tr>
<tr><td>Subhead: </td><td><textarea name="subhead" cols="40" rows="2"></textarea></td></tr>
<tr><td>Main: </td><td><textarea name="main" cols="40" rows="20"></textarea></td></tr>
<tr><td>Weblink: </td><td><input size="30" maxlength="250" type="text" name="weblink" value="http://"></td></tr>
<tr><td>Date: </td><td><input size="30" maxlength="250" type="text" name="date" value="2007-"></td></tr>
<tr><td>Added by: </td><td><select name="added" size="3">
  <OPTION VALUE="Laura Cleaver">Laura</OPTION>
  <OPTION VALUE="Stuart Cole">Stuart</OPTION>
  <OPTION VALUE="Louise Allatt">Louise</OPTION></select></td></tr>
<tr><td>Approved to go live? </td><td><select name="approved" size="2">
  <OPTION VALUE="Y">Yes</OPTION>
  <OPTION VALUE="N">No</OPTION></select></td></tr>
<tr><td><input type="submit" name="submit" value="Add News"></td></tr>
</form></table>
```

Insert 3 is here...

```php
<?php
$con = mysql_connect("localhost","USERNAME","PASSWORD");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("secureitonline_db1", $con);

// Form values are interpolated straight into the SQL string
$sql="INSERT INTO News (Heading, Subhead, Main, Weblink, Date, Added, approved)
VALUES
('$_POST[heading]','$_POST[subhead]','$_POST[main]','$_POST[weblink]','$_POST[date]','$_POST[added]','$_POST[approved]')";

if (!mysql_query($sql,$con))
{
    die('Error: ' . mysql_error());
}
echo "News Story Added!";
mysql_close($con)
?>
```
shocker-z Posted October 3, 2007

Change your code to:

```php
<?php
$con = mysql_connect("localhost","USERNAME","PASSWORD");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("secureitonline_db1", $con);

// Array keys are quoted so PHP does not treat them as undefined constants
$sql="INSERT INTO News (Heading, Subhead, Main, Weblink, Date, Added, approved)
VALUES
('".$_POST['heading']."','".$_POST['subhead']."','".$_POST['main']."','".$_POST['weblink']."','".$_POST['date']."','".$_POST['added']."','".$_POST['approved']."')";

if (!mysql_query($sql,$con))
{
    die('Error: ' . mysql_error());
}
echo "News Story Added!";
mysql_close($con);
?>
```

You could do with securing your code a bit more also, using mysql_real_escape_string() on all $_POST variables, which will escape anything like this, which can be a security risk.

Regards
Liam
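
An added example, not code from either poster: the same insert written with a PDO prepared statement, a different technique from the mysql_real_escape_string() call suggested in the reply, so that apostrophes in the form text are stored as data. The in-memory SQLite database, the `insertNews` helper and the sample values are assumptions made so the script runs offline.

```php
<?php
// Added example. SQLite in-memory stands in for the thread's MySQL database
// so the script runs offline; for MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE News (Heading TEXT, Subhead TEXT, Main TEXT,
    Weblink TEXT, Date TEXT, Added TEXT, approved TEXT)');

// Hypothetical helper: inserts one story from the submitted form fields.
function insertNews(PDO $pdo, array $post): int
{
    // The two <select> fields only have a few legal values; reject others.
    $authors = ['Laura Cleaver', 'Stuart Cole', 'Louise Allatt'];
    if (!in_array($post['added'], $authors, true)
        || !in_array($post['approved'], ['Y', 'N'], true)) {
        throw new InvalidArgumentException('Unexpected select value');
    }
    // The SQL text is fixed; values travel separately as bound parameters,
    // so an apostrophe in the data cannot end the string literal.
    $stmt = $pdo->prepare(
        'INSERT INTO News (Heading, Subhead, Main, Weblink, Date, Added, approved)
         VALUES (:heading, :subhead, :main, :weblink, :date, :added, :approved)'
    );
    $stmt->execute([
        ':heading'  => $post['heading'],
        ':subhead'  => $post['subhead'],
        ':main'     => $post['main'],
        ':weblink'  => $post['weblink'],
        ':date'     => $post['date'],
        ':added'    => $post['added'],
        ':approved' => $post['approved'],
    ]);
    return $stmt->rowCount();
}

// Constructed sample input standing in for $_POST, apostrophes included.
$post = [
    'heading'  => "Vendor's new product",
    'subhead'  => "It's here",
    'main'     => "The firm said: 'we're pleased with the launch'.",
    'weblink'  => 'http://example.com/',
    'date'     => '2007-10-03',
    'added'    => 'Stuart Cole',
    'approved' => 'Y',
];
insertNews($pdo, $post);
// Read the row back: the apostrophes come out exactly as typed.
$row = $pdo->query('SELECT Heading, Main FROM News')->fetch(PDO::FETCH_ASSOC);
echo $row['Heading'], "\n", $row['Main'], "\n";
```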