Mutley Posted March 22, 2008

Just a small issue, my form isn't working because there are some bad characters in the content being submitted. I've tried htmlentities() and stripslashes() but it still comes up with errors when I test the echoed SQL. Is there a way to clean it? I will be using HTML in the content boxes so this still needs to work once displayed on the site from the database.

```php
<?php
$cat_id  = $_POST['cat_id'];
$title   = $_POST['title'];
$content = $_POST['content'];
// The submitted values go into the SQL string as-is, so any quote in the
// input breaks the statement and lets the input change what the query does.
$sql = "INSERT INTO blog (cat_id, date, title, content) VALUES ('$cat_id', '', '$title', '$content')";
mysql_query($sql);
?>
```

Thanks in advance.

https://forums.phpfreaks.com/topic/97373-cleaning-form-text-for-database-insertion/
BlueSkyIS Posted March 22, 2008

```php
$sql = "INSERT INTO blog (cat_id, date, title, content) VALUES ('".mysql_real_escape_string($cat_id)."', '', '".mysql_real_escape_string($title)."', '".mysql_real_escape_string($content)."')";
```
Orio Posted March 22, 2008

Try this way:

```php
<?php
$cat_id  = cleanup($_POST['cat_id']);
$title   = cleanup($_POST['title']);
$content = cleanup($_POST['content']);
$sql = "INSERT INTO blog (cat_id, date, title, content) VALUES ('$cat_id', '', '$title', '$content')";
mysql_query($sql) or die(mysql_error()."<br><br>".$sql);

function cleanup($value)
{
    // magic_quotes_gpc may already have added backslashes; remove them first
    // so they are not escaped a second time below
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // SQL-escape, then HTML-encode: tags are stored as entities (&lt;p&gt;), so
    // they come back out as visible text rather than markup
    $value = htmlentities(mysql_real_escape_string($value));
    return $value;
}
?>
```

If it doesn't work, what error are you getting?

Orio.
Mutley Posted March 22, 2008 (Author)

Thanks Orio, that works but... it displays all the HTML tags when I display it on the website?
Mutley Posted March 22, 2008 (Author)

```php
$sql = "INSERT INTO blog (cat_id, date, title, content) VALUES ('".mysql_real_escape_string($cat_id)."', '', '".mysql_real_escape_string($title)."', '".mysql_real_escape_string($content)."')";
```

Tried this way, which works, thanks a lot guys!
Orio Posted March 22, 2008

> Thanks Orio, that works but... it displays all the HTML tags when I display it on the website?

I thought that if you're inserting something into a blog, it should go through htmlentities(). Anyway, the solution you are now using may escape twice, so do something like this (much cleaner):

```php
<?php
$cat_id  = cleanup($_POST['cat_id']);
$title   = cleanup($_POST['title']);
$content = cleanup($_POST['content']);
$sql = "INSERT INTO blog (cat_id, date, title, content) VALUES ('$cat_id', '', '$title', '$content')";
mysql_query($sql) or die(mysql_error()."<br><br>".$sql);

function cleanup($value)
{
    // undo magic_quotes_gpc backslashes before escaping, otherwise the
    // value is escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // SQL-escape only; the HTML is stored untouched
    $value = mysql_real_escape_string($value);
    return $value;
}
?>
```

Orio.
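The same insert done with PDO prepared statements, as an added example that is not from the thread: placeholders make the mysql_real_escape_string / stripslashes / magic-quotes juggling unnecessary, and HTML encoding moves to the point where the text is displayed, which is the context Orio's first cleanup() mixed into the database write. It assumes PHP with the PDO SQLite driver so it runs stand-alone (an in-memory database stands in for the MySQL table).

```php
<?php
// Added example, not the thread's code. In-memory SQLite stands in for the
// blog table; for MySQL use a 'mysql:host=...;dbname=...' DSN instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY, cat_id INTEGER, date TEXT, title TEXT, content TEXT)');

function insertPost(PDO $db, int $catId, string $title, string $content): int
{
    // Bound parameters never become part of the SQL text, so quotes and
    // backslashes in the input cannot break or alter the statement. The raw
    // text (HTML included) is stored as submitted.
    $stmt = $db->prepare(
        'INSERT INTO blog (cat_id, date, title, content) VALUES (:cat, :date, :title, :content)'
    );
    $stmt->execute([
        ':cat'     => $catId,
        ':date'    => date('Y-m-d H:i:s'),
        ':title'   => $title,
        ':content' => $content,
    ]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT title, content FROM blog WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Encoding belongs to the output (HTML) context, not the database write.
// The title is plain text, so every special character is encoded.
function renderTitle(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// The body is allowed to carry a small set of tags; everything else is dropped.
// Caveat: strip_tags keeps attributes on the allowed tags, so for richer
// user-supplied HTML use a dedicated sanitizer rather than a tag allowlist.
function renderContent(string $html): string
{
    return strip_tags($html, '<p><b><i><br>');
}

// Constructed sample input: a quote that broke the string-built query, and a
// script tag that must not reach the page.
$id  = insertPost($db, 3, "O'Reilly's \"review\"", '<p>Hello <b>world</b></p><script>alert(1)</script>');
$row = loadPost($db, $id);
echo renderTitle($row['title']), "\n";
echo renderContent($row['content']), "\n";
```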