Bytes IT Community

mysql_real_escape_string/htmlentities issue

<?php
//MAKE IT SAFE
$chunk = $_POST['foo'];
$title = $_POST['foo1'];
$url = $_POST['foo2'];
$tags = $_POST['foo3'];
$user = $_POST['foo4'];

$safe_chunk = mysql_real_escape_string(htmlentities($chunk));
$safe_title = mysql_real_escape_string(htmlentities($title));
$safe_url = mysql_real_escape_string(htmlentities($url));
$safe_tags = mysql_real_escape_string(htmlentities($tags));
$safe_user = mysql_real_escape_string(htmlentities($user));

mysql_query("INSERT INTO chunks VALUES ('$safe_chunk', '$safe_title',
'$safe_url', '$safe_tags', '$safe_user', CURDATE(), '')");

Feb 18 '07 #1


I guess an explanation is in order! The problem is that the values
aren't put in the database. I just get blank fields instead.

Feb 18 '07 #2

ma*****@gmail.com wrote:
> <?php
> //MAKE IT SAFE
> $chunk = $_POST['foo'];
> $title = $_POST['foo1'];
> $url = $_POST['foo2'];
> $tags = $_POST['foo3'];
> $user = $_POST['foo4'];
>
> $safe_chunk = mysql_real_escape_string(htmlentities($chunk));
> $safe_title = mysql_real_escape_string(htmlentities($title));
> $safe_url = mysql_real_escape_string(htmlentities($url));
> $safe_tags = mysql_real_escape_string(htmlentities($tags));
> $safe_user = mysql_real_escape_string(htmlentities($user));
>
> mysql_query("INSERT INTO chunks VALUES ('$safe_chunk', '$safe_title',
> '$safe_url', '$safe_tags', '$safe_user', CURDATE(), '')");

First of all, you shouldn't use htmlentities here. That's for
displaying the data, not storing it in the database. Rather, use it
after retrieving the data but before displaying it.

Next question is - what's in the $_POST array? Try

echo "<pre>\n";
print_r($_POST);
echo "</pre>\n";

Finally, what's the result from mysql_query? ALWAYS check the result of
a mysql call (or any other external call, for that matter). If it is
false, display the error with mysql_error().
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Feb 18 '07 #3
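The pattern the reply recommends, written out as an added example (this is not the original poster's code and not Jerry Stuckle's): store the raw text with a prepared statement, let a failed database call fail loudly instead of returning a FALSE that gets ignored, and escape for HTML only at the moment the value is rendered. It uses an in-memory SQLite database through PDO so it runs offline without a MySQL server; the column names of `chunks` are assumed from the INSERT in the thread, and SQLite's CURRENT_DATE stands in for MySQL's CURDATE(). The `$post` array is constructed sample input in place of `$_POST`.

```php
<?php
// Added example, not code from the thread. Demonstrates: prepared statement
// for storage, exceptions on query failure, HTML escaping at output time.
// Assumptions: table `chunks` with the seven columns implied by the thread's
// INSERT; SQLite via PDO instead of MySQL; CURRENT_DATE instead of CURDATE().

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    // A failed query throws, instead of returning FALSE that is easy to miss.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE chunks (
        chunk TEXT, title TEXT, url TEXT, tags TEXT, user TEXT,
        created TEXT, extra TEXT)');
    return $db;
}

// Same INSERT as the thread, with placeholders instead of quoting values into
// the SQL string. No htmlentities() and no manual escaping: the driver keeps
// data and query text apart, so quotes in the input cannot alter the query.
function store_chunk(PDO $db, array $post): int
{
    $stmt = $db->prepare(
        'INSERT INTO chunks (chunk, title, url, tags, user, created, extra)
         VALUES (:chunk, :title, :url, :tags, :user, CURRENT_DATE, \'\')'
    );
    $stmt->execute([
        ':chunk' => $post['foo'],
        ':title' => $post['foo1'],
        ':url'   => $post['foo2'],
        ':tags'  => $post['foo3'],
        ':user'  => $post['foo4'],
    ]);
    return $stmt->rowCount(); // 1 when the row went in; an exception otherwise
}

// Escape once, at output time, for the HTML text context the value lands in.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_chunk(array $row): string
{
    return '<h2>' . h($row['title']) . "</h2>\n"
         . '<p>' . h($row['chunk']) . "</p>\n"
         . '<p>source: ' . h($row['url']) . "</p>\n"
         . '<p>by ' . h($row['user']) . "</p>\n";
}

// Constructed sample input standing in for $_POST: a quote, which would break
// string-built SQL, and a script tag, which must not reach the page unescaped.
$post = [
    'foo'  => "It's <script>alert(1)</script>",
    'foo1' => "O'Reilly-style title",
    'foo2' => 'http://example.com/?a=1&b=2',
    'foo3' => 'php, sql',
    'foo4' => 'alice',
];

$db = open_db();
if (store_chunk($db, $post) !== 1) {
    throw new RuntimeException('insert affected no rows');
}

$row = $db->query('SELECT * FROM chunks')->fetch(PDO::FETCH_ASSOC);
// The stored text is exactly what the user submitted, not an HTML-encoded copy.
if ($row['chunk'] !== $post['foo']) {
    throw new RuntimeException('stored text was altered');
}
echo render_chunk($row);
```

Two things worth checking against the original snippet while following the reply's advice to inspect mysql_error(): mysql_real_escape_string() needs an open MySQL connection and returns FALSE on error, and a FALSE interpolated into a double-quoted string becomes an empty string, which is one way to end up inserting blank fields without any visible SQL failure. Separately, htmlspecialchars() is the right call for HTML text and attribute values; htmlentities() converts every character that has a named entity, which is more than the HTML context requires and is why storing its output makes the data wrong for every other consumer (search, CSV export, an API). The mysql_* extension itself was removed in PHP 7, so new code should be on PDO or mysqli with prepared statements regardless.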
