Bytes IT Community

Inserting text with quotes into MySQL

P: 19
Hello all,

I have a problem with inserting text with quotes, or HTML code, into a MySQL database. I've been trying to create my own content management system, and unfortunately I've come across a problem: the script below works perfectly if I'm not inserting any quotes (" ") or HTML tags. I'm wondering if I'm doing something wrong here? The field type where all of the content will go was set up as a blob type.

I have the following PHP code:

```php
<?php
$conn = connect();   // poster's own helper; opens the mysql_* connection
$action = $_GET['a'];
$id = $_GET['id'];
switch($action) {
case 'delete':
    // $id is spliced into the query string unescaped
    $sql = "DELETE FROM article WHERE id='$id'";
    if(mysql_query($sql)) {
        // once output has started, header() can no longer send the redirect
        // unless output buffering is enabled
        echo "<script type='text/javascript'> alert('Article Deleted'); </script>";
        header("Location: article.php");
    }
break;

case 'add':
if(isset($_POST['submit'])) {
    $title = $_POST['title'];
    $text = $_POST['content'];
    // a quote inside $title or $text terminates the string literal early,
    // so the query fails (and the input can alter the SQL)
    $sql = "INSERT INTO article (articleTitle,articleContent) values ('$title','$text')";
    if(mysql_query($sql)) {
        echo "<script type='text/javascript'> alert('Article Added'); </script>";
        header("Location: article.php");
    }
}
break;

case 'edit':
if(isset($_POST['submit'])) {
    $title = $_POST['title'];
    $text = $_POST['content'];
    $sql = "UPDATE article SET articleTitle='$title',articleContent='$text' WHERE id='$id'";
    if(mysql_query($sql)) {
        echo "<script type='text/javascript'> alert('Article Updated'); </script>";
        header("Location: article.php");
    }
}
break;
}
?>
```
Thanks for any help!
Mar 26 '09 #1
5 Replies

Markus
Expert 5K+
P: 6,050
Have a look at SQL Injection and mysql_real_escape_string().
Mar 26 '09 #2

P: 19
Hello Markus... Thank you for a speedy reply. I'm a bit confused: where would I put the mysql_real_escape_string()?


```php
case 'add':
if(isset($_POST['submit'])) {
    $title = $_POST['title'];
    $text = $_POST['content'];
    $sql = "INSERT INTO article (articleTitle,articleContent) values ('$title','$text')";
    // called after $sql has already been built, with the wrong arguments
    // (the second parameter is a link identifier, not a string), and the
    // escaped return value is discarded, so $sql is unchanged
    mysql_real_escape_string($title, $text);
    if(mysql_query($sql)) {
        echo "<script type='text/javascript'> alert('Article Added'); </script>";
        header("Location: article.php");
    }
}
break;
```
Also, do I need to add the magic quotes attribute? If so, would you mind giving me an example of the code to add magic quotes? This is something I haven't been able to figure out.

Thanks!
Mar 26 '09 #3

Markus
Expert 5K+
P: 6,050
No, mysql_real_escape_string() will take care of it.

You need to use mysql_real_escape_string() on any data you are inserting into the database before it is inserted.

```php
// escape the value first, then build the query from the escaped copy
$example = mysql_real_escape_string( $_POST['example'] );

mysql_query( "INSERT INTO `tbl` VALUES( '{$example}' )" );
```
Mar 26 '09 #4
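The same add/edit/delete actions rewritten with PDO prepared statements, added here as an example rather than code from the thread: bound parameters carry the quotes and HTML as data, so nothing needs escaping into the SQL text, and they are the supported replacement for the mysql_* extension (removed in PHP 7). It keeps the thread's `article` table and column names; the DSN, `DB_NAME`, `DB_USER` and `DB_PASS` are placeholders, and casting `id` to an integer assumes it is an integer column.

```php
<?php
// Added example, not the thread's code: add/edit/delete via PDO prepared
// statements. User input travels as bound parameters, so quotes and HTML
// tags never touch the SQL text. DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

$action = $_GET['a'] ?? '';
$id     = (int)($_GET['id'] ?? 0);   // assumes id is an integer column

switch ($action) {
    case 'delete':
        $stmt = $pdo->prepare('DELETE FROM article WHERE id = :id');
        $stmt->execute([':id' => $id]);
        break;

    case 'add':
        if (isset($_POST['submit'])) {
            $stmt = $pdo->prepare(
                'INSERT INTO article (articleTitle, articleContent) VALUES (:title, :content)'
            );
            // A title such as  O'Reilly's "CMS" <b>tips</b>  is stored verbatim.
            $stmt->execute([
                ':title'   => $_POST['title'],
                ':content' => $_POST['content'],
            ]);
        }
        break;

    case 'edit':
        if (isset($_POST['submit'])) {
            $stmt = $pdo->prepare(
                'UPDATE article SET articleTitle = :title, articleContent = :content WHERE id = :id'
            );
            $stmt->execute([
                ':title'   => $_POST['title'],
                ':content' => $_POST['content'],
                ':id'      => $id,
            ]);
        }
        break;
}

// Redirect before any output; stored HTML still needs htmlspecialchars() when displayed.
header('Location: article.php');
exit;
```

Escaping on the way in does not make stored HTML safe to render later; pass it through `htmlspecialchars()` on output unless you deliberately want it interpreted as markup.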

P: 19
Thank you Mark, that worked!
Mar 28 '09 #5

Markus
Expert 5K+
P: 6,050
@atlanteavila
You're very welcome :D

- Markus.
Mar 28 '09 #6
