Allow special characters in form's texarea after submit
I created a form where someone can add their name and a comment and then submit it to my database.here's the code of the formPHP
View ArticleAllow special characters in form's texarea after submit
You need to escape the $comm variable$comm = mysql_real_escape_string($comm);That allows quotes to be inserted into the table.
View ArticleAllow special characters in form's texarea after submit
And you should probably do the same for $comments as well, since someone might be putting contractions into the commentary.
View ArticleAllow special characters in form's texarea after submit
Also you should escape all strings, not just ones that potentially have ' to avoid other escape character issues, SQL injection, etc.
View ArticleAllow special characters in form's texarea after submit
Antal Daavid wrote:Also you should escape all strings, not just ones that potentially have ' to avoid other escape character issues, SQL injection, etc.Very true.
View ArticleAllow special characters in form's texarea after submit
Thanks a lot donges for the solution, and antal for your suggestion.Solved.
View ArticleAllow special characters in form's texarea after submit
It's a suggestion in the same way that wearing a seat belt is a suggestion. SQL Injection is the #1 web attack and these days the first approach, so if your software is going to be web facing at all,...
View ArticleAllow special characters in form's texarea after submit
It will be a web based but availiable only to a small group of people, so i'm not woried about the sql injection at all. I just tried to be polite, and i actually already knew that my code was prone to...
View ArticleAllow special characters in form's texarea after submit
Even if I am doing a simple internal script I tend towards prepared statements. It is more secure but also much, much cleaner code.
View ArticleAllow special characters in form's texarea after submit
Use named parameters like :st, :comm, :comments in your query, then...$db->prepare($query)->execute($_POST);KISS - keep it stupid simple.
View ArticleAllow special characters in form's texarea after submit
Artistan@ITtrader wrote: Use named parameters like :st, :comm, :comments in your query, then...$db->prepare($query)->execute($_POST);KISS - keep it stupid simple.Be warned of POST...
View Article