Raiden616 Posted November 28, 2010 Share Posted November 28, 2010 Hi, I am trying to make a blog system in php and mysql and just about got it working except for one thing. I need to sanitise the fields, both to prevent against sql injection and to allow the bloggers to use punctuation such as quotes. this is the query code I have so far: if($_SERVER["REQUEST_METHOD"] == "POST") { $post_title = $_POST['posttitle']; $post_content = $_POST['postcontent']; $post_content = mysql_real_escape_string($post_content); $query=mysql_query("INSERT INTO 'blog'('Title','Content') VALUES ('$post_title','$post_content')",$connect); header("Location:index.php?page=afterpost&post=".mysql_insert_id()); } I can't see why that isn't working, but when I type something in with a quote in it it just doesn't submit to the database. Without a quote works fine. If I try echo $post_content;, it comes up with backslashes before the quotes so the mysql_real_escape_string seems to be working. What am I doing wrong? Thanks in advance. Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 29, 2010 Share Posted November 29, 2010 Are you sure the connection to the database exists when mysql_real_escape_string() is called? Is error_reporting/display_errors on? Try specifically calling the connection in the function. mysql_real_escape_string($post_content, $conn); Quote Link to comment Share on other sites More sharing options...
Raiden616 Posted November 29, 2010 Author Share Posted November 29, 2010 Hi, The connection is called, but I tried what you said anyway and no luck, it's still misbehaving. Here's the full code (with security data removed of course. <?php $connect = mysql_connect($host,$username,$password); $db=mysql_select_db($database,$connect); session_start(); if($_SERVER["REQUEST_METHOD"] == "POST") { $post_title = $_POST['posttitle']; $post_content = $_POST['postcontent']; $post_content = mysql_real_escape_string($post_content, $connect); $query=mysql_query("INSERT INTO 'blog'('Title','Content') VALUES ('$post_title','$post_content')",$connect); header("Location:index.php?page=afterpost&post=".mysql_insert_id()); } ?> Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted November 29, 2010 Share Posted November 29, 2010 That query never worked, you must have changed it as well. You have single-quotes around the table name and the column names, making them strings instead of table and column names. Quote Link to comment Share on other sites More sharing options...
Raiden616 Posted November 29, 2010 Author Share Posted November 29, 2010 OMG duh! Sorry that is me being totally retarded lol. It works now I removed those quotes. I don't know why I put those there in the first place must have been having a funny five minutes. Thanks very much both of you Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.