sshaham1 Posted January 16, 2011 Share Posted January 16, 2011 I'm designing a website that takes user input from in a <textarea></textarea> and enters the input into a database. Everything works besides if the user has double quotes (") in his/her message. (the name of the table that I want to add to is alluserposts) What i have so far is the following: from index.php: <form action="insert2.php" method="post"><textarea name="user_post" rows="6" cols="35"></textarea></form> from insert2.php: mysql_query("INSERT INTO alluserposts (post_value) VALUES(" . "\"" . $_POST['user_post'] . "\")" ,$db) or die(mysql_error($db)); I want the user to be able to input any character. How can i do that? Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted January 16, 2011 Share Posted January 16, 2011 If quotes are breaking the insert, you're also open to SQL Injection attacks. You need to be validating and sanitizing all incoming data by validating / escaping / casting it. Quote Link to comment Share on other sites More sharing options...
QuickOldCar Posted January 16, 2011 Share Posted January 16, 2011 For reference. Everyone working with php should at least read the php manual, or relative content with what they are doing. http://www.php.net/manual/en/index.php Here's just the string functions http://www.php.net/manual/en/ref.strings.php for any user input, don't use directly any superglobals in mysql queries, Those would be like $_POST,$_GET,$_REQUEST and so on. http://php.net/manual/en/language.variables.superglobals.php always escape them first http://php.net/manual/en/function.mysql-real-escape-string.php use for cleaning the input the following http://php.net/manual/en/function.htmlentities.php or http://www.php.net/manual/en/function.htmlspecialchars.php to strip the slashes http://www.php.net/manual/en/function.stripslashes.php And as Pikachu2000 said, you would be open to all types of attacks not taking the above measures. I guarantee you would get hacked,deleted databases and whatnot fairly fast. The biggest rule is "Never Trust User Input", not ever. You just can't allow every character. Quote Link to comment Share on other sites More sharing options...
sshaham1 Posted January 16, 2011 Author Share Posted January 16, 2011 is this still vulnerable to SQL injections? $data = $_POST['user_post']; $data = trim($data); $data = stripslashes($data); $data = htmlspecialchars($data); mysql_query("INSERT INTO alluserposts (post_value) VALUES(" . "\"" . $data . "\")" ,$db) or die(mysql_error($db)); Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted January 16, 2011 Share Posted January 16, 2011 trim() is fine to use. You don't want to arbitrarily use stripslashes(); first check to see if magic_quotes_gpc() is on. There's no need to use htmlspecialchars() until you display the data. So a very basic escaping routine for string type data would be like this. You can also place this in a function wrapper, if desired. require_once('your_db_connect_script.php'); // must be connected before using mysql_real_escape_string() $data = trim($_POST['user_post']); if( get_magic_quotes_gpc() ) { $data = mysql_real_escape_string(stripslashes($data)); } else { $data = mysql_real_escape_string($data); } //$data can now be used in the query string. Note that this doesn't validate that the incoming data is actually of the type you want it to be. That needs to be handled through validation routines.. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.