
I have created a form which inserts data into a MySQL database. Here are the form fields; they are part of a <form>, but I have not displayed the whole form here, just the fields which are creating a problem.

<tr> <td>Top 728x90 As</td><td><textarea name='topad'><?=$r['topad']?></textarea></td></tr>
<tr> <td>Sidebar 250x250 Ad</td><td><textarea name='sidebarad'><?=$r['sidebarad']?></textarea></td></tr>

This part of code processes the input and inserts it into the database.

if(isset($_POST['submit'])) {

    $topad = $_POST['topad'];
    $sidebarad = $_POST['sidebarad'];

    $update = $connection->prepare("UPDATE site SET topad = '$topad' , sidebarad = '$sidebarad' WHERE id=1");
    $update->execute(array());
}

The problem with this code is that it is not accepting/processing the part of the data involving the <a href="#"> and </a> code. This is not about escaping HTML characters, because all the other HTML tags like <img>, etc. are showing as they are, which is what I want.

So, whenever I insert an <a> tag, it just disappears; it neither gets inserted in the database nor shows up in the form after pressing the submit button.

UPDATE: When the link is inserted using Double Quotes, it gets accepted. If I use Single Quotes it is not processed. E.g. <a href="someurl"> will be accepted in the DB, while <a href='someurl'> will not.

Why does this error happen?

Rohitink
  • This is because you are using the wrong way to substitute variables. You should use `placeholder` and bind param – Shakti Singh Dec 27 '12 at 11:17
  • Why are you preparing it without placeholders. This is as vulnerable to SQL injection as any unsanitized query. Please read [this article](http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers) before trying to do stuff with a database :) – PeeHaa Dec 27 '12 at 11:20
  • How to use bind param while updating a database? How to prepare with placeholders? – Rohitink Dec 27 '12 at 11:20

1 Answer


The reason is that you are using a prepared statement but the values are not parameterized. Try below:

$topad = $_POST['topad'];
$sidebarad = $_POST['sidebarad'];

$update = $connection->prepare("UPDATE site SET topad = :topad , sidebarad = :sidebarad WHERE id=1");
$update->execute(array(':topad' => $topad, ':sidebarad' => $sidebarad));
John Woo
    Thank you. It worked. I used to think just using a prepared statement was enough to prevent SQL injection. Don't think that anymore :) – Rohitink Dec 27 '12 at 11:30
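To see why the single-quoted anchor tag vanished and why the accepted answer fixes it, here is an added, self-contained example (not code from the question or the answer). It uses PDO against an in-memory SQLite database instead of MySQL, and the table, row and input values are constructed for the demonstration.

```php
<?php
// Added example: in-memory SQLite through PDO so it runs offline.
// Table and row are constructed here to stand in for the `site` table.
$pdo = new PDO('sqlite::memory:');
// Raise exceptions instead of PDO's default silent failure, so the broken
// query is visible rather than quietly doing nothing (the "disappearing" data).
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE site (id INTEGER PRIMARY KEY, topad TEXT, sidebarad TEXT)");
$pdo->exec("INSERT INTO site (id, topad, sidebarad) VALUES (1, '', '')");

// Constructed input: the single-quoted <a> tag from the question.
$topad     = "<a href='someurl'>Top ad</a>";
$sidebarad = "<img src='banner.png'>";

// 1. Interpolating the values into the SQL text, as the question does.
//    The apostrophe inside href='someurl' closes the SQL string literal
//    early, so the statement is a syntax error and the row is never updated.
try {
    $pdo->prepare("UPDATE site SET topad = '$topad', sidebarad = '$sidebarad' WHERE id=1")
        ->execute();
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . PHP_EOL;
}

// 2. Named placeholders, as in the answer. The values are sent separately
//    from the SQL text, so quotes inside them are data, never SQL syntax.
$update = $pdo->prepare("UPDATE site SET topad = :topad, sidebarad = :sidebarad WHERE id=1");
$update->execute([':topad' => $topad, ':sidebarad' => $sidebarad]);

// Read the row back and compare with the original input.
$row = $pdo->query("SELECT topad, sidebarad FROM site WHERE id=1")->fetch(PDO::FETCH_ASSOC);
var_dump($row['topad'] === $topad, $row['sidebarad'] === $sidebarad);
echo $row['topad'] . PHP_EOL;
```

The same contrast applies with MySQL: the interpolated form fails (or, with PDO's default error mode, fails silently) on any value containing an apostrophe, while the parameterized form stores the value byte for byte.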