
I want to run this:

UPDATE users SET about="$about" ;

but when my $about contains =, the script makes a mistake and does something like this:

$about="<img src=somevalue.jpg />";

The script adds this in the database:

<img src

and nothing more.

John Woo

3 Answers

Try it by wrapping the value in a pair of single quotes:

$about = '<img src=somevalue.jpg />';
$query = "UPDATE users SET about='$about'";

As a side note, the query is vulnerable to SQL injection if the value(s) of the variables come from outside. Please take a look at the article below to learn how to prevent it. By using prepared statements you can get rid of putting single quotes around values.

John Woo
  • Again the same problem occurs, but thank you. I tried to do something else: not to use it directly, but to use a function img($src){ echo ""; }, but when I show the content of the table cell the function does not work. – Людмил Маринов Mar 03 '13 at 16:35

This is called 'SQL injection'. You have to take care of that anyway, so google it.

You have to escape all input you want to use inside statements; anything can happen otherwise. Best is not to use statements constructed by simply including variable content, but to use a better engine. Take a look at PDO and the way it works. You "prepare" a statement and hand over the parameters as an array. PDO takes care to cleanly escape as required. Much safer that way.

arkascha
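Both the side note in the first answer and the second answer make the same point: quoting the value fixes the = problem, but the only robust fix is a prepared statement with bound parameters. The following is an added example, not code from the question or either answer; it uses Python's sqlite3 module as a stand-in for PHP/MySQL (the ? placeholders play the role of PDO's prepare() and execute() with a parameter array). The users table schema, the user ids and the attacker payload are all constructed for the example.

```python
import sqlite3

# Constructed inputs for the example (not from the page):
ABOUT_FROM_QUESTION = '<img src=somevalue.jpg />'   # the value the question tried to store
# Hypothetical attacker-controlled value: closes the literal and comments out the
# rest of the statement so the WHERE clause is replaced by the attacker's own.
ABOUT_FROM_ATTACKER = "x' WHERE id=1 --"


def fresh_db():
    """In-memory database with an assumed two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, about TEXT)")
    conn.executemany("INSERT INTO users (id, about) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def read_about(conn, user_id):
    return conn.execute("SELECT about FROM users WHERE id=?", (user_id,)).fetchone()[0]


def unquoted_fails(conn):
    """The question's original pattern: the value is pasted in with no quotes at all.
    The database parses <img src=... as part of the SQL, not as data."""
    sql = f"UPDATE users SET about={ABOUT_FROM_QUESTION} WHERE id=1"
    try:
        conn.execute(sql)
    except sqlite3.OperationalError:
        return True   # syntax error: the value was interpreted as SQL
    return False


def update_interpolated(conn, user_id, about):
    """The accepted fix: single quotes around the interpolated value.
    Works for the question's value, but any quote inside `about` still
    breaks out of the literal, so the caller's WHERE clause can be replaced."""
    sql = f"UPDATE users SET about='{about}' WHERE id={user_id}"
    conn.execute(sql)
    conn.commit()
    return sql   # returned so the caller can see what was actually executed


def update_parameterized(conn, user_id, about):
    """The prepared-statement fix: the SQL text is fixed, values travel separately.
    No quoting of the value is needed and no value can change the statement."""
    conn.execute("UPDATE users SET about=? WHERE id=?", (about, user_id))
    conn.commit()


if __name__ == "__main__":
    db = fresh_db()
    print("unquoted raises a syntax error:", unquoted_fails(db))
    # User 2 edits their own profile with the malicious value; user 1 gets overwritten.
    print(update_interpolated(db, 2, ABOUT_FROM_ATTACKER))
    print("interpolated -> user1:", read_about(db, 1), "| user2:", read_about(db, 2))
    db = fresh_db()
    update_parameterized(db, 2, ABOUT_FROM_ATTACKER)
    print("parameterized -> user1:", read_about(db, 1), "| user2:", repr(read_about(db, 2)))
```

With interpolation the executed statement becomes UPDATE users SET about='x' WHERE id=1 --' WHERE id=2, so user 1's row is changed and user 2's is not; with the bound parameter, user 2's row stores the payload verbatim and user 1 is untouched. The same holds in PHP with PDO: $stmt = $pdo->prepare("UPDATE users SET about=? WHERE id=?"); $stmt->execute([$about, $id]);.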

The issue is with putting quotes around the string. I'm not very familiar with how PHP replaces variables in strings, but you can try the following for MS SQL Server:

Set about ="'$about'"

TheVillageIdiot