submit textarea into phpmyadmin issue

Question

I want to submit a text area where user can enter anything or any special characters with the same text format as user input into the text area. Like spaces, new line and tab at the start of the new line. I have one the below codes but when the user input contain ',",(,) it showing the sqlquery error. Please let me know how to insert text like forum into the database.

html is

<textarea class="noticearea" name="notice_area" id="notice_area" ></textarea>

php is

$noticeinsert = mysql_query("INSERT INTO notice_board(notice_id, notice_area, notice_dnt) VALUES ('$notice_id', '$notice_area', '$notice_dnt')");

please let me know how to submit any enter value into the database. Also, is it safe to send html or php codes or speicial char entered by users into database ?

this kind of embedding string from variables that are filled with user input content makes you potentially vulnerable to sql injections. — DrCopyPaste, Sep 13 '13 at 10:07
You need to sanitize and escape your inputs. Look into prepared statements. — Ben Fortune, Sep 13 '13 at 10:07
In this case `mysql_real_escape_string()`, `stripslashes()` etc, but you should look into mysqli/PDO. — Ben Fortune, Sep 13 '13 at 10:10
#ben fortune, i saw the above comment that embedding string from varaible are vulnerable if i use mysql_real_escape_string it is also the same problem ?? — user2642907, Sep 13 '13 at 10:17
yes vulnerability remains, take a look here http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string to get around this use parametrized/prepared statements — DrCopyPaste, Sep 13 '13 at 11:39

score 0 · Answer 1 · answered Sep 13 '13 at 10:03

0

Change :

 <textarea class="noticearea" name="notice_area" id="notice_area" </textarea>

To:

  <textarea class="noticearea" name="notice_area" id="notice_area"></textarea>

answered Sep 13 '13 at 10:03

trrrrrrm

11,362
25
85
130

sorry its just a mistake here i entered the code manually i edited it – user2642907 Sep 13 '13 at 10:05

score 0 · Accepted Answer · answered Sep 13 '13 at 10:04

0

You forgot $_POST.

Change

$noticeinsert = mysql_query("INSERT INTO notice_board(notice_id, notice_area, notice_dnt) VALUES ('$notice_id', '$notice_area', '$notice_dnt')");

To

$noticeinsert = mysql_query("INSERT INTO notice_board(notice_id, notice_area, notice_dnt) VALUES ('$_POST["notice_id"]', '$_POST["notice_area"]', '$_POST["notice_dnt"]')");

But check the $_POST variables, because of sql-injection.

answered Sep 13 '13 at 10:04

q0re

1,401
19
32

this all variables in the values are cming from $_post only – user2642907 Sep 13 '13 at 10:07
this is my post variable $notice_area = $_POST["notice_area"]; – user2642907 Sep 13 '13 at 10:08
Show us your database schema and more code pls ;) i cannot find a error in the code above.. – q0re Sep 13 '13 at 10:09
This is the only code, when user enter ' in the text area it showing error because it is taking ' as the syntax of the mysql – user2642907 Sep 13 '13 at 10:11
use `$notice_area = mysql_real_escape_string($_POST['notice_area']);` before insert.. – q0re Sep 13 '13 at 10:11
The ' interrupts the SQL statement. – q0re Sep 13 '13 at 10:12
correct this works... thanks you ... is it safe to enter all the html or special char into the database – user2642907 Sep 13 '13 at 10:15
No Problem ;) You can read more information here: http://php.net/manual/de/function.mysql-real-escape-string.php – q0re Sep 13 '13 at 10:17

score 0 · Answer 3 · answered Sep 13 '13 at 10:05

0

you are missing > in your html file

answered Sep 13 '13 at 10:05

Guru

621
1
4
12

sorry its just a mistake here i entered the code manually i edited it – user2642907 Sep 13 '13 at 10:06
first of all check the all the values are getting or not? – Guru Sep 13 '13 at 10:12

submit textarea into phpmyadmin issue

3 Answers3