PHP Insert into MySQL table text with special characters?

Question

I have very strange problem.

I have an HTML post from which is sending data to MySQL database. Here is my HTML from:

<form action="update_video_ads.php" method="post">
<textarea name="code" style="width:400px;height:100px;">[adminblk.code;block=table]</textarea>
<input type="submit" value="Update Information" name="submit">
</form>

When i type normal characters like ASDASDAS GASDG SDAD and hit submit it's updating the MySQL table, but the problem comes when i try to submit text in the textarea like this <img src="asdasdas.jpg">

Here is my PHP part of code:

$turn = addslashes($_POST["turn"]);
$seconds = addslashes($_POST["seconds"]);
$code = $_POST["code"];

            $register_sql="UPDATE videoads SET `enabled`='$turn',`seconds`='$seconds',`code`='".mysql_real_escape_string($_POST["code"])."' WHERE id='1'";          
            $insertAccount = mysql_query($register_sql);

So why i can not Update the field when i type special characters? When i type normal message it's working okey.

My DB table code is setted to text formation.

Thanks in advance!

What's the URL to this page? I haven't had fun with SQL injection in awhile. But seriously, if receiving data from the client never trust it. Please use `mysqli` and `prepared statements` . — Ohgodwhy, Nov 14 '13 at 20:45
I suspect the problem isn't with the database, but with how you display the data when you retrieve it. Do you want to see the literal HTML tags, or do you want to see the image? — Barmar, Nov 14 '13 at 20:50
You should call `mysql_real_escape_string`, not `addslashes`, for all the fields, not just `code`. — Barmar, Nov 14 '13 at 20:51
I want to see the whole text what is insertes with all brackets, commas and etc.. — user2987591, Nov 14 '13 at 20:51
The problem is that it's posting blank space when i use special characters. I don't have problem with displaying the inserted data. I have problem with INSERTING the data to DB when it contains special characters espcially `< " > ' ` — user2987591, Nov 14 '13 at 20:55

score 0 · Answer 1 · edited May 23 '17 at 12:28

0

It's not working because your code is vulnerable to injection, as others have pointed out. See this answer for an example of how that could work. Your database is vulnerable to getting hosed, stolen, or both.

Edit: use MySQLi or PDO. Pick one of those and work your way through a tutorial, then come back if you get stuck.

edited May 23 '17 at 12:28

Community

1
1

answered Nov 14 '13 at 20:55

elixenide

44,308
16
74
100

Read the manual; see the links in my answer. Also, you don't have fields named `turn` or `seconds` in your HTML above. If those are being created on the fly by JavaScript or something, that could also be the problem. – elixenide Nov 15 '13 at 02:46

PHP Insert into MySQL table text with special characters?

1 Answers1