
I have code for submitting an article; the form has a title input and a file input for the article file.

But the problem is that if I write, for example, "this is hi's article" in the title, the article will not submit and will fail. The code for replacing spaces in the title is:

// replace spaces in the uploaded file name (the file name, not the article title)
$pdf_file=str_replace(" ", "_", $_FILES['msfile']['name']);

/* define the path to the upload folder */
$destination='../pdf/';
move_uploaded_file($_FILES['msfile']['tmp_name'], $destination.$pdf_file);


// inserting info into articles
mysql_connect($host,$username,$password)or die("cannot connect");
$selected=mysql_select_db($db_name)or die("cannot select DB");

// build the query string; a ' in any interpolated value (e.g. the title) ends the SQL string literal early
$sql1=" INSERT INTO `{$tbl_name}`  (`uname`,`title`,`fname`,`lname`,`email`,`mstitle`,`msfile`,`date`,`status`)
VALUES ('{$log_row["uname"]}' , '{$log_row["title"]}' , '{$log_row["fname"]}' , '{$log_row["lname"]}' , '{$log_row["email"]}' , '{$_REQUEST['mstitle']}','{$pdf_file}','{$mydate}','Awaiting Processing' )";
// run it once (the original called mysql_query() twice, passing the first result back in as the query)
$result1=mysql_query($sql1) or die(mysql_error());

any suggestion ?

anonymox
  • I suggest reading up on SQL injection. That's exactly why it needs to be avoided: not just for Little Bobby Tables, but for the innocent apostrophe that can destroy your query – Damien Pirsy Jul 02 '14 at 19:30
  • What @DamienPirsy said. It is the ' breaking your query; look at using prepared statements, or something like `mysqli_real_escape_string` – Doon Jul 02 '14 at 19:32
  • Thanks for the response, but I know about SQL injection; I need to unblock < ' > in the code because my clients would not accept blocking it, and they want to write everything in the title, unfortunately – anonymox Jul 02 '14 at 19:33
  • ...in OP's case, that would be `mysql_real_escape_string()`, yet `mysqli_` functions are best, considering the deprecation of `mysql_` functions. – Funk Forty Niner Jul 02 '14 at 19:33
  • @anonymox Your comment shows you don't know enough about SQL injection. I repeat, it's not just the malicious user that tries to drop your user table; it's mainly for being able to use an apostrophe. – Damien Pirsy Jul 02 '14 at 19:35
  • You can also look into `addslashes()` and `stripslashes()` and/or just do another replace of `'` with `\'` - you have many options available at your disposal. Prepared statements work best. – Funk Forty Niner Jul 02 '14 at 19:36
  • So can I change mysql_query to mysql_real_escape_string() and be able to accept < ' > in the title? – anonymox Jul 02 '14 at 19:36
  • It should; give it a try. Yet, use [**`mysqli_*` with prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php), or [**PDO**](http://php.net/pdo) with [**prepared statements**](http://php.net/pdo.prepared-statements). `mysql_` functions are deprecated and will be removed from future PHP releases. – Funk Forty Niner Jul 02 '14 at 19:37
  • You would need to use mysql_real_escape_string to escape all the string values, and then use those values to build your query – Doon Jul 02 '14 at 19:39
  • Thanks for responding; yeah, I've been using mysqli in my new code. But it's an old website and I don't want to go through all of the pages; it should be redesigned from the top. I just need to fix this part. – anonymox Jul 02 '14 at 19:41

0 Answers
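The fix the commenters describe (mysqli with prepared statements), written out as an added example; this is not code from the original question or its comments. It assumes the same variables as the question ($host, $username, $password, $db_name, $tbl_name, $log_row, $mydate), that the form is POSTed (so $_POST['mstitle'] replaces $_REQUEST['mstitle']), and that $tbl_name comes from configuration rather than the request, because a table name cannot be bound as a parameter. It also stops building the destination path from $_FILES['msfile']['name'] and stores the upload under a server-generated name, since that is the other place in the posted code where client-supplied text is concatenated into something the server acts on.

```php
<?php
// Added example (not from the original post): the question's INSERT rewritten with
// mysqli prepared statements. The title is sent to MySQL as a bound value, so an
// apostrophe in "hi's article" is stored as data instead of ending the SQL literal.
//
// Assumed to be defined, as in the question: $host, $username, $password, $db_name,
// $tbl_name (trusted, from config), $log_row (the logged-in user's row), $mydate.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
$db = new mysqli($host, $username, $password, $db_name);
$db->set_charset('utf8mb4'); // binding/escaping is charset-aware; set it explicitly

// 1. Upload handling. Do not use the client's file name in the destination path:
//    basename() drops any directory part, and the stored name is generated server-side,
//    so it contains no spaces, quotes or path separators to begin with.
if (!isset($_FILES['msfile']) || $_FILES['msfile']['error'] !== UPLOAD_ERR_OK) {
    exit('No file uploaded');
}
$original = basename($_FILES['msfile']['name']);
$ext      = strtolower(pathinfo($original, PATHINFO_EXTENSION));
if ($ext !== 'pdf') {
    exit('Only PDF uploads are accepted');
}
$pdf_file    = bin2hex(random_bytes(16)) . '.pdf';
$destination = '../pdf/';
if (!move_uploaded_file($_FILES['msfile']['tmp_name'], $destination . $pdf_file)) {
    exit('Could not store the uploaded file');
}

// 2. The INSERT with ? placeholders for every user- or row-derived value.
//    Only the table name is interpolated, and it is not user input.
$sql = "INSERT INTO `{$tbl_name}`
        (`uname`,`title`,`fname`,`lname`,`email`,`mstitle`,`msfile`,`date`,`status`)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?, 'Awaiting Processing')";

$mstitle = $_POST['mstitle'] ?? '';   // raw title, apostrophes and all; no str_replace needed

$stmt = $db->prepare($sql);
$stmt->bind_param(
    'ssssssss',
    $log_row['uname'],
    $log_row['title'],
    $log_row['fname'],
    $log_row['lname'],
    $log_row['email'],
    $mstitle,
    $pdf_file,
    $mydate
);
$stmt->execute();

echo 'Stored article ' . $db->insert_id . ' with title: ' . htmlspecialchars($mstitle, ENT_QUOTES, 'UTF-8');
```

If the page really has to stay on the legacy mysql_* API for now, the equivalent minimal patch is what Doon describes: run each interpolated value through mysql_real_escape_string() after mysql_connect() has opened the connection (for example `$mstitle = mysql_real_escape_string($_REQUEST['mstitle']);`) and interpolate those escaped copies into the string. It is applied to the values, not to mysql_query() itself, and it only escapes correctly when the connection's character set matches the data's, which is one more reason the prepared-statement version above is the safer rewrite.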