
I'm adding some html code to a database through a mysql_query. So, a basic query looks like this $qry = "UPDATE Pages SET ".$column."='$value' WHERE id='$id'";

If this is called, an actual query might look like this: $qry = "UPDATE Pages SET content_en='<h1>This is a title</h1>' WHERE id='12'"; However, if the HTML code looks like this: <h1 style='color:red;'>This is a title</h1>, it'll break the query because of the semi-colon. Is there any way to solve this?

User183849481
    Don't add variables directly to the query; escape the string. It will encode variables and remove some vulnerabilities. – Justinas Aug 18 '14 at 08:40
  • Prepared statements and sql parameters are the way to go. **Never** build a query dynamically by concatenation - if you remember that concept it will save you a lot of headache in the future. – Germann Arlington Aug 18 '14 at 08:42
  • escape apostrophes around style => \'color: red; \' – giannisf Aug 18 '14 at 08:43

1 Answer


Use the MySQL escaping function on your content, like this:

$value = mysqli_real_escape_string($link, $value); // $link is the open mysqli connection; the mysqli version requires it as the first argument
blue112
    This is the correct answer, but you have to explain why it solves the problem(escape of single quotes). – GuyT Aug 18 '14 at 08:57
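The approach the comments recommend, as an added example that is not code from the question or the answer: the HTML value is bound as a parameter, so the quotes and semicolons in the style attribute never become part of the SQL text, and the column name, which cannot be bound, is checked against an allow-list. The table `Pages`, the column names and the connection credentials are assumed.

```php
<?php
// Added example: parameterised UPDATE for the question's query. Not the
// asker's or answerer's code; the column list and credentials are assumed.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Columns that this code path is allowed to write (assumed schema).
const EDITABLE_COLUMNS = ['content_en', 'content_fr', 'title'];

function updatePage(mysqli $db, string $column, string $value, int $id): bool
{
    // Identifiers cannot be bound with "?", so anything not on the list is rejected
    // rather than interpolated; this is what protects the $column part of the query.
    if (!in_array($column, EDITABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("column not editable: $column");
    }

    // The value travels as a bound parameter, separate from the statement text,
    // so "<h1 style='color:red;'>" cannot terminate the string literal or add SQL.
    $stmt = $db->prepare("UPDATE Pages SET `$column` = ? WHERE id = ?");
    $stmt->bind_param('si', $value, $id); // s = string, i = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Assumed connection details; set the charset so escaping and binding agree with it.
$db = new mysqli('localhost', 'user', 'password', 'site');
$db->set_charset('utf8mb4');

// The exact value from the question, including the quotes and the semicolon.
updatePage($db, 'content_en', "<h1 style='color:red;'>This is a title</h1>", 12);
```

If the code must stay on the old `mysql_*` concatenation for now, `mysqli_real_escape_string($link, $value)` neutralises the quotes in the value, but it does nothing for `$column`, which still needs the allow-list.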