Here is the code I am using

if (!empty($_REQUEST['content'])&&!empty($_REQUEST['title'])&&!empty($_REQUEST['writer'])) {
$title = $_POST['title'];
$content = $_POST['content'];
$writer = $_POST['writer'];
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';
$purifier = new HTMLPurifier();
$pure_content = $purifier->purify($content);
$entity_content = htmlentities($pure_content);
$entity_content = mysql_real_escape_string($entity_content);
mysql_query("INSERT INTO stories (TITLE, WRITER, CONTENT, UPVOTE, DOWNVOTE) VALUES ('$title', '$writer', '$content', 0, 0)");
}

Now, after some testing I found out that whenever I type an apostrophe somewhere, like in "it's", the values don't get inserted in the table. How do I prevent this? Are there any other special characters that might cause this problem? Here is what I am working on: http://8mags.com/bored/people/

Edit

I have updated these two lines of code

$add_content = "INSERT INTO stories (TITLE, WRITER, CONTENT, UPVOTE, DOWNVOTE) VALUES ('$title', '$writer', '$content', 0, 0)"; 
$result = mysqli_query($mysqli, $add_content) or die(mysqli_error($mysqli));

Is there anything else that I need to change?

Second Update

I have changed this code too

$con = mysqli_connect($db_hostname,$db_username,$db_password);
if (!$con)
{
// mysqli_error() needs a connection handle; for a failed connect use mysqli_connect_error()
die('Could not connect: ' . mysqli_connect_error());
}
// procedural mysqli_select_db() takes the connection first, then the database name
mysqli_select_db($con, $db_database);

Is there anything else? Thank you for the help.

Nitish Kumar
  • Don't use `mysql_*` functions. Please check this http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php – 웃웃웃웃웃 Jan 15 '15 at 08:27
  • I don't know, but I think the error is because you don't use the encoded contents `$entity_content` for your query... And please don't use the mysql_* functions. – Giwwel Jan 15 '15 at 08:33
  • If it's a true apostrophe and not a single quote, then it may have to do with your column/table set up. See if it's set up as `UTF-8`, sometimes it will fail to input or input all funky-like if not allowing certain characters. – Rasclatt Jan 15 '15 at 08:36
  • I have updated the code to insert values in database. Is it correct or do I need to change it to something else? – Nitish Kumar Jan 15 '15 at 08:36
  • You need to change the connection to the database too. – Rasclatt Jan 15 '15 at 08:37
  • And bind parameters is required for safe queries. – Rasclatt Jan 15 '15 at 08:37
  • Here is the link to bind parameters: http://php.net/manual/en/mysqli-stmt.bind-param.php Also, check your table format, it may still not accept special characters if not `UTF-8` – Rasclatt Jan 15 '15 at 08:44
  • I have specified utf8_unicode_ci as collation for TITLE, WRITER and CONTENT. Type of Content has been set to TEXT and for others it is VARCHAR – Nitish Kumar Jan 15 '15 at 08:49

1 Answer

You just need to put this at time of insertion.

$title = addslashes($_POST['title']);
$content = addslashes($_POST['content']);
$writer = addslashes($_POST['writer']);

And at time of show(listing)

stripslashes($VariableName)

Hope this helps you.

Sunil Pachlangia
  • For now it is working. Thank you! Is there any security issue that it might pose? – Nitish Kumar Jan 15 '15 at 09:29
  • No no, there is no issue of security at all. – Sunil Pachlangia Jan 15 '15 at 09:32
  • I recommend telling people to use the escaping mechanism for the medium, rather than something that works by coincidence. :) In this case, `mysql[i]_real_escape_string()` would be better than `addslashes()`, as the latter solution is dependent on the MySQL server's settings. (Even better would be an introduction to parametrised prepared queries.) – pinkgothic Jan 16 '15 at 08:32
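Added example, not code from the question or from the answer above: the insert from the question and the prepared-statement advice from the last comment, written with mysqli bound parameters so an apostrophe in the data can never end the SQL string literal, and with HTML escaping done at display time instead of the addslashes()/stripslashes() pair. It assumes placeholder credentials (DB_HOST, DB_USER, DB_PASS, DB_NAME), an existing `stories` table with the columns named in the question, and PHP 7.4 or later with the mysqli extension; the sample story values are constructed for the demonstration.

```php
<?php
// Added example (not the question's or the answer's code).
declare(strict_types=1);

// Make mysqli throw on every error instead of failing silently, which is why
// the question's insert "just didn't happen" on an apostrophe.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const DB_HOST = 'localhost';    // placeholder, assumption
const DB_USER = 'db_user';      // placeholder, assumption
const DB_PASS = 'db_password';  // placeholder, assumption
const DB_NAME = 'db_name';      // placeholder, assumption

function connect(): mysqli
{
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    // Declare the connection charset explicitly; utf8mb4 also covers the
    // typographic apostrophe (U+2019) that a word processor pastes in.
    $db->set_charset('utf8mb4');
    return $db;
}

// Store the text exactly as submitted. The SQL text contains only
// placeholders; the values are sent separately and are never parsed as SQL,
// so quotes, backslashes and NUL bytes in them need no escaping at all.
function insertStory(mysqli $db, string $title, string $writer, string $content): bool
{
    $stmt = $db->prepare(
        'INSERT INTO stories (TITLE, WRITER, CONTENT, UPVOTE, DOWNVOTE) VALUES (?, ?, ?, 0, 0)'
    );
    $stmt->bind_param('sss', $title, $writer, $content);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Read a story back by title; the lookup value is bound the same way.
function fetchStory(mysqli $db, string $title): ?array
{
    $stmt = $db->prepare('SELECT TITLE, WRITER, CONTENT FROM stories WHERE TITLE = ? LIMIT 1');
    $stmt->bind_param('s', $title);
    $stmt->execute();
    $stmt->bind_result($t, $w, $c);
    $row = $stmt->fetch() ? ['title' => $t, 'writer' => $w, 'content' => $c] : null;
    $stmt->close();
    return $row;
}

// Escape for the HTML context only when rendering. ENT_QUOTES also encodes
// the apostrophe, so it cannot break out of an attribute value either.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderStory(array $row): string
{
    return '<h2>' . esc($row['title']) . '</h2>'
         . '<p>by ' . esc($row['writer']) . '</p>'
         . '<div>' . nl2br(esc($row['content'])) . '</div>';
}

// Constructed sample input: an ASCII apostrophe, a typographic one, double
// quotes and a backslash, i.e. everything that broke the original query.
$title   = "It's a test: don\u{2019}t panic";
$writer  = "O'Brien";
$content = "She said \"it's fine\" and left.\nA backslash \\ survives too.";

$db = connect();
insertStory($db, $title, $writer, $content);
$row = fetchStory($db, $title);
echo $row === null ? "not found\n" : renderStory($row) . "\n";
```

Compared with the accepted answer: addslashes() prefixes quotes with a backslash, which MySQL only treats as an escape when its default sql_mode is in effect (with NO_BACKSLASH_ESCAPES the quote goes through unescaped), and it knows nothing about the connection charset, whereas mysqli_real_escape_string() is charset-aware and bound parameters skip the interpolation step altogether. Storing the raw text also removes the need for stripslashes() at display time; the only transformation the output needs is the one for its own medium, here htmlspecialchars() for HTML.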