
I am creating a messaging system but the problem I face is that when users try and enter certain characters like ' into the message, the database doesn't want to allow it. Any idea what this is?

sark9012

2 Answers

2

This is called SQL injection. Basically, by not handling your user input properly, you're allowing anyone and everyone to execute arbitrary SQL statements (not good!). If you search for 'SQL Injection', you'll get tonnes of resources.

For starters, have a look at this question: How can I prevent SQL injection in PHP?

Chris
  • I know about SQL injection but I'm unaware how to allow the users to enter messages with such characters. mysql_real_escape_string? – sark9012 May 26 '10 at 10:22
  • @Luke That's one solution. The question I linked to has some really good answers that outline other possibilities. – Chris May 26 '10 at 10:49
  • @Luke while "SQL injection" is a terrible term to describe your problem, the solution is the same – Your Common Sense May 26 '10 at 11:15
  • @Col. Shrapnel - Why's it a terrible term? If the DB is throwing errors when the user inputs `'` then it's almost certainly a SQL injection vulnerability. – Chris May 26 '10 at 11:22
  • I have looked at the solutions you provided. Thanks – sark9012 May 26 '10 at 11:24
  • "SQL injection" stands for "SQL injection attack", not "SQL injection vulnerability". And it's not actually a vulnerability but just a malformed query. – Your Common Sense May 26 '10 at 11:29
0

Make your SQL queries by using PDO and not by munging strings.

Quentin
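The point both answers make, shown side by side as an added example (this is not code from either answer): the string-munging INSERT breaks as soon as a message contains a quote, because the `'` in the message closes the SQL string literal and the rest of the message is parsed as SQL; a PDO prepared statement sends the message as a separate parameter, so the database stores it verbatim, quotes and all. The table name `messages`, its columns `id`, `sender` and `body`, the DSN and credentials, and the sample message are all assumptions made for the example. The `mysql_real_escape_string` route mentioned in the comments belongs to the old `mysql_*` extension, which was removed in PHP 7, so PDO (or mysqli) prepared statements are the route that still works today.

```php
<?php
// Added example, not from the original answers.
// Assumes: a MySQL table `messages` (id INT AUTO_INCREMENT PRIMARY KEY,
// sender VARCHAR(64), body TEXT) and a reachable database; the DSN,
// credentials and sample message below are constructed placeholders.

$sender = 'alice';
$body   = "don't do that";   // constructed user input containing an apostrophe

// Broken approach: interpolating user input into the SQL text.
// The apostrophe in $body terminates the string literal, so MySQL sees
//   ... VALUES ('alice', 'don't do that')
// and rejects the query as malformed. Any input that alters the SQL text
// this way is the same defect the accepted answer calls SQL injection.
$brokenSql = "INSERT INTO messages (sender, body) VALUES ('$sender', '$body')";

// Correct approach: a PDO prepared statement with named placeholders.
// The SQL text contains no user data at all; the values are bound
// separately and the driver hands them to MySQL as data, never as SQL.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',   // assumed DSN
    'app_user',                                          // assumed credentials
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface errors as exceptions
        PDO::ATTR_EMULATE_PREPARES => false,                  // use real server-side prepares
    ]
);

$insert = $pdo->prepare(
    'INSERT INTO messages (sender, body) VALUES (:sender, :body)'
);
$insert->execute([':sender' => $sender, ':body' => $body]);

// Read the message back: the stored body is exactly the string the user
// typed, apostrophe included, with no escaping or unescaping in user code.
$select = $pdo->prepare(
    'SELECT body FROM messages WHERE sender = :sender ORDER BY id DESC LIMIT 1'
);
$select->execute([':sender' => $sender]);
$stored = $select->fetchColumn();

// Sanity check: what went in is what comes out.
if ($stored !== $body) {
    throw new RuntimeException('stored message differs from input');
}
echo "Stored message: {$stored}\n";
```

Setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes PDO use the MySQL server's own prepared statements rather than quoting the values client-side; either mode keeps data out of the SQL text, but the server-side mode also avoids depending on the client and server agreeing on the connection character set, which is why `charset=utf8mb4` is stated in the DSN as well.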