
So I have found that this form I have just falls apart and doesn't even submit the content up until the first apostrophe when someone types in an apostrophe to this text area. How do I go about escaping the contents so they make it into my MySQL table? Thanks!

```php
<?php
// The form is emitted from inside a double-quoted PHP string (hence the \" and {$row['ID']}).
echo "<form action=\"./functions/notes.php\" method='post'>
<input type='hidden' id='ID' name='ID' value='{$row['ID']}' />

<textarea placeholder=\"Add more notes here...\" name=\"notes\"></textarea><br />
<input type='submit' name='formNotes' id='formNotes' value='Add to Notes' />
</form>";
```

then in the notes.php file

```php
<?php
$notesID = $_POST['ID'];
$note = $_POST['notes'];
$date= date('Y-m-d');
// $note and $notesID are concatenated straight into the SQL text, so an apostrophe
// in either one terminates the string literal and the statement fails (or worse).
$result = mysql_query("UPDATE Project_Submissions SET Notes=CONCAT(Notes,'<br />".$date." ".$note."') WHERE ID ='".$notesID."'");
```
new2programming

  • http://php.net/manual/en/function.urlencode.php – Jose Manuel Abarca Rodríguez May 29 '15 at 19:06
  • Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and consider using PDO, [it's not as hard as you think](http://jayblanchard.net/demystifying_php_pdo.html). If you use prepared statements you do not have to worry about escaping *anything*. – Jay Blanchard May 29 '15 at 19:07
  • @JayBlanchard I'm using mysqli instead of mysql. Do you think there are problems with that? I don't know of functions comparable to mysqli_fetch_assoc for returning everything I need. And I read that mysqli is an improved version. – Zapp May 29 '15 at 19:12
  • @JoseManuelAbarcaRodríguez actually, urlencode is the wrong function/method here. The correct answer would be to bind your queries, the ok/bad answer would be to escape your queries. Using urlencode would require you to urldecode when pulling the value out or else you would end up with a bunch of `%20` values (and other url entities) in your text. At the VERY least, pass it into htmlentities. – Jonathan Kuhn May 29 '15 at 19:12
  • @Zapp mysqli is fine compared to PDO. Choosing which is just personal preference. The key is to BIND your queries instead of building a query using concatenation and escaping. Oh, and yes, mysqli is improved mysql. Mysql will be removed in future version. – Jonathan Kuhn May 29 '15 at 19:13
  • `mysqli_*` functions are fine @Zapp, I just prefer (as do many, many others) `PDO`. – Jay Blanchard May 29 '15 at 19:18
  • I truly understand your points, my learning process is going to be to write the code as I know how to write it and then update the code. It's too hard for me to be debugging code with syntax I'm not as familiar with. I want to settle in with the code I know and get it right and then I can learn how to fix it. Just like refactoring an old system, one step at a time. Thanks! – new2programming Jun 01 '15 at 20:01

1 Answer

Apostrophes have special meaning to SQL, so to get them into the data they need to be "escaped". PHP has a quick function for this that also does some security checks to help prevent your database from getting hacked.

```php
$note = mysql_real_escape_string($note);
```

Ditto on moving away from mysql and onto MySQLi.

With MySQLi it's similar; you just need to supply the connection variable:

```php
$note = mysqli_real_escape_string($link, $note);
```
Duane Lortie
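The following is an added example, not code from the question or from the answer above. It rewrites the `notes.php` update from the question two ways: with a MySQLi prepared statement (the binding approach the comments recommend), and with `real_escape_string` done completely (the answer's escaping approach, including the quoting and charset steps the one-line snippet leaves out). The connection details are hypothetical, and the `Project_Submissions(ID, Notes)` table is assumed to be the one from the question.

```php
<?php
// Added example: neither the asker's nor the answerer's code.
// Assumes the Project_Submissions(ID, Notes) table from the question.

function appendNotePrepared(mysqli $link, string $notesID, string $note): int
{
    // The date stamp and <br /> are built in PHP and bound as ONE value, so the
    // user's text never becomes part of the SQL statement. A plain apostrophe,
    // or a payload such as  x'); DROP TABLE Project_Submissions; --  is stored
    // literally instead of being parsed as SQL.
    $fragment = '<br />' . date('Y-m-d') . ' ' . $note;

    $stmt = $link->prepare(
        'UPDATE Project_Submissions SET Notes = CONCAT(Notes, ?) WHERE ID = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    // 'ss' = two string parameters; use 'i' for ID if that column is an INT.
    $stmt->bind_param('ss', $fragment, $notesID);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

function appendNoteEscaped(mysqli $link, string $notesID, string $note): int
{
    // The escaping route from the answer, done completely. Two things the
    // one-liner does not show: the escaped value must still be placed inside
    // single quotes in the SQL text, and $link->set_charset() must have been
    // called first, otherwise the escaping is not aware of the connection
    // charset and certain multibyte sequences can defeat it.
    $fragment = '<br />' . date('Y-m-d') . ' ' . $note;
    $sql = "UPDATE Project_Submissions SET Notes = CONCAT(Notes, '"
         . $link->real_escape_string($fragment)
         . "') WHERE ID = '"
         . $link->real_escape_string($notesID)
         . "'";
    if ($link->query($sql) === false) {
        throw new RuntimeException('query failed: ' . $link->error);
    }
    return $link->affected_rows;
}

// Hypothetical connection details; replace with your own.
$link = new mysqli('localhost', 'dbuser', 'dbpass', 'projectdb');
if ($link->connect_error) {
    die('connect failed: ' . $link->connect_error);
}
$link->set_charset('utf8mb4');

$notesID = $_POST['ID'] ?? '';
$note    = $_POST['notes'] ?? '';

// ID arrives from a hidden form field the client fully controls; verify that the
// current user may edit this submission before running either update.
appendNotePrepared($link, $notesID, $note);
```

Either function stores the apostrophe intact; the prepared version is the one to keep, because the text and the SQL travel to the server separately and there is nothing to get wrong. Since the stored notes include raw user text and `<br />` markup, pass the user-supplied part through `htmlspecialchars()` when rendering it back into a page.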