I am developing a website that lets you list a piece of property and view it's custom property information page as soon as you click "List Property". Everything works fine unless you add a a special character and then the page echo's get error which is triggered from mysql_real_escape_string failing. How can I get all of the information saved even with special characters?
List Property Page:
Screenshot:
PHP:
<?php
ob_start();
session_start();
require_once( "./inc/connect.inc.php" );
if(isset($_POST['list'])){
$user_email = strip_tags(@$_SESSION['user_email']);
$price = strip_tags(@$_POST['price']);
$address = strip_tags(@$_POST['street']);
$city = strip_tags(@$_POST['city']);
$state = strip_tags(@$_POST['state']);
$zip = strip_tags(@$_POST['zip']);
$prop_type = strip_tags(@$_POST['prop_type']);
$sqft = strip_tags(@$_POST['sqft']);
$built = strip_tags(@$_POST['built']);
$bedrooms = strip_tags(@$_POST['bedrooms']);
$bathrooms = strip_tags(@$_POST['bathrooms']);
$description = strip_tags(@$_POST['description']);
$d = date("Y-m-d");
$query = mysql_query("INSERT INTO properties VALUES('', '$address', '$address', '$price', '$address',
'$city', '$state', '$zip', '$sqft',
'$built', '$prop_type', '$bedrooms',
'bathrooms', '$description', '$d')");
$query = mysql_query("INSERT INTO properties VALUES('', '$address', '$address', '$price', '$address',
'$city', '$state', '$zip', '$sqft',
'$built', '$prop_type', '$bedrooms',
'bathrooms', '$description', '$d')");
$id = mysql_insert_id($db);
header("Location: ../property_info/index.php?id=".$id);
exit();
}
?>
HTML:
<form action="#" method="POST">
<div class="form-group">
<div class="col-md-12">
<input type="text" class="form-control" name="price" placeholder="List Price">
</div>
<div class="col-sm-12">
<input type="text" class="form-control" name="street" placeholder="Street Address">
</div>
<div class="col-sm-6">
<input type="text" class="form-control" name="city" placeholder="City">
</div>
<div class="col-sm-2">
<input type="text" class="form-control" name="state" placeholder="State">
</div>
<div class="col-sm-4">
<input type="text" class="form-control" name="zip" placeholder="Zip Code">
</div>
<div class="col-sm-12">
<select class="col-sm-12" id="prop_type" name="prop_type" data-placeholder="Type of Property">
<option value=""> </option>
<option value="single">Single Family</option>
<option value="condo">Condominium</option>
<option value="townhouse">Townhouse</option>
<option value="multi">Multi-Family</option>
<option value="mobile">Mobile</option>
<option value="land">Land</option>
</select>
</div>
<div class="col-md-6">
<input type="text" class="form-control" name="sqft" placeholder="Square Footage">
</div>
<div class="col-md-6">
<input type="text" class="form-control" name="built" placeholder="Year Built">
</div>
<div class="col-sm-12">
<select id="bedrooms" name="bedrooms" data-placeholder="Bedrooms">
<option value=""> </option>
<option value="0">0</option>
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
<option value="6plus">6+</option>
</select>
<select id="bathrooms" name="bathrooms" data-placeholder="Bathrooms">
<option value=""> </option>
<option value="0">0</option>
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5plus">5+</option>
</select>
</div>
<div class="col-md-12">
<textarea class="form-control" name="description" rows="3" placeholder="Tell us about your house..."></textarea>
</div>
<!-- END ADDRESS FORM -->
<p> </p>
<p class="center">
<a href='www.urbanares.com/property_info/index.php'><button class="btn btn-warning" name='list'>List Property</button></a>
</p>
</div>
</form>
Property Info Page
Screenshot:
PHP:
<?php
$_SESSION['post_to'] = $_GET['id'];
if(isset($_GET['id'])){
$prop_id = mysql_real_escape_string($_GET['id'])or die("get error");
$check = mysql_query("SELECT * FROM properties WHERE id='$prop_id'") or die("query error");
if(mysql_num_rows($check)==1){
$get = mysql_fetch_assoc($check);
}else{
print_r($check);
echo "<h2>Property does not exist!</h2>";
echo $check;
echo $prop_id;
exit();
}
}
?>
phpMyAdmin:
Screenshot:
