I have made a little "Support Ticket" system, but I have a little problem.

If you add ' to the textarea, it does not send the data to the database.

PHP:

<?php



if(isset($_POST['submit']))
{

  $subject = $_POST['subject'];
  $message = $_POST['message'];
  $steamid = $_SESSION['steamid'];

  $message = htmlspecialchars( str_replace('','',$message) );
  $subject = htmlspecialchars( str_replace('','',$subject) );

  $date = date('d.m.Y, G:i');

  $db -> query("INSERT INTO tickets (userId, subject,message, status, date) VALUES ('".$steamid."', '".$subject."', '".$message."', '1', '".$date."') ");

}

?>

HTML:

<form action="support" method="POST">
  <input maxlength="50" type="text" class="form-control" name="subject" placeholder="Subject..." style="margin-top:10px" required>
  <textarea maxlength="500" name="message" class="form-control" placeholder="Your message..." style="margin-top:10px" required></textarea>
  <input type="submit" class="btn btn-success" name="submit" style="margin-top:10px" value="Submit" />
</form>

I was wondering if the problem is because of $message = htmlspecialchars( str_replace('','',$message) );

FIXED:

I added this: $message = mysql_real_escape_string($_POST['message']);
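
Added example, not part of the original post: the apostrophe breaks the INSERT because the value is concatenated into a quoted SQL string, and a prepared statement avoids that without manual escaping (the `mysql_*` functions were removed in PHP 7). It assumes PDO with an in-memory SQLite database in place of the post's `$db`; `save_ticket()` and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: PDO + in-memory SQLite stands in for the post's $db connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tickets (
    id INTEGER PRIMARY KEY, userId TEXT, subject TEXT,
    message TEXT, status TEXT, date TEXT)');

// Hypothetical helper: values travel as bound parameters, never as SQL text,
// so a quote in the input cannot end the string literal.
function save_ticket(PDO $pdo, string $steamid, string $subject, string $message): int
{
    // Enforce the form's maxlength server-side as well (needs ext-mbstring).
    if ($subject === '' || $message === '' ||
        mb_strlen($subject) > 50 || mb_strlen($message) > 500) {
        throw new InvalidArgumentException('subject or message has an invalid length');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO tickets (userId, subject, message, status, date)
         VALUES (:userId, :subject, :message, :status, :date)'
    );
    $stmt->execute([
        ':userId'  => $steamid,
        ':subject' => $subject,   // stored raw; escape for HTML when displaying
        ':message' => $message,
        ':status'  => '1',
        ':date'    => date('d.m.Y, G:i'),
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input containing the apostrophe that broke the original query.
$id = save_ticket($pdo, '76561198000000000', "Can't log in", "It's broken, see 'error 5'");

$sel = $pdo->prepare('SELECT subject, message FROM tickets WHERE id = ?');
$sel->execute([$id]);
$row = $sel->fetch(PDO::FETCH_ASSOC);

// HTML-escape at output time, with ENT_QUOTES so quotes are encoded too.
echo htmlspecialchars($row['subject'], ENT_QUOTES, 'UTF-8'), "\n";
echo htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8'), "\n";
```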
