-2

I have a form field for an update - where I have given the administrators the ability to make changes to comments:

    <form method="post" action="form_action.php?job_numb=<?=$job_numb;?>" enctype="multipart/form-data">
        <textarea class="form-control"
                  rows="10"
                  name="comments"
                  maxlength="5000">
            <!--This is grabbing the previous $comments from the database-->
            <?php echo html_entity_decode($comments);?>
        </textarea>
    </form>

I was wondering why the text seemed truncated or cut off; I thought it had to do with the character limit, but it did not. How do you make sure the special characters don't break the SQL?

The SQL row is set to text.

scoopzilla
  • 887
  • 5
  • 15

1 Answer

-1

I have since learned that I just needed prepared statements, and that "cleaning" the data was not necessary at all.

See code below

    <?php
    $servername = "localhost";
    $username = "XXXXX";
    $password = "XXXXX";

    try {
        $conn = new PDO("mysql:host=$servername;dbname=**YOURDATABASE**", $username, $password);
        // set the PDO error mode to exception
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        echo "Connected successfully";

        if (isset($_POST['submit']) && !empty($_POST['submit'])) {
            $job_name = htmlspecialchars($_POST['job_name'], ENT_QUOTES, 'UTF-8');
            $comments = htmlspecialchars($_POST['comments'], ENT_QUOTES, 'UTF-8');

            // $sql has to be built before it is executed (in the original it was
            // assigned after the try/catch, so exec() ran with an undefined variable).
            // Note: the values are still interpolated into the SQL string; this is
            // not a prepared statement (see the comments below).
            $sql = "UPDATE `jobs_canjobs` SET
                `job_name`='$job_name',
                `comments`='$comments'
                WHERE job_numb = '$job_numb'";
            $conn->exec($sql);
        }
    } catch (PDOException $e) {
        echo "Connection failed: " . $e->getMessage();
    }
    $conn = null;
    ?>

There is no need for a second variable, and although the previous method worked, it was just an extra step.

scoopzilla
  • 887
  • 5
  • 15
  • 1
    Use prepared statements!! Don't "clean" your data!! – sevenseacat Jan 11 '17 at 07:43
  • @sevenseacat okay I get that, but I am new and I will learn different techniques as I go along. This one worked for me. Thanks for the downvote, I guess? – scoopzilla Jan 11 '17 at 17:21
  • Nope, it is not correct yet. It is incorrect not just because you are trying to clean your data. It's incorrect because you aren't actually using prepared statements. Prepared statements are the only way to secure your code, and they save you from your trouble with quotation marks. See the first code block in this answer to find out how to use prepared statements: http://stackoverflow.com/a/60496/2518200 – Cave Johnson Feb 07 '17 at 22:59
  • Also, you should use `htmlspecialchars` on data that you are inserting into the database. You should only use it when you are about to display it on your webpage. There is no reason to have HTML-encoded data in your database. One reason is that it will look all weird when you just want to view the data. – Cave Johnson Feb 07 '17 at 23:05
  • meaning you should NOT use `htmlspecialchars` in this insert? – scoopzilla Feb 07 '17 at 23:09
  • 1
    @scoopzilla Oops sorry yes that is correct. I meant to say you should NOT use `htmlspecialchars`. You would be fine with just prepared statements. – Cave Johnson Feb 07 '17 at 23:11
  • @KodosJohnson I genuinely want to learn - so should this example be: `$stmt->execute(array('job_name' => $job_name, 'comments' => $comments));` ?? – scoopzilla Feb 07 '17 at 23:12
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/135127/discussion-between-kodos-johnson-and-scoopzilla). – Cave Johnson Feb 07 '17 at 23:12
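The fix the commenters describe, as an added example that is not part of the asker's post or answer: the same UPDATE run through a PDO prepared statement, with HTML escaping moved to output time. It uses a constructed in-memory SQLite table in place of the MySQL `jobs_canjobs` table so it runs offline; the sample values and the `updateJob`/`renderTextarea` function names are assumptions for illustration.

```php
<?php
// Added example, not the asker's code. Same UPDATE as the answer, but with a PDO
// prepared statement: the values travel separately from the SQL text, so quotes or
// semicolons in a comment cannot break the statement. A constructed in-memory
// SQLite table stands in for the MySQL jobs_canjobs table so this runs offline.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE jobs_canjobs (job_numb INTEGER PRIMARY KEY, job_name TEXT, comments TEXT)');
$conn->exec("INSERT INTO jobs_canjobs VALUES (42, 'old name', 'old comment')");

// Store the text exactly as typed: no htmlspecialchars, no quote "cleaning".
function updateJob(PDO $conn, int $jobNumb, string $jobName, string $comments): int
{
    $stmt = $conn->prepare(
        'UPDATE jobs_canjobs SET job_name = :job_name, comments = :comments
         WHERE job_numb = :job_numb'
    );
    $stmt->execute([
        ':job_name' => $jobName,
        ':comments' => $comments,
        ':job_numb' => $jobNumb,
    ]);
    return $stmt->rowCount();
}

// Escape only at output time, when the value is placed inside HTML.
function renderTextarea(PDO $conn, int $jobNumb): string
{
    $stmt = $conn->prepare('SELECT comments FROM jobs_canjobs WHERE job_numb = :job_numb');
    $stmt->execute([':job_numb' => $jobNumb]);
    $comments = (string) $stmt->fetchColumn();
    return '<textarea name="comments" rows="10" maxlength="5000">'
        . htmlspecialchars($comments, ENT_QUOTES, 'UTF-8')
        . '</textarea>';
}

// Constructed input standing in for $_POST; the quotes, semicolon and tag are
// exactly the characters that broke the interpolated SQL in the answer.
$comments = "Client said: \"don't start before 9\"; cost < \$500 <b>urgent</b>";
$updated = updateJob($conn, 42, "Smith's job", $comments);

echo "rows updated: $updated\n";
echo renderTextarea($conn, 42), "\n";
// The database row holds the raw text; only the HTML output contains &quot;, &#039;, &lt; and &gt;.
```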