Apostrophe in HTML textarea causing PHP error

Question

This is my first ever post on Stack Overflow. I have had a good try with this and a good search for answers, but to no avail. So here goes:

I have made a basic messaging app just for coding practice. Obviously, I want it to be safe from xss so have used "HTMLspecialchars".

The problem: The app works fine as long as no one puts an apostrophe in the message. So the message "Let's go" throws an error:

let's go Error:INSERT INTO chat (msg) VALUES ('Hello let's go') You have an error in your SQL syntax; check the manual that corresponds to your >MariaDB server version for the right syntax to use near 's go')' at line 2

Here's my code for inputting and sending to mysql:

<!DOCTYPE html>
<!-- input -->
<html>
<body>
<?php
// define variables and set to empty values
 $name = $msg = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
  $name = test_input($_POST["name"]);
  $msg = test_input($_POST["msg"]);
}

function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
    return $data;
}
?>

<h2>Messaging Appq</h2>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">  
  Name: <input type="text" name="name" value ="<?php echo htmlspecialchars($_POST['name']); ?> ">
  <br><br>
  Message: <textarea name="msg" rows="5" cols="40"></textarea>
  <br><br>
  <input type="submit" name="submit" value="Submit">  
</form>


<!-- enter on DB -->
<?php
$servername = "localhost";
$username = "*********";
$password = "*********";
$dbname = "***********";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 
$name=$_POST['name'];
$msg=$_POST['msg'];
$bothd = $name . $msg;

$sql = "INSERT INTO chat (msg)
VALUES ('$bothd')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully<br><br>";
} else {
    echo "Error:" . $sql . "<br>" . $conn->error;
}
$conn->close();
?>

So, I know i need to use "ent_quotes". But where should it go? I see the normal syntax is

<?php echo htmlspecialchars($str, ENT_QUOTES); ?>

and I have tried putting "ent_quotes" in the following positions, obviously not all at the same time:

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES);?>">  
  Name: <input type="text" name="name" value ="<?php echo htmlspecialchars($_POST['name'], ENT_QUOTES); ?> ">
  <br><br>
  Message: <textarea name="msg" rows="5" cols="40" value ="<?php echo htmlspecialchars($msg, ENT_QUOTES); ?>"></textarea>

  <br><br>
  <input type="submit" name="submit" value="Submit">  
</form>

I also tried adding it to the function:

 function test_input($data) {
      $data = trim($data);
      $data = stripslashes($data);
      $data = htmlspecialchars($data, ENT_QUOTES);
        return $data;
    }

Apologies if I am missing something obvious! I am relatively new to this!

Your issue is in your db `INSERT` query, not your textbox. You need to sanitize your user data before inserting — Sean, Jun 25 '17 at 14:34

score -3 · Answer 1 · edited Jun 25 '17 at 15:34

-3

SELECT 'A ''quoted'' word.' AS text FROM DUAL;

TEXT

A 'quoted' word.

you have to edit the query string and add another ' to your string

edited Jun 25 '17 at 15:34

Funk Forty Niner

74,450
15
68
141

answered Jun 25 '17 at 14:20

arshad seja

1

Sorry, I'm a bit of a noob and I'm not quite sure what you mean! – T C Jun 25 '17 at 14:29
@TC They mean the single quote in your query breaks the string encapsulation so you need to escape. You should do this by using a parameterized query and letting the driver handle it. – chris85 Jun 25 '17 at 14:34
Sorted it: mysqli prepared statements did the trick :) – T C Jun 25 '17 at 18:35

Apostrophe in HTML textarea causing PHP error

1 Answers1