
I am using the following code, but it seems whenever I use a single quotation (') or double quotation (") in my article field ($_POST['article']) it is not going to be added to the database unless I use \' or \" so that it is read by the query as part of the text. Is there any code I can write so that it considers the $_POST['article'] as a whole text? Here is my code:

<?php
require_once ('connection.php');

$title=$_POST['title'];
$article=$_POST['article'];
/* $category was never assigned in the original; assumed to come from the form. */
$category = isset($_POST['category']) ? $_POST['category'] : "";

if($category!="")
{
    $query = "SELECT count( id ) as num FROM article;";
    $result = mysqli_query($conn, $query);

    /* numeric array */
    $row = mysqli_fetch_array($result, MYSQLI_NUM);
    if($row[0]==0)
    {
        $newId=0;
    }else{
        $query = "SELECT MAX( id ) as max FROM article;";
        $result = mysqli_query($conn, $query);

        /* numeric array */
        $row = mysqli_fetch_array($result, MYSQLI_NUM);
        $newId = $row[0] +1;
    }
    /* String concatenation: any quote inside $title or $article becomes part of
       the SQL text, which is the problem described above (and an SQL injection vector). */
    $sql="INSERT INTO `article`(`id`, `title`, `text`)
                                VALUES ('".$newId."','".$title."','".$article."')";
    /* Run the INSERT once; the original executed it twice, inserting duplicate rows. */
    if ($conn->query($sql) === TRUE) {
        header("Location: ArticleSent.php");
        $conn->close();
        exit();
    } else {
        echo "Error: " . $sql . "<br>" . $conn->error;
        $conn->close();
        exit();
    }
}
else
{
    header("Location: categoryrequired.php");
    $conn->close();
    exit();
}

?>
  • Your code is wide open to SQL injection attack, please prepare those statements! http://bobby-tables.com – Loek Jun 05 '18 at 10:44
  • All you need to know is Bound and Parameterised queries will remove this issue and make your code less likely to be attacked by [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) all at the same time – RiggsFolly Jun 05 '18 at 10:47
  • Any basic tutorial on how to _properly_ use a database should cover this. – CBroe Jun 05 '18 at 10:47
  • @Loek this is just a template, but I will, thank you – Batoul Diab Jun 05 '18 at 10:49
  • Also consider making your `id` column an AutoIncrement column. Then you do not need to risk duplicate keys being generated on a busy system using your existing mechanism – RiggsFolly Jun 05 '18 at 10:49
  • @RiggsFolly ok thank you – Batoul Diab Jun 05 '18 at 10:50
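The insert from the question rewritten the way the comments suggest, as an added example that is not the asker's code: a mysqli prepared statement (so quotes in the article text are data, never SQL) with the id assigned by AUTO_INCREMENT instead of SELECT MAX(id)+1. It assumes connection.php defines a mysqli `$conn` as in the question, that `article.id` is AUTO_INCREMENT, and that the category comes in as `$_POST['category']`.

```php
<?php
// Added example, not the original poster's code.
// Assumes connection.php provides $conn (mysqli) and article.id is AUTO_INCREMENT.
require_once 'connection.php';

$title    = $_POST['title']    ?? '';
$article  = $_POST['article']  ?? '';
$category = $_POST['category'] ?? '';   // assumed form field name

if ($category === '') {
    header('Location: categoryrequired.php');
    $conn->close();
    exit();
}

// Placeholders (?) take the place of values. The values are sent to the
// server separately from the SQL text, so ' and " inside $article can
// neither break the query nor change its meaning. No manual escaping needed.
$sql  = 'INSERT INTO `article` (`title`, `text`) VALUES (?, ?)';
$stmt = $conn->prepare($sql);
if ($stmt === false) {
    echo 'Prepare failed: ' . htmlspecialchars($conn->error);
    $conn->close();
    exit();
}

// 'ss' = two string parameters, bound in placeholder order.
$stmt->bind_param('ss', $title, $article);

if ($stmt->execute()) {
    // AUTO_INCREMENT assigns the id atomically inside the database, so two
    // concurrent requests cannot compute the same MAX(id)+1 and collide.
    $newId = $conn->insert_id;   // available if the next page needs it
    $stmt->close();
    $conn->close();
    header('Location: ArticleSent.php');
    exit();
}

// Report the driver error only; never echo the SQL or raw user input unescaped.
echo 'Error: ' . htmlspecialchars($stmt->error);
$stmt->close();
$conn->close();
exit();
```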

0 Answers