complete novice here so be gentle with me, I am trying to update a mysql database with a string that is likely to contain apostrophes, I have it all working except the apostrophe issue, I have htmlspecialchars in use. I assume I need mysqli real_escape_string but don't know how to incorporate it into my code. The coding is probably very poorly done but while it works I can live with it, it is for an extra couple of text boxes sneaked into an existing gallery script. Code is:

```php
<?php

$servername = "localhost:3306";
$username = "xxxxxxxxx";
$password = "xxxxxxxx";
$dbname = "my_bodged_gallery";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
if (empty($_GET)) {
    $gallery_id = htmlspecialchars($_POST["gall_id"]);
} else {
    $gallery_id = $_GET['gall_id'];
}

if (isset($_POST["submit"])) {

    $new_title = htmlspecialchars($_POST["new_title"]);
    $new_story = htmlspecialchars($_POST["new_story"]);

    $sql = "UPDATE stivagallery_plugin_gallery SET main_title = '$new_title' , story = '$new_story' WHERE foreign_id= '$gallery_id' AND sort= '1'";
    if ($conn->query($sql) === TRUE) {
        echo "Record updated";
    } else {
        echo "Error updating record: " . $conn->error;
    }
    $sql = "UPDATE stivagallery_galleries SET title = '$new_title' , story = '$new_story' WHERE id= '$gallery_id' ";
    if ($conn->query($sql) === TRUE) {
        echo " successfully";
    } else {
        echo "Error updating record: " . $conn->error;
    }
} else {
    $sql = "SELECT title, story FROM stivagallery_galleries WHERE id= '$gallery_id' ";
    $result = $conn->query($sql);
    if ($result->num_rows > 0) {
        while ($row = $result->fetch_assoc()) {
            $new_title = $row["title"];
            $new_story = $row["story"];
        }
    }
}

$conn->close();
?>
<html><body>
<div>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#FFFFFF" width="735" height="200" bgcolor="#FFFFFF">
    <tr>
      <td><form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">

        <i><font face="Arial Black" color="#000080">Title:</font></i><br>
        <input type="text" name="new_title" size="20" value="<?php echo $new_title; ?>"><br>
        <br>
        <i><font face="Arial Black" color="#000080">Your story: </font></i>
        <br>
        <textarea rows="10" name="new_story" cols="80"><?php echo $new_story; ?></textarea></p>
        <input type="hidden" name="gall_id" value="<?php echo $gallery_id; ?>">
        <input type="submit" name="submit"><input type="reset" value="Reset" name="B2"></p>
      </form>
</td>
    </tr>
  </table>

</div></body></html>
```

Any help greatly appreciated, I'm a greasemonkey not a programmer....

  • Don't escape, parameterize with prepared statements. You also should only be using `htmlspecialchars` when outputting. – user3783243 Nov 28 '20 at 13:16
  • If you are only starting to learn PHP then you should learn PDO instead of mysqli. PDO is much easier and more suitable for beginners. Start here https://phpdelusions.net/pdo – Dharman Nov 28 '20 at 13:32
  • The if are messy, you should probably start with cleaning up your code a little.... – Yunfei Chen Nov 29 '20 at 03:38
  • Got it working as required, I switched to `htmlentities($_POST["new_title"], ENT_QUOTES)` from htmlspecialchars and all good enough for me, the input form is already behind a user/password so should be safe enough. While it works I'll leave the code alone as not brave enough, thanks for your input guys(&gals). A little bit of css has got the line breaks back too along with tags. – snowbird30ds Nov 29 '20 at 12:58
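The first comment's advice (bound parameters for the queries, escaping only at output), shown on the asker's three queries as an added example; this is not the asker's code or the gallery script's, and the credentials are placeholders.

```php
<?php
// Added example, not the original post's code. Credentials are placeholders.
// With MYSQLI_REPORT_STRICT, connection and query failures throw mysqli_sql_exception
// instead of silently returning false, so no per-query error echo is needed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli("localhost", "db_user", "db_password", "my_bodged_gallery");
$conn->set_charset("utf8mb4");

// Take the input raw. Quoting is the driver's job, not htmlspecialchars'.
$gallery_id = $_POST["gall_id"] ?? $_GET["gall_id"] ?? "";

if (isset($_POST["submit"])) {
    $new_title = $_POST["new_title"] ?? "";
    $new_story = $_POST["new_story"] ?? "";

    // Each '?' is a bound value sent separately from the SQL text, so an
    // apostrophe in $new_story is stored as data and cannot alter the statement.
    $stmt = $conn->prepare(
        "UPDATE stivagallery_plugin_gallery SET main_title = ?, story = ? "
        . "WHERE foreign_id = ? AND sort = '1'"
    );
    $stmt->bind_param("sss", $new_title, $new_story, $gallery_id);
    $stmt->execute();
    $stmt->close();

    $stmt = $conn->prepare(
        "UPDATE stivagallery_galleries SET title = ?, story = ? WHERE id = ?"
    );
    $stmt->bind_param("sss", $new_title, $new_story, $gallery_id);
    $stmt->execute();
    $stmt->close();
    echo "Record updated successfully";
} else {
    $stmt = $conn->prepare("SELECT title, story FROM stivagallery_galleries WHERE id = ?");
    $stmt->bind_param("s", $gallery_id);
    $stmt->execute();
    $stmt->bind_result($new_title, $new_story);
    if (!$stmt->fetch()) {          // no matching row: render an empty form
        $new_title = $new_story = "";
    }
    $stmt->close();
}
$conn->close();
?>
<!-- Escape only here, when writing into HTML. ENT_QUOTES also protects the value="" attribute. -->
<input type="text" name="new_title" value="<?php echo htmlspecialchars($new_title, ENT_QUOTES, 'UTF-8'); ?>">
<textarea rows="10" cols="80" name="new_story"><?php echo htmlspecialchars($new_story, ENT_QUOTES, 'UTF-8'); ?></textarea>
<input type="hidden" name="gall_id" value="<?php echo htmlspecialchars($gallery_id, ENT_QUOTES, 'UTF-8'); ?>">
```

Binding `gall_id` as a string matches the original queries, which compared it in quotes; if the `id` column is an integer, cast with `(int)` and bind with `"i"` instead.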
