-2

So basically I have a working HTML form that, when filled out and submitted, goes to my SQL database. I have checked multiple times and it works as it should unless there is a ' character in the data being submitted. If there is a ', it simply won't submit the form. I don't know why this is and was hoping someone would know and potentially help me resolve the problem so that that character can be used. I am using PHP to connect my HTML form to my SQL server.

All the columns in my SQL Table are VARCHAR(no.)

EDIT: This is the code in my PHP file.

<?php
// database connection code
// $con = mysqli_connect('localhost', 'database_user', 'database_password','database');

$con = mysqli_connect('localhost', 'root', '7520NHOj','db_connect');

// get the post records
$txtName = $_POST['txtName'];
$txtEmail = $_POST['txtEmail'];
$txtPhone = $_POST['txtPhone'];
$txtMessage = $_POST['txtMessage'];

// database insert SQL code
$sql = "INSERT INTO `tbl_contact` (`fldName`, `fldEmail`, `fldPhone`, `fldMessage`) VALUES ('$txtName', '$txtEmail', '$txtPhone', '$txtMessage')";

// insert in database 
$rs = mysqli_query($con, $sql);

if($rs)
{
    echo "Your Contact form has been submitted, we will get back to you as soon as possible!";
}

?>
  • 3
    Sounds like you're NOT using `prepared statements`, which can cause that issue. Then, from DB retrieval to page output, the data needs to be escaped properly as well, such as with `htmlspecialchars`. – Paul T. Aug 25 '22 at 03:44
  • 1
    Ah ok, how would I use prepared statements? – DaSaltyL3mon Aug 25 '22 at 03:47
  • 1
    Ok, so you are using `mysqli` at least, so that is good. Start with the [examples here](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) then come back with any questions if you get stuck as you go. The way you have the variables in the INSERT now can _definitely_ lead to SQL injection issues. You'll find that using prepared statements is less verbose and has fewer quoting hassles. – Paul T. Aug 25 '22 at 03:52
  • You should never directly include user input in any SQL statements. This will leave you wide open to SQL injection attacks which can easily wipe your entire database. Using prepared statements is a very good practice. You can alternatively filter/sanitise the data first but it seems almost unnecessary if you are using prepared statements. – Rylee Aug 25 '22 at 04:26
  • Ok so I now see what SQL injection is and how bad it can be. But because my form won't actually submit if there is the ' character, then technically speaking I am safe from my table being dropped and such. But I would definitely still like to learn how to prevent SQL injection and learn about prepared statements. Thank you both for the feedback and help. If I get stuck I may come back here for help. – DaSaltyL3mon Aug 25 '22 at 06:07
  • What makes you think that your form did not actually submit? You are most likely simply _wrong_ on that. (You would have to explicitly _implement_ something on the client side to achieve that kind of behavior - which I am guessing you didn't actually do?) – CBroe Aug 25 '22 at 06:54
  • The thing that makes me think it didn't submit is the whole fact that the little message didn't pop up on screen when it would normally get sent, plus the info input in the form would not then get sent through to the MySQL database. Plus, if you read the thing, yes I did technically do something client side: called putting in a funky character that the database didn't like, therefore not allowing it to be sent through... or something, I don't really know, but it does work now so all is good. – DaSaltyL3mon Aug 26 '22 at 01:09

1 Answer

0

Use the mysqli_real_escape_string function to solve the problem. Use the following code.

<?php
// database connection code
// $con = mysqli_connect('localhost', 'database_user', 'database_password','database');

$con = mysqli_connect('localhost', 'root', '7520NHOj','db_connect');

// get the post records
$txtName = mysqli_real_escape_string($con,$_POST['txtName']);
$txtEmail = mysqli_real_escape_string($con,$_POST['txtEmail']);
$txtPhone = mysqli_real_escape_string($con,$_POST['txtPhone']);
$txtMessage = mysqli_real_escape_string($con,$_POST['txtMessage']);

// database insert SQL code
$sql = "INSERT INTO `tbl_contact` (`fldName`, `fldEmail`, `fldPhone`, `fldMessage`) VALUES ('$txtName', '$txtEmail', '$txtPhone', '$txtMessage')";

// insert in database 
$rs = mysqli_query($con, $sql);

if($rs)
{
    echo "Your Contact form has been submitted, we will get back to you as soon as possible!";
}

?>
Javed Iqbal
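The comments above recommend prepared statements rather than escaping. The following is an added example, not the answer's code and not the asker's code, of the same contact-form INSERT written with mysqli prepared statements. It uses the table and column names from the question (`tbl_contact`, `fldName`, `fldEmail`, `fldPhone`, `fldMessage`); the database user, a placeholder password, the `utf8mb4` charset, the `read_back_by_email` helper and the sample name "O'Brien" are assumptions made for this example. With placeholders, the apostrophe in the data never becomes part of the SQL text, so a name such as O'Brien is stored as typed and the statement's structure cannot be altered by form input.

```php
<?php
// Added example, not code from the page: contact-form INSERT with mysqli prepared
// statements. Table/column names come from the question; credentials are placeholders.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception on any error instead of returning false,
// so a failed INSERT shows up as an error rather than as a form that "won't submit".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    // Assumed credentials; replace with your own (never a root account for a web form).
    $con = new mysqli('localhost', 'db_user', 'DB_PASSWORD_PLACEHOLDER', 'db_connect');
    // Quoting and escaping rules depend on the connection charset, so set it explicitly.
    $con->set_charset('utf8mb4');
    return $con;
}

function insert_contact(mysqli $con, string $name, string $email, string $phone, string $message): int
{
    // The SQL text holds only '?' placeholders; the values are sent separately,
    // so a quote in $name (e.g. O'Brien) cannot change the statement's structure.
    $stmt = $con->prepare(
        'INSERT INTO `tbl_contact` (`fldName`, `fldEmail`, `fldPhone`, `fldMessage`) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $name, $email, $phone, $message);
    $stmt->execute();
    $affected = (int) $stmt->affected_rows;
    $stmt->close();
    return $affected; // 1 on success
}

// Assumed helper: read a row back to confirm the apostrophe was stored unchanged.
function read_back_by_email(mysqli $con, string $email): ?array
{
    $stmt = $con->prepare(
        'SELECT `fldName`, `fldEmail`, `fldPhone`, `fldMessage` FROM `tbl_contact` WHERE `fldEmail` = ? LIMIT 1'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Form handler: takes the POST array and returns the message to show the user.
function handle_form(mysqli $con, array $post): string
{
    $name    = trim((string) ($post['txtName'] ?? ''));
    $email   = trim((string) ($post['txtEmail'] ?? ''));
    $phone   = trim((string) ($post['txtPhone'] ?? ''));
    $message = trim((string) ($post['txtMessage'] ?? ''));

    if ($name === '' || $email === '' || $message === '') {
        return 'Please fill in your name, email and message.';
    }

    try {
        insert_contact($con, $name, $email, $phone, $message);
    } catch (mysqli_sql_exception $e) {
        // Log the real reason server-side; show the user a generic message.
        error_log('contact insert failed: ' . $e->getMessage());
        return 'Sorry, your message could not be saved. Please try again later.';
    }
    return 'Your Contact form has been submitted, we will get back to you as soon as possible!';
}

if (PHP_SAPI !== 'cli') {
    // Web request: handle the real POST.
    echo htmlspecialchars(handle_form(connect(), $_POST), ENT_QUOTES, 'UTF-8');
} else {
    // Command-line run: constructed sample input containing an apostrophe.
    $con = connect();
    $sample = [
        'txtName'    => "Pat O'Brien",
        'txtEmail'   => 'pat@example.com',
        'txtPhone'   => '555-0100',
        'txtMessage' => "It's working now, isn't it?",
    ];
    echo handle_form($con, $sample), PHP_EOL;
    $row = read_back_by_email($con, 'pat@example.com');
    echo 'Stored name: ', $row['fldName'] ?? '(not found)', PHP_EOL; // Pat O'Brien, apostrophe intact
}
```

Because the values are bound rather than interpolated, no call to mysqli_real_escape_string is needed, and enabling `MYSQLI_REPORT_STRICT` turns the silent "nothing happened" behaviour from the question into a logged exception, which is also the first thing to check when a form stops submitting for certain inputs.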