
I want to insert text containing \n and \", but when I did it with PDO:

$received_data = file_get_contents("php://input");


$sth = $connect->prepare("UPDATE USERS SET botconfig='$received_data' WHERE id=1");
$result = $sth->execute();

The value of $received_data is like this:

"start: \nsay "How i can help two three " \nsay "bla bla " \n

What I found in the MySQL database:

start:  
say "How i can help two three "  
say "bla bla "

The \n and /" disappear from the database.

Thanks for any help.

Ahmed Zeini
  • _"what i found in the mysql database"_ - Are you saying that you have `echo` in the database? Or are you just trying to demonstrate that there are new lines? `\n` is an [escape character](https://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.double) for a new line when inside a double quoted string. – M. Eriksson Oct 18 '22 at 01:21
  • 1
    **Warning!** Your code is _wide open_ to [SQL injection attacks](https://owasp.org/www-community/attacks/SQL_Injection)! Read [how to prevent SQL injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) by using prepared statements with bound parameters instead of injecting variables directly into your queries. It's not just about security. If your data contains, for example, a single quote `'`, your query will break. – M. Eriksson Oct 18 '22 at 01:24
  • @M.Eriksson thanks for the reply, I have input like this "start: \nsay /"How i can help two three /" \nsay "bla bla " \n", and I want to save it in the db without cutting \n and /", I hope you understand my question – Ahmed Zeini Oct 18 '22 at 01:28
  • @M.Eriksson thank you so much, exactly what I mean, I need to keep **\n**, I don't want to replace it by new lines – Ahmed Zeini Oct 18 '22 at 01:43
  • 1
    You're preparing your statement, but doing so with an interpolated variable instead of a placeholder. This is just as vulnerable as just executing the query. Find a decent tutorial that covers prepared statements and update your code. – Tangentially Perpendicular Oct 18 '22 at 03:28
  • @M.Eriksson there is no software that I know which would render the escaped characters when outputting them. Everything I know renders on input. So the OP wants to prevent that. – Your Common Sense Oct 18 '22 at 06:00
  • @TangentiallyPerpendicular thanks, by the way I tried all of them, using a prepared statement but not working `$sth->execute([":received_data" => $received_data ])` – Ahmed Zeini Oct 18 '22 at 12:09

0 Answers
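Added example, not code from the question or from any answer on this page: the same UPDATE written with bound parameters, assuming `$connect` is a PDO connection and the `USERS`/`botconfig` table and column from the question. With interpolation, the value becomes part of a quoted SQL literal and MySQL parses `\n` and `\"` as escape sequences (and a stray `'` breaks or alters the statement); with a bound parameter the value travels separately from the SQL text, so it cannot change the statement and its backslashes reach the column unchanged. The placeholder name in the SQL must match the key used when binding.

```php
<?php
// Added example; assumes $connect is an existing PDO instance connected to
// the database that holds the USERS table from the question.
$connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use real server-side prepared statements so the driver never builds a
// quoted literal out of the value itself.
$connect->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample input matching the question. Single quotes in PHP keep
// the backslash-n and backslash-quote sequences as literal characters.
// In the real handler this value comes from file_get_contents("php://input").
$received_data = 'start: \nsay \"How i can help two three \" \nsay "bla bla " \n';

// The SQL text contains only placeholders; the data never touches the query
// string, so neither MySQL escape parsing nor injection applies to it.
$sth = $connect->prepare('UPDATE USERS SET botconfig = :botconfig WHERE id = :id');
$sth->bindValue(':botconfig', $received_data, PDO::PARAM_STR);
$sth->bindValue(':id', 1, PDO::PARAM_INT);
$sth->execute();

// Read the row back to confirm the stored text is exactly what was sent.
$check = $connect->prepare('SELECT botconfig FROM USERS WHERE id = :id');
$check->bindValue(':id', 1, PDO::PARAM_INT);
$check->execute();
$stored = $check->fetchColumn();

if ($stored !== $received_data) {
    throw new RuntimeException('Stored botconfig differs from the submitted value');
}
```

For comparison, the interpolated form from the question hands MySQL the literal `'start: \nsay \"How ...'`, which the server unescapes before storing, which is why the backslashes vanish.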