I'm quite new to PHP so sorry if sounds such an easy problem... :)
I'm having an error message when inserting content which contains quotes into my db.
here's what I tried trying to escape the quotes but didn't work:
$con = mysql_connect("localhost","xxxx","xxxxx");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("test", $con);
$nowdate = date('d-m-Y')
$title = sprintf($_POST[title], mysql_real_escape_string($_POST[title]));
$body = sprintf($_POST[body], mysql_real_escape_string($_POST[body]));
$sql="INSERT INTO articles (title, body, date) VALUES ('$title','$body','$nowdate'),";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
header('Location: index.php');
Could you provide any solution please?
Thanks in advance.
Mauro
it should work without the sprintf stuff
$title = mysql_real_escape_string($_POST[title]);
$body = mysql_real_escape_string($_POST[body]);
Please start using prepared parameterized statements. They remove the need for any SQL escaping woes and close the SQL injection loophole that string-concatenated SQL statements leave open. Plus they are much more pleasing to work with and much faster when used in a loop.
$con = new mysqli("localhost", "u", "p", "test");
if (mysqli_connect_errno()) die(mysqli_connect_error());
$sql = "INSERT INTO articles (title, body, date) VALUES (?, ?, NOW())";
$stmt = $con->prepare($sql);
$ok = $stmt->bind_param("ss", $_POST[title], $_POST[body]);
if ($ok && $stmt->execute())
header('Location: index.php');
else
die('Error: '.$con->error);
With any database query, especially inserts from a web based application, you should really be using parameters. See here for PHP help on how to use parameters in your queries: PHP parameters
This will help to prevent SQL injection attacks as well as prevent you from having to escape characters.
Your code
$sql="INSERT INTO articles (title, body, date) VALUES ('$title','$body','$nowdate'),";
should be as follows
$sql="INSERT INTO articles (title, body, date) VALUES ('$title','$body','$nowdate')";
comma should not be there at the end of query
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 贼婆χ 的文章《How to escape quotes when inserting into database 》','https://www.manongdao.com/article-393732.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}