Menu
Community /Pin to ProfileBookmark
@NogDogMay 06.2012 — #Just be sure to escape all user inputs before using them in a query. Besides avoiding problems like this, it also stops malicious users from injecting SQL into your queries. With the MySQL extension, the function you want to use is mysql_real_escape_string ().@NogDogMay 08.2012 — #
Note that the htmlspecialchars() (or htmlentities()) is normally reserved for escaping text being output to the browser; I do not recommend it for escaping inputs into the database. Why? Because then in your database you might end up with something like this:
This can have two unwanted side effects: (1) It could mean text that would otherwise just fit within a char/varchar column might now be too long, and (2) it makes searches of the data more problematic. But it is definitely a good idea for text being output to the browser, e.g.:
php code not inserting into phpmyadmin
HI everyone…I had this working at one time but must have changed something. I cant get the php to insert records into phpmyadmin. Can someone check if I have something wrong in my code. Thanks much.
[COLOR=”Red”]Here is the code for selecting from the database:
[code=php]<?php
mysql_connect(“localhost”, “root”, “”);
mysql_select_db(“mydb”);
?>
<html>
<head>
<title>Project 3 Blog</title>
</head>
<body>
[code=php]<?php
$sql = “SELECT * FROM posts”;
$query = mysql_query($sql);
$result = mysql_fetch_array($query);
$title = $row[‘title’];
$description = $row[‘description’];
?>
<table border=’1′>
<tr><td><?php echo $title; ?></td></tr>
<tr><td><?php echo $description; ?></td></tr>
</table>
[code=php]<?php
}
?>
</body>
</html>
[COLOR=”Red”]Here is the code for inserting into the database:
[code=php]<?php
mysql_connect(“localhost”, “root”, “”);
mysql_select_db(“mydb”);
?>
<html>
<head>
<title>Add new Post</title>
</head>
<body>
[code=php]<?php
if(isset($_POST[‘submit’])){
$title = $_POST[‘title’];
$description = $_POST[‘description’];
mysql_query(“INSERT INTO posts (title, description) VALUES(‘$title’,’$description’)”);
}else{
?>
<form action=’admin.php’ method=’post’>
Title: <input type=’text’ name=’title’ /><br>
Description: <textarea name=’description’></textarea><br />
<input type=’submit’ name=’submit’ value=’Post’ />
</form>
[code=php]<?php
}
?>
</body>
</html>
Sign in
to post a comment5 Comments(s) ↴
0
@NogDogMay 06.2012 — #Just be sure to escape all user inputs before using them in a query. Besides avoiding problems like this, it also stops malicious users from injecting SQL into your queries. With the MySQL extension, the function you want to use is 0
@NogDogMay 08.2012 — #I also run most data through[url=http://php.net/manual/en/function.htmlspecialchars.php]htmlspecialchars()[/url] . It converts HTML to character codes, so it doesn't effect the page.[/QUOTE]
Note that the htmlspecialchars() (or htmlentities()) is normally reserved for escaping text being output to the browser; I do not recommend it for escaping inputs into the database. Why? Because then in your database you might end up with something like this:
<i>
</i>Some text &amp; &quot;some quoted text&quot;
This can have two unwanted side effects: (1) It could mean text that would otherwise just fit within a char/varchar column might now be too long, and (2) it makes searches of the data more problematic. But it is definitely a good idea for text being output to the browser, e.g.:
[code=php]
<input type='text' name='foo' value='<?php echo htmlspecialchars($row['text']);?>' />
[/code]