Help Needed with PHP/SQL (escaping characters)

Oj0

Hey guys,

So I have the following, which works fine(ish). It's not the complete code, but the bit in question goes something like this:

PHP:
<?php

if (isset($_POST['updateRecord'])) {

    $updatefirstline = $_POST['updatefirstline'];
    $updatesecondline = $_POST['updatesecondline'];
    $updatedescription = $_POST['updatedescription'];

    // The posted values go into the SQL string unescaped, so an apostrophe
    // in the description ends the quoted value early and breaks the query.
    $seledit = "UPDATE `tableName` SET `firstline`='$updatefirstline', `secondline`='$updatesecondline', `description`='$updatedescription' WHERE `id`=$getid";

    $qry = mysqli_query($connect, $seledit);

    if ($qry) {
        header("location: home.php");
    }
}
?>
The problem comes in that "Description" needs to contain certain special characters, including /<>'?!. It can be several paragraphs long, and also needs to include formatting where the /, <, and > come in. There are a LOT of apostrophes - this cannot be avoided. I can work around it by including \ before each special character, but 1. that's a pain, and 2. when editing the record at a later stage it is shown without the "\"s and when saved it obviously doesn't work unless I reinsert all those "\"s.

I came across something called

PHP:
addslashes($item);
for the page that updates the record, and (potentially, shouldn't be needed)

PHP:
removeslashes($item);
for the page that views the record. However, I don't seem to be able to get this to work.

A better option I've come across is

PHP:
mysqli_real_escape_string();
But I also don't know how to implement it. I don't seem to be the only one, as Googling just "mysqli" brings it up as one of the top autocomplete results.

Can anyone implement mysqli_real_escape_string in the above code?
 

akafaar

This:

snippet:
$updatedescription = mysqli_real_escape_string($connect, $_POST['updatedescription']);
or
snippet2:
$updatedescription = htmlspecialchars($_POST['updatedescription']);

Didn't test it, but should set you on your way
 

Oj0

Seems my reply didn't post (crappy signal at home) - this worked perfectly :)
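
The same UPDATE written with a mysqli prepared statement instead of mysqli_real_escape_string, as an added example that is not part of the thread: the description travels separately from the SQL text, so apostrophes and /<>'?! are stored exactly as typed, and the unquoted `id` is bound as an integer. The table and field names come from the first post; the hidden `id` form field, the `h()` helper and the connection credentials are assumptions.

```php
<?php
// Added example, not code from the thread.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

/**
 * Update one record with bound parameters. No addslashes() or manual
 * backslashes are needed, and nothing has to be stripped when reading back.
 */
function updateRecord(mysqli $connect, int $id, string $first, string $second, string $description): bool
{
    $stmt = $connect->prepare(
        'UPDATE `tableName` SET `firstline` = ?, `secondline` = ?, `description` = ? WHERE `id` = ?'
    );
    // 'sssi' = three strings followed by one integer, in placeholder order.
    $stmt->bind_param('sssi', $first, $second, $description, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/** Escape a stored value when re-displaying it in the edit form (hypothetical helper). */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (isset($_POST['updateRecord'])) {
    // Assumption: the record id arrives as a hidden form field named "id".
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid record id');
    }
    // Placeholder credentials; use the existing $connect if one is already open.
    $connect = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
    $saved = updateRecord(
        $connect,
        $id,
        $_POST['updatefirstline'] ?? '',
        $_POST['updatesecondline'] ?? '',
        $_POST['updatedescription'] ?? ''
    );
    if ($saved) {
        header('Location: home.php');
        exit;
    }
}
```

On the edit page, the stored text goes back into the form as `<textarea><?= h($row['description']) ?></textarea>`, so escaping for HTML happens at output time rather than before the value is written to the database.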
 
