Carbonite

Help Needed with PHP/SQL (escaping characters)

Oj0

Hey guys,

So I have the following, which works fine(ish). It's not the complete code, but the bit in question goes something like this:

PHP:
<?php

if(isset($_POST['updateRecord'])) {

    $updatefirstline = $_POST['updatefirstline'];
    $updatesecondline = $_POST['updatesecondline'];
    $updatedescription = $_POST['updatedescription'];

    // $getid is set in the part of the script not shown here.
    // The posted values are dropped straight into the query string, which is
    // where the special characters in the description cause the problem.
    $seledit = "UPDATE `tableName` SET `firstline`='$updatefirstline', `secondline`='$updatesecondline', `description`='$updatedescription' WHERE `id`=$getid";

    $qry = mysqli_query($connect, $seledit);

    if($qry) {

        header("location: home.php");

    }
}
?>

The problem comes in that "Description" needs to contain certain special characters, including /<>'?!. It can be several paragraphs long, and also needs to include formatting where the /, <, and > come in. There are a LOT of apostrophes - this cannot be avoided. I can work around it by including \ before each special character, but 1. that's a pain, and 2. when editing the record at a later stage it is shown without the "\"s and when saved it obviously doesn't work unless I reinsert all those "\"s.

I came across something called

PHP:
addslashes($item);

for the page that updates the record, and (potentially, shouldn't be needed)

PHP:
removeslashes($item);

for the page that views the record. However, I don't seem to be able to get this to work.

A better option I've come across is

PHP:
mysqli_real_escape_string();

But I also don't know how to implement it. I don't seem to be the only one, as Googling just "mysqli" brings it up as one of the top autocomplete results.

Can anyone implement mysqli_real_escape_string in the above code?
 
This:

Code:
$updatedescription = mysqli_real_escape_string($connect, $_POST['updatedescription']);

or
Code:
$updatedescription = htmlspecialchars($_POST['updatedescription']);


didn't test it, but should set you on your way
 
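The update handler written out both ways, as an added example that is not the thread's own code: the escaped query the reply suggests, beside a prepared-statement version (a different technique, not mentioned in the thread), using the table and column names from the first post and assuming $connect and $getid are set up earlier in the script as in the original.

```php
<?php
// Added example, not the thread's own code. Assumes $connect is an open mysqli
// connection and $getid the record id, both set earlier in the script.

// 1. Escaping, as the reply suggests. mysqli_real_escape_string() needs the live
//    connection (it escapes for that connection's character set) and only protects
//    values inside quotes, so the unquoted id is cast to int instead.
function update_record_escaped(mysqli $connect, int $id, array $post): bool
{
    $first  = mysqli_real_escape_string($connect, $post['updatefirstline'] ?? '');
    $second = mysqli_real_escape_string($connect, $post['updatesecondline'] ?? '');
    $desc   = mysqli_real_escape_string($connect, $post['updatedescription'] ?? '');
    $sql = "UPDATE `tableName` SET `firstline`='$first', `secondline`='$second', "
         . "`description`='$desc' WHERE `id`=" . $id;
    return (bool) mysqli_query($connect, $sql);
}

// 2. Prepared statement: values never become part of the SQL text, so apostrophes,
//    backslashes and <, >, / are stored exactly as typed, with nothing to add on
//    save or strip when the record is edited again.
function update_record_prepared(mysqli $connect, int $id, array $post): bool
{
    $stmt = mysqli_prepare($connect,
        'UPDATE `tableName` SET `firstline`=?, `secondline`=?, `description`=? WHERE `id`=?');
    if ($stmt === false) {
        return false;
    }
    $first  = $post['updatefirstline'] ?? '';   // bind_param needs real variables
    $second = $post['updatesecondline'] ?? '';
    $desc   = $post['updatedescription'] ?? '';
    mysqli_stmt_bind_param($stmt, 'sssi', $first, $second, $desc, $id);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Escaping for SQL and for HTML are separate jobs: encode the stored description
// for the browser only at the point where it is printed into the edit form.
function show_for_edit(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

if (isset($_POST['updateRecord'], $connect, $getid)) {
    if (update_record_prepared($connect, (int) $getid, $_POST)) {
        header('Location: home.php');
        exit;
    }
}
```

With either function the text is stored unescaped in the database, so the edit page can read it back and resubmit it without reinserting backslashes.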
Seems my reply didn't post (crappy signal at home) - this worked perfectly :)