This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
Basically I'm trying to insert a value in a table from a textarea.
$sql_insert = "INSERT INTO message_admin (message, lastedit_ip, lastedit_date) VALUES ('".$_POST["message"]."', '".$_SERVER['REMOTE_ADDR']."', '".date("d/m/Y")."');";
Thing is if I type either the symbol ' or " in my text area, I will get PHP debug because PHP will take it as if I closed my string (is that the right expression, even?)
Hope you did understand me
Use addslashes()
$sql_insert = "INSERT INTO message_admin (message, lastedit_ip, lastedit_date) VALUES ('".addslashes($_POST["message"])."', '".addslashes($_SERVER['REMOTE_ADDR'])."', '".date("d/m/Y")."');";
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
If I input acesr'ss as categoryname in my POST-Request, it will insert only acesr into my database. I can't figure out why.
Relevant code snippet:
$cate_name=mysqli_real_escape_string($conn,$_POST['categoryname']);
$usersql="Insert INTO abc(category_name) VALUES('".$cate_name."')";
I also tried addslashes, but get the same problem.
Can you try to insert using parameterised sql query.this will prevent sql injection
$dmessage = html_entity_decode ($cate_name, ENT_QUOTES | ENT_XML1, 'UTF-8') ;
$createSql = $db->prepare(" INSERT INTO abc(category_name) VALUES(:cate_name)" );
$createSql->execute(array(
":cate_name" => trim($cate_name)
));
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
My code is:
$description = $_POST['description'];
$description = htmlspecialchars($description);
I use it to insert some description into a table:
$insertBillIndexQuery = "INSERT INTO $billIndexTableName (type, exp_category, shopping_date, shop, description, total_amount, paid, due, mode_of_payment) VALUES ('Expense', '$exp_category', '$billDate', '$shop', '$description', '$total_amount', '$paid', '$due', '$modeOfPayment')";
This works fine usually. However, when I type a special character such as a single quote, the system breaks, and I get an Error Querying Database error. I'm sure that the single quotes are causing the problem. Am I using htmlspecialchars wrong?
You need to do the conversion using ENT_HTML401 for converting ' into '. According to the manual:
' (single quote)
' (for ENT_HTML401) or ' (for ENT_XML1, ENT_XHTML or ENT_HTML5), but only when ENT_QUOTES is set
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I'm trying to add a row to my table video_games by using the value of a $_GET like this:
$yourname = $_GET['yourName'];
$bdd->exec('INSERT INTO video_games(name, owner, console, price) VALUES($yourname, \'Patrick\', \'PC\',45)');
But I get this error:
Unknown column $yourname in field list
I tried several other solutions like $name or name or 'name' instead of $name. But I can't have the value of $_GET to be inserted.
I have also checked other posts and I did not find any solution, yet it should be a famous question.
To make it simple, the problem is: How to put the value of a variable in an INSERT statement using the exec() function ?
Thanks.
Did you try like this....
$yourname = $_GET['yourName'];
$bdd->exec("INSERT INTO video_games(name, owner, console, price) VALUES('$yourname', 'Patrick', 'PC',45)");
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
$type_of_poker = "hold'em no limit";
$sql = "INSERT INTO hands (type_of_poker) VALUES ('$type_of_poker')";
Im trying to put hold'em no limit into a SQL database but it won't let me
use ' i cant upload holdem no limit for a long list resones that have to do
with the rest of my code.
Instead of trying to escape the apostrophe, it is much better practice to use prepared statements and binded parameters which will also solve your problem. It solves your problem because you then don't need to escape the apostrophe ('):
$type_of_poker = "hold'em no limit";
//binding the parameters to your sql statement
$sql = "INSERT INTO hands (type_of_poker) VALUES (:type_of_poker)";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':type_of_poker',$type_of_poker);
$stmt->execute();
Let me know if that worked for you! :)
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I'm adding some html code to a database through a mysql_query. So, a basic query looks like this $qry = "UPDATE Pages SET ".$column."='$value' WHERE id='$id'";
If this is called, an actual query might look like this: $qry = "UPDATE Pages SET content_en='<h1>This is a title</h1>' WHERE id='12'"; However, if the HTML code looks like this: <h1 style='color:red;'>This is a title</h1>, it'll break the query because of the semi-colon. Is there any way to solve this?
Use mysql escaping function over your content, like that :
$value = mysqli_real_escape_string($value);