Bogey Posted June 9, 2015 (edited)

Hi all,

Don't know whether to ask it here or in the SQL section, I assumed here, cause it is about Mysql instead of SQL.

1.) On the page I have a textarea, where the user fills in text;
2.) Then a js function sends this value to a php page;
3.) This PHP page stores the value in the Mysql database.

When for example I fill in this -> hello world then everything goes well.
When for example I fill in this -> hello world's then nothing is stored in the database.

It has to do something with the single quote, but I can't get it managed... Under here I post some code:

1.)

<a href="javascript:void(0)" class='changeSaveLink' id='changeAlbum' onclick="changeTekst('change','textarea','1','50','50','iconIDalbum','changeAlbum','albumNaam','','albumnaam','<?php echo $GLOBALS["db_albums"];?>','50',<?php echo $albumID;?>)" title='Albumnaam aanpassen'></a>

2.)

function changeTekst(saveORchange,inputKind,rows,cols,maxLength,iconID,ahrefID,inputDivID,inputID,columnName,dbTable,maxChars,albumID){
    var inputIDvalue = "";
    if (inputID){
        // newlines are stored as <br /> markup
        inputIDvalue = document.getElementById(inputID).value.replace(/\n/g,'<br />');
    }
    var saveChange;
    if (saveORchange=='change'){saveChange = 'saveAlbum';}
    if (saveORchange=='save'){saveChange = 'changeAlbum';}
    document.getElementById(iconID).className=saveChange;
    run_xmlhttp();
    xmlhttp.onreadystatechange=function() {
        if (xmlhttp.readyState==4 && xmlhttp.status==200) {
            document.getElementById(iconID).innerHTML=xmlhttp.responseText;
            run_xmlhttp();
            xmlhttp.onreadystatechange=function() {
                if (xmlhttp.readyState==4 && xmlhttp.status==200) {
                    document.getElementById(inputDivID).innerHTML=xmlhttp.responseText;
                }
            }
            // the user text goes into the query string, so it must be URL-encoded or
            // characters like & and # cut the request short
            xmlhttp.open('GET', '/cms/modules/changeTekst.php?a=' + saveORchange +'&b=' + inputID +'&c=' + encodeURIComponent(inputIDvalue) +'&d=' + columnName +'&e=' + inputKind +'&f=' + rows +'&g=' + cols +'&h=' + maxLength +'&i=' + maxChars +'&j=' + dbTable +'&id=' + albumID, true);
            xmlhttp.send();
        }
    }
    xmlhttp.open('GET', '/cms/modules/changeIcon.php?a=' + iconID +'&b=' + saveORchange +'&c=' + ahrefID +'&d=' + inputDivID +'&e=' + columnName +'&f=' + dbTable +'&g=tekst' +'&h=' + rows +'&i=' + cols +'&j=' + maxLength +'&k=' + maxChars +'&l=empty' +'&id=' + albumID, true);
    xmlhttp.send();
}

3.)

<?php
function br2nl( $input ) {
    return preg_replace('/<br(\s+)?\/?>/i', "\n", $input);
}

$saveORchange = stripslashes($_GET['a']);
$inputID = stripslashes($_GET['b']);
$inputIDvalue = stripslashes($_GET['c']);
$inputIDvalueDB = utf8_decode($inputIDvalue);
//$inputIDvalueDB = utf8_decode(addslashes($inputIDvalue));
$columnName = stripslashes($_GET['d']);
$inputKind = stripslashes($_GET['e']);
$rows = stripslashes($_GET['f']);
$cols = stripslashes($_GET['g']);
$maxLength = stripslashes($_GET['h']);
$maxCars = stripslashes($_GET['i']);
$tableName = stripslashes($_GET['j']);
$albumID = stripslashes($_GET['id']);

include($_SERVER["DOCUMENT_ROOT"]."/config.php"); //Include the config with username and passwords
mysql_connect("localhost",$GLOBALS["dbuser"],$GLOBALS["dbpass"]) or die(mysql_error());
mysql_select_db($GLOBALS["dbname"]);

$resultQuery = mysql_query("SELECT * FROM " . $tableName . " WHERE id='$albumID'");
$rowQuery = mysql_fetch_array($resultQuery);

if ($saveORchange=='change'){
    if ($inputKind=='textarea'){
?>
<textarea id='areaHomeTekst' maxlength='<?php echo $maxLength;?>' rows='<?php echo $rows;?>' cols='<?php echo $cols;?>' value='' onfocus="setbg('areaHomeTekst','#BD5C5C');" onblur="setbg('areaHomeTekst','white')"><?php echo br2nl(utf8_encode($rowQuery[$columnName]));?></textarea><br /><font class='sublabel'>maximaal <?php echo $maxCars;?> tekens!</font>
<?php
    }
}

if ($saveORchange=='save'){
    // the text is dropped straight into the SQL string without escaping, so a
    // single quote in it ends the string early and the UPDATE fails
    mysql_query("UPDATE " . $tableName . " SET $columnName = '$inputIDvalueDB' WHERE id = '$albumID'");
    $resultQuery = mysql_query("SELECT * FROM " . $tableName . " WHERE id='$albumID'");
    $rowQuery = mysql_fetch_array($resultQuery);
    echo utf8_encode($rowQuery[$columnName]);
}
?>

So how can I get it managed that also the ' (or ") is sent to the DB...

I also tried to change those chars to numeric html code, but still can't get what I want...

Edited June 13, 2015 by Bogey
justsomeguy Posted June 9, 2015

Your code is old and is vulnerable to SQL injection, and the error you're seeing is one of the symptoms. Do not use the mysql functions (mysql_connect, mysql_query, etc). Use either PDO or mysqli instead, and use prepared statements to build a query that will not be affected by that problem or vulnerable to any SQL injection attacks. If you see a tutorial that uses mysql_query, skip it and find something newer. The mysql extension has been out of date since 2003. There's an introduction to PDO here, pay special attention to section 10 on prepared statements.

http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html
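What the reply above recommends, applied to the "save" branch of the poster's changeTekst.php: an added example written for this thread, not the poster's code or the tutorial's. The text value is bound as a prepared-statement parameter, so quotes in it neither break the query nor allow injection; table and column names cannot be bound, so they are checked against a whitelist (assumed here to be the thread's own $GLOBALS["db_albums"] table and the albumnaam column), and the DB is assumed to hold UTF-8 so the utf8_decode/utf8_encode round trip is dropped.

```php
<?php
// Added example (not the poster's code): the "save" branch of changeTekst.php
// rewritten with PDO and a prepared statement. The text value is bound as a
// parameter, so quotes in it no longer break the query or allow injection.
// Table and column names cannot be bound, so they are checked against a
// whitelist built from the thread's config value and column name (assumed
// to be the only ones this page needs).
include($_SERVER["DOCUMENT_ROOT"] . "/config.php");

$allowedTables  = [$GLOBALS["db_albums"]];
$allowedColumns = ['albumnaam'];

$tableName  = $_GET['j']  ?? '';
$columnName = $_GET['d']  ?? '';
$albumID    = $_GET['id'] ?? '';
$value      = $_GET['c']  ?? '';   // may contain ' or "; no stripslashes/addslashes needed

if (!in_array($tableName, $allowedTables, true)
    || !in_array($columnName, $allowedColumns, true)
    || !ctype_digit($albumID)) {
    http_response_code(400);
    exit('invalid table, column or id');
}

// Assumption: the database stores UTF-8, so the utf8_decode/utf8_encode
// round trip from the original script is dropped and the charset is set here.
$pdo = new PDO(
    "mysql:host=localhost;dbname=" . $GLOBALS["dbname"] . ";charset=utf8mb4",
    $GLOBALS["dbuser"],
    $GLOBALS["dbpass"],
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw instead of silently doing nothing
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]
);

// Identifiers come only from the whitelist; the value and id are placeholders.
$update = $pdo->prepare("UPDATE `$tableName` SET `$columnName` = :value WHERE id = :id");
$update->execute([':value' => $value, ':id' => (int) $albumID]);

$select = $pdo->prepare("SELECT `$columnName` FROM `$tableName` WHERE id = :id");
$select->execute([':id' => (int) $albumID]);

// The response lands in innerHTML on the client, so escape it for HTML.
echo htmlspecialchars((string) $select->fetchColumn(), ENT_QUOTES, 'UTF-8');
```

On the JavaScript side, wrap each query-string value in encodeURIComponent() so that & or # in the text does not truncate the request. Since the output is HTML-escaped here, store plain newlines and render them with nl2br(htmlspecialchars(...)) instead of storing <br /> markup in the column.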
Bogey Posted June 9, 2015 Author

Thanks.... I'll go check out that tut...
Bogey Posted June 13, 2015 Author

Built in mysqli for now... was already busy with that some time ago... First thing on my list when I have time is to dive into PDO... What would you suggest? mysqli or PDO? thanks!!!!
justsomeguy Posted June 15, 2015

I prefer PDO; it can work with multiple databases and I like the error handling better.
Bogey Posted June 15, 2015 Author

Thanks, that's clear!