Mysql issue


Hi all,


Don't know whether to ask it here or in the SQL section; I assumed here, because it is about MySQL rather than SQL.


1.) On a page I have a textarea where the user fills in text;

2.) Then a JS function sends this value to a PHP page;

3.) This PHP page stores the value in the MySQL database.


When for example I fill in this -> hello world

then everything goes well.


When for example I fill in this -> hello world's

then nothing is stored in database.


It has to do something with the single quote, but I can't get it managed... Below I post some code:



<a href="javascript:void(0)" class='changeSaveLink' id='changeAlbum' onclick="changeTekst('change','textarea','1','50','50','iconIDalbum','changeAlbum','albumNaam','','albumnaam','<?php echo $GLOBALS["db_albums"];?>','50',<?php echo $albumID;?>)" title='Albumnaam aanpassen'></a>


function changeTekst(saveORchange, inputKind, rows, cols, maxLength, iconID, ahrefID, inputDivID, inputID, columnName, dbTable, maxChars, albumID) {
    var inputIDvalue = "";
    if (inputID) {
        // newlines typed in the textarea are sent as <br /> and turned back by br2nl() in PHP
        inputIDvalue = document.getElementById(inputID).value.replace(/\n/g, '<br />');
    }
    var saveChange;
    if (saveORchange == 'change') { saveChange = 'saveAlbum'; }
    if (saveORchange == 'save') { saveChange = 'changeAlbum'; }
    document.getElementById(iconID).className = saveChange;
    run_xmlhttp();
    xmlhttp.onreadystatechange = function() {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
            document.getElementById(iconID).innerHTML = xmlhttp.responseText;
            run_xmlhttp();
            xmlhttp.onreadystatechange = function() {
                if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                    document.getElementById(inputDivID).innerHTML = xmlhttp.responseText;
                }
            };
            // second request: show the textarea ('change') or store its value ('save')
            xmlhttp.open('GET', '/cms/modules/changeTekst.php?a=' + saveORchange + '&b=' + inputID + '&c=' + inputIDvalue + '&d=' + columnName + '&e=' + inputKind + '&f=' + rows + '&g=' + cols + '&h=' + maxLength + '&i=' + maxChars + '&j=' + dbTable + '&id=' + albumID, true);
            xmlhttp.send();
        }
    };
    // first request: swap the save/change icon
    xmlhttp.open('GET', '/cms/modules/changeIcon.php?a=' + iconID + '&b=' + saveORchange + '&c=' + ahrefID + '&d=' + inputDivID + '&e=' + columnName + '&f=' + dbTable + '&g=tekst' + '&h=' + rows + '&i=' + cols + '&j=' + maxLength + '&k=' + maxChars + '&l=empty' + '&id=' + albumID, true);
    xmlhttp.send();
}

<?php
function br2nl( $input ) {
    return preg_replace('/<br(\s+)?\/?>/i', "\n", $input);
}

$saveORchange   = stripslashes($_GET['a']);
$inputID        = stripslashes($_GET['b']);
$inputIDvalue   = stripslashes($_GET['c']);
$inputIDvalueDB = utf8_decode($inputIDvalue);
//$inputIDvalueDB = utf8_decode(addslashes($inputIDvalue));
$columnName     = stripslashes($_GET['d']);
$inputKind      = stripslashes($_GET['e']);
$rows           = stripslashes($_GET['f']);
$cols           = stripslashes($_GET['g']);
$maxLength      = stripslashes($_GET['h']);
$maxCars        = stripslashes($_GET['i']);
$tableName      = stripslashes($_GET['j']);
$albumID        = stripslashes($_GET['id']);

include($_SERVER["DOCUMENT_ROOT"]."/config.php"); // Include the config with username and password
mysql_connect("localhost", $GLOBALS["dbuser"], $GLOBALS["dbpass"]) or die(mysql_error());
mysql_select_db($GLOBALS["dbname"]);
$resultQuery = mysql_query("SELECT * FROM " . $tableName . " WHERE id='$albumID'");
$rowQuery    = mysql_fetch_array($resultQuery);

if ($saveORchange == 'change') {
    if ($inputKind == 'textarea') {
?>
<textarea id='areaHomeTekst' maxlength='<?php echo $maxLength;?>' rows='<?php echo $rows;?>' cols='<?php echo $cols;?>' value='' onfocus="setbg('areaHomeTekst','#BD5C5C');" onblur="setbg('areaHomeTekst','white')"><?php echo br2nl(utf8_encode($rowQuery[$columnName]));?></textarea><br />
<font class='sublabel'>maximaal <?php echo $maxCars;?> tekens!</font>
<?php
    }
}
if ($saveORchange == 'save') {
    // the text is interpolated straight into the SQL string, so a ' inside it ends the quoted value early
    mysql_query("UPDATE " . $tableName . " SET
        $columnName = '$inputIDvalueDB'
        WHERE id = '$albumID'");
    $resultQuery = mysql_query("SELECT * FROM " . $tableName . " WHERE id='$albumID'");
    $rowQuery    = mysql_fetch_array($resultQuery);
    echo utf8_encode($rowQuery[$columnName]);
}
?>

So how can I manage it so that the ' (or ") is also sent to the DB... I also tried to change those chars to numeric HTML codes, but still can't get what I want...

Your code is old and is vulnerable to SQL injection, and the error you're seeing is one of the symptoms. Do not use the mysql functions (mysql_connect, mysql_query, etc). Use either PDO or mysqli instead, and use prepared statements to build a query that will not be affected by that problem or vulnerable to any SQL injection attacks. If you see a tutorial that uses mysql_query, skip it and find something newer. The mysql extension has been out of date since 2003. There's an introduction to PDO here, pay special attention to section 10 on prepared statements: http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html
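The 'save' branch of changeTekst.php redone with PDO prepared statements, as an added example that is not the poster's code or the linked tutorial's. It keeps the same GET parameter names (a, c, d, j, id) and the $GLOBALS["dbuser"], $GLOBALS["dbpass"] and $GLOBALS["dbname"] values from the poster's config.php; the ALLOWED_TABLES and ALLOWED_COLUMNS lists are placeholders that must be filled with the real schema, and PHP 7 or newer is assumed. The text "hello world's" travels to the server as a bound parameter, so the quote is stored as data instead of terminating the SQL string:

```php
<?php
// Added example: the poster's UPDATE/SELECT done with PDO prepared statements.
// Assumes PHP >= 7 and the poster's config.php ($GLOBALS["dbuser"], ["dbpass"], ["dbname"]).
declare(strict_types=1);

// Table and column names cannot be bound as parameters, so they are checked
// against a fixed allow-list before being spliced into the SQL text.
// Placeholder values: replace with the real table and column names.
const ALLOWED_TABLES  = ['albums'];
const ALLOWED_COLUMNS = ['albumnaam'];

function requireAllowed(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("Identifier not allowed: $name");
    }
    return "`$name`";
}

function connect(string $dbname, string $dbuser, string $dbpass): PDO
{
    // charset=utf8mb4 makes the utf8_decode()/utf8_encode() round trip unnecessary
    $dsn = "mysql:host=localhost;dbname=$dbname;charset=utf8mb4";
    return new PDO($dsn, $dbuser, $dbpass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors surface instead of silently storing nothing
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]);
}

// Store $text in $column of the row with id $id and return what the server now holds.
function saveText(PDO $pdo, string $table, string $column, int $id, string $text): ?string
{
    $tbl = requireAllowed($table, ALLOWED_TABLES);
    $col = requireAllowed($column, ALLOWED_COLUMNS);

    // :text and :id are placeholders; PDO sends the values separately from the SQL,
    // so a ' or " in $text never becomes SQL syntax.
    $stmt = $pdo->prepare("UPDATE $tbl SET $col = :text WHERE id = :id");
    $stmt->execute([':text' => $text, ':id' => $id]);

    $stmt = $pdo->prepare("SELECT $col FROM $tbl WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

require $_SERVER['DOCUMENT_ROOT'] . '/config.php';
$pdo = connect($GLOBALS['dbname'], $GLOBALS['dbuser'], $GLOBALS['dbpass']);

if (($_GET['a'] ?? '') === 'save') {
    $stored = saveText(
        $pdo,
        $_GET['j'] ?? '',          // table name, must be on the allow-list
        $_GET['d'] ?? '',          // column name, must be on the allow-list
        (int) ($_GET['id'] ?? 0),  // album id, cast so only an integer reaches the query
        $_GET['c'] ?? ''           // the text itself, e.g. "hello world's", stored verbatim
    );
    header('Content-Type: text/plain; charset=utf-8');
    echo $stored ?? '';
}
```

Two points a practitioner would check when dropping this in: stripslashes() and addslashes() are no longer needed anywhere, since escaping is the driver's job once the value is bound; and because the JavaScript builds the query string by plain concatenation, the value should be wrapped in encodeURIComponent() on the client, otherwise characters such as &, + and # in the text are lost before PHP ever sees them.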

Built in mysqli for now... was already busy with that some time ago...

First thing on my list when I have time is to dive into PDO...


What would you suggest? mysqli or PDO?



