database - Forum Comment Section with PHP


I'm just a newbie programmer, and I'm making a platform to improve my skills, but I'm stuck on a problem with this code:

The problem is: we cannot use single quotes, and we want to be able to use both single and double quotes.

This is where the data is read before it goes to the database:

  // get the data sent from the form (and the logged-in user's display name)
  $topic  = $_POST['topic'];
  $detail = $_POST['detail'];
  $name   = $_SESSION['display'];
  $email  = $_POST['email'];

And this is part of the form:

  <tr>
    <td width="14%"><strong>Topic</strong></td>
    <td width="2%">:</td>
    <td width="84%"><input name="topic" type="text" id="topic" size="50" /></td>
  </tr>
  <tr>
    <td valign="top"><strong>Detail</strong></td>
    <td valign="top">:</td>
    <td><textarea name="detail" cols="50" rows="3" id="detail"></textarea></td>
  </tr>

What do I need to add so that we can use both single and double quotes? What do I have to do? Because if someone uses a single quote, the message crashes..

This is the error message I show:

  if ($result) {
      echo "Successful<BR>";
      echo "<a href=index.php>View your topic</a>";
      // note: header() has no effect once output has already been echoed above
      header("Location: localhost/forum/");
  } else {
      echo "ERROR";
  }

and this is where it is inserted:

  // $datetime is set elsewhere; the format is assumed here
  $datetime = date("Y-m-d H:i:s");
  $sql = "INSERT INTO $tbl_name (topic, detail, name, email, datetime) VALUES ('$topic', '$detail', '$name', '$email', '$datetime')";
  $result = mysql_query($sql);

You are running into a thing called "SQL injection", and this is a serious problem that you should care about.

Please read about and use this function to escape the special characters in your input data.

It looks like you have a query like this:

  $query = "INSERT INTO tbl (`topic`) VALUES ('$topic');";

then with

  $topic = "foobar";
  $query = "INSERT INTO tbl (`topic`) VALUES ('$topic');";
  echo $query;

the generated query string will be:

  INSERT INTO tbl (`topic`) VALUES ('foobar');

which is fine, but with

  $topic = "f'); DELETE FROM tbl; -- ";
  $query = "INSERT INTO tbl (`topic`) VALUES ('$topic');";
  echo $query;

you get back:

  INSERT INTO tbl (`topic`) VALUES ('f'); DELETE FROM tbl; -- ');

And that is not what you want to do.

To reach the next level of your PHP programming skills, you should read the PDO documentation and learn about using parameters in an SQL statement :)
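The following is an added example, not code from the question or the answer above. It puts the concatenated INSERT from the answer next to a PDO prepared statement, using an in-memory SQLite database so it runs offline without a MySQL server. The table `tbl`, the column `topic` and the payload follow the answer's example; the function names and the sample topics are constructed for this demonstration.

```php
<?php
// Added example (not from the original post): concatenated query vs. PDO
// prepared statement, on an in-memory SQLite database so it runs offline.
// Table `tbl`, column `topic` and the payload come from the answer above;
// function names and sample inputs are constructed for this demonstration.

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE tbl (id INTEGER PRIMARY KEY, topic TEXT NOT NULL)");
    $pdo->exec("INSERT INTO tbl (topic) VALUES ('existing post')");
    return $pdo;
}

function rowCount(PDO $pdo): int
{
    return (int) $pdo->query("SELECT COUNT(*) FROM tbl")->fetchColumn();
}

// Vulnerable: the user's text is pasted into the SQL, so a quote in it is
// parsed as SQL. A harmless "Don't" already breaks the statement, and the
// payload from the answer ends the INSERT and appends a DELETE. (SQLite's
// exec() runs every statement in the string; the old mysql_query() refuses a
// second statement, but a quote can still change the meaning of the one it runs.)
function insertVulnerable(PDO $pdo, string $topic): void
{
    $query = "INSERT INTO tbl (`topic`) VALUES ('$topic');";
    $pdo->exec($query);
}

// Safe: the SQL text is fixed and the value is bound separately, so no
// character in $topic can change the structure of the statement.
function insertSafe(PDO $pdo, string $topic): void
{
    $stmt = $pdo->prepare("INSERT INTO tbl (topic) VALUES (:topic)");
    $stmt->execute([':topic' => $topic]);
}

// Constructed attacker input, taken from the answer's example.
$payload = "f'); DELETE FROM tbl; -- ";

// 1. The prepared statement stores single and double quotes as plain text,
//    which is exactly what the original question asked for; the payload is
//    stored as a literal string as well.
$pdo = openDb();
insertSafe($pdo, "Don't say \"hello\" with both quotes");
insertSafe($pdo, $payload);
$last = $pdo->query("SELECT topic FROM tbl ORDER BY id DESC LIMIT 1")->fetchColumn();
echo "prepared: " . rowCount($pdo) . " rows, last topic stored literally: $last\n";

// 2. The concatenated query with the same payload empties the table.
$pdo = openDb();
insertVulnerable($pdo, $payload);
echo "concatenated: " . rowCount($pdo) . " rows\n";

// 3. With the concatenated query, an ordinary apostrophe is a syntax error,
//    which is the "crash" the question describes.
$pdo = openDb();
try {
    insertVulnerable($pdo, "Don't");
} catch (PDOException $e) {
    echo "concatenated with a plain quote: " . $e->getMessage() . "\n";
}
```

When you move this to MySQL, open the connection with `PDO::ATTR_EMULATE_PREPARES` set to `false` so the server receives the statement and the parameter values separately instead of PDO interpolating them client-side; the `mysql_*` functions used in the question were removed in PHP 7, so PDO (or mysqli with bound parameters) is the way forward anyway.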

