MySQL vs PHP vs <textarea>

4 replies
So I have a battle royal going on here...

I've got a php page, trying to insert into a MySQL db from an HTML textarea. Everything works grand, except when I have single quotes (') in the textarea.

I've checked the php.ini file and magic quotes are all OFF.
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

Anyone know what's going on, and how I can fix it?

Thanks for your help...
Tags: #<textarea> #mysql #php
  • phpbbxpert:
    I can't think of any reason you would do this other than storing source code...

    You're basically creating a time bomb if anyone from the public has a chance to access this form.
    You're having issues with single quotes because you are injecting into the query.
    You need to build some security into this and you won't have the issue.

    addslashes($str);               // escapes quotes and backslashes with a backslash
    mysql_real_escape_string($str); // escapes the string for the current MySQL connection
    htmlentities($str);             // converts HTML special characters to entities

    I would even go all out and do a str_replace() and preg_match() on some parts of the input and clean it further.
    Then when it comes out, to display, do everything in reverse.

    But like I said, Time Bomb, you really have to check and double check this input when allowing any type of user input into the database.
    If there is a hole, some hacker will find it one day.
  • mywebwork:
    One thing you can do when storing raw HTML into a MySQL database is encode it to remove the "special" HTML characters, including the single quote. When retrieving the data you decode it to get back the original HTML string.

    These two PHP functions will help you out:

    PHP htmlspecialchars() Function

    PHP htmlspecialchars_decode() Function


    Hope this helps!

    Bill
  • Big Squid:
    Thanks for the help. I'm actually only using it in development through xampp. But this does make me want to go back through some other scripts and make them more secure...

    I appreciate it..
    • bettor:
      if you are concerned with security you may try htmlPurifier and PDO (parameter binding when you write to DB)
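The failure described in the question (a single quote in the textarea breaks the INSERT) and the fix suggested in the last reply (PDO parameter binding) side by side, as an added example that is not code from any poster in this thread. It assumes a local MySQL database with a table `notes (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)`; the DSN, user name and password are placeholders.

```php
<?php
// Added example, not from the thread. Assumes a table `notes` with columns
// id (INT AUTO_INCREMENT PRIMARY KEY) and body (TEXT); credentials are placeholders.
$dsn  = 'mysql:host=127.0.0.1;dbname=app_db;charset=utf8mb4';
$user = 'app_user';      // placeholder
$pass = 'app_password';  // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

// Constructed textarea input: contains the single quote that breaks the original script.
$body = "It's a <b>test</b> with a ' quote";

// --- The pattern from the question: the value is pasted into the SQL text ---
// The quote inside $body closes the string literal early, so MySQL rejects the
// statement; the same mechanism is what makes the form injectable.
// $sql = "INSERT INTO notes (body) VALUES ('" . $body . "')";
// $pdo->exec($sql); // fails with a syntax error on this input

// --- Parameter binding: the value is sent separately and never parsed as SQL ---
$stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$stmt->execute([':body' => $body]);
$id = (int) $pdo->lastInsertId();

// Read it back: the stored text is byte-for-byte what the user typed,
// so there is no escaping layer to reverse on the way out.
$stmt = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
$stmt->execute([':id' => $id]);
$stored = $stmt->fetchColumn();
var_dump($stored === $body); // bool(true)

// HTML escaping belongs at output time, when the text is rendered in a page.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
```

With binding in place the quote problem and the injection problem disappear together, and the database keeps the raw text; encoding for HTML is done once, at the point where the value is printed into a page.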