php - Having trouble with ' character being entered into a MYSQL database



I'm having issues whenever I put a ' in the text on the page that updates the database,

```php
// The asker's query: values are interpolated straight into the SQL string, so a ' in any of them ends the quoted literal early.
// (The original also wrote news2_title='$news1_title', which looks like a copy-paste slip and is corrected here.)
$query = "update news set news1_title='$news1_title', news1_info='$news1_info', news1_body='$news1_body', news2_title='$news2_title', news2_info='$news2_info', news2_body='$news2_body' where id=1";
```

as it cuts off and ends up throwing out the text and code.

Is there a way I can add things safely? I know I can use ' and when it shows in the page it returns ', but I'd have to update them every time there's a ', otherwise it errors.

thanks.

You need to not directly accept user input into the query. That's a huge SQL injection vulnerability: `where 1=1; drop database;` would delete all of the information.

Instead, consider using prepared statements to have your data sanitized in a safe and automatic way. Let's look at the OOP implementation:

```php
$ret = array();
try {
    // Make mysqli throw exceptions, otherwise the catch block below never runs on a failed prepare/execute
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $mysqli = new mysqli('host', 'user', 'pass', 'db');
    $stmt = $mysqli->prepare('update news set news1_title = ?, news1_info = ?, news1_body = ?, news2_title = ?, news2_info = ?, news2_body = ? where id = 1');
    // Each placeholder gets its own variable; values travel separately from the SQL text, so a ' inside them cannot break the query
    $stmt->bind_param('ssssss', $news1_title, $news1_info, $news1_body, $news2_title, $news2_info, $news2_body);
    $stmt->execute();
    $ret['status'] = 1;
    $ret['msg'] = 'successfully updated!';
} catch (Exception $e) {
    $ret['status'] = 0;
    $ret['msg'] = $e->getMessage();
}
echo $ret['msg'];
```

By preparing and binding, we've sanitized our data and no longer face the issues you've described above.
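As an added example (not code from the question or the answer above), the same idea as a reusable function: it goes a step beyond the answer by taking an arbitrary subset of the `news` columns, validating the column names against a fixed allow-list (column names cannot be bound as parameters), binding every value and the row id as placeholders, and reporting affected rows. It also shows the other half of the asker's concern: the apostrophe is stored as-is and only encoded when rendered into HTML. The table and column names follow the question; the connection details and the sample text are placeholders/constructed.

```php
<?php
declare(strict_types=1);

// Columns a caller may update. Validated here because identifiers cannot be bound with '?'.
const NEWS_COLUMNS = [
    'news1_title', 'news1_info', 'news1_body',
    'news2_title', 'news2_info', 'news2_body',
];

/**
 * Update one row of the news table. $fields maps column name => new text.
 * Returns the number of rows affected (0 when the row exists but nothing changed).
 * Throws InvalidArgumentException for unknown columns, mysqli_sql_exception on DB errors.
 */
function update_news(mysqli $db, int $id, array $fields): int
{
    if ($fields === []) {
        throw new InvalidArgumentException('no fields to update');
    }
    $assignments = [];
    $values = [];
    foreach ($fields as $column => $value) {
        if (!in_array($column, NEWS_COLUMNS, true)) {
            throw new InvalidArgumentException("unknown column: $column");
        }
        // Only the placeholder enters the SQL text; the value is sent separately at execute time.
        $assignments[] = "`$column` = ?";
        $values[] = (string) $value;
    }
    $values[] = $id;                      // last placeholder is the WHERE id
    $sql = 'UPDATE news SET ' . implode(', ', $assignments) . ' WHERE id = ?';

    $stmt = $db->prepare($sql);
    $types = str_repeat('s', count($values) - 1) . 'i';   // one 's' per text value, 'i' for the id
    $stmt->bind_param($types, ...$values);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// The DB keeps the raw apostrophe; escaping belongs at output time, per context (here: HTML).
function render_title(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Errors surface as exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli('host', 'user', 'pass', 'db');   // placeholder credentials
    $db->set_charset('utf8mb4');

    // Constructed sample input containing the character that broke the original query.
    $rows = update_news($db, 1, [
        'news1_title' => "O'Brien's report: a 'quoted' title",
        'news1_body'  => "It's stored verbatim; the ' is data here, not SQL.",
    ]);
    echo "rows affected: $rows\n";

    // When displaying, encode for HTML so the ' cannot break an attribute or script context.
    echo render_title("O'Brien's report"), "\n";   // O&#039;Brien&#039;s report
} catch (mysqli_sql_exception $e) {
    echo 'database error: ', $e->getMessage(), "\n";
}
```

Because `bind_param` takes its arguments by reference, the values are collected into an array and unpacked with `...$values`, which is the idiomatic way to bind a variable number of parameters with mysqli. Keeping `mysqli_report(MYSQLI_REPORT_STRICT)` on is what makes the `catch` block meaningful; without it a failed `prepare` returns `false` and the later `bind_param` call is what blows up.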

