Reinhart Viane wrote:
> This is the code I use to insert/update text into a database field:
>
> $sqledit="update activities set act_extra='$_POST[editextra]',
> act_extra_fr='$_POST[editextrafr]' where act_id=$_POST[editid]";
this indicates 'bad' database design ... because adding a language involves
having to change the database schema. I personally think that there should be
no need to change the database schema and/or queries and/or code just because
the client wants an extra language.
it also indicates that you have a glaring SQL injection problem. what happens
when I craft a POST request that contains an 'editid' parameter with the
following in it:
'1 OR 1'
or
'1; DELETE * FROM activities'
google 'SQL injection', do some reading and get into the habit of sanitizing
your user input.
>
> Now both $_POST[editextra] and $_POST[editextrafr] can contain single or
> double quotes.
> So the query almost always gives me an error.
>
> I know I have to replace " with &quot;, but I do not know how to replace the
WRONG - you only replace " with &quot; when you are OUTPUTTING the string as part of
a webpage. the database should contain the actual
> single quote so it is shown as a single quote on a webpage when I get it
> from the database
mysql_real_escape_string()
search this archive; there is plenty of discussion about escaping data so that it
can be inserted into a database (mostly concerning MySQL).
>
> I have been looking into str_replace and preg_replace. But what I really
> need is a solution that 'replaces' single quotes, double quotes and curly
> quotes so I tackle all possible problems and the same text as it was input
> in the textarea is shown on the webpage.
>
> Thx in advance
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
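The two problems raised in this exchange, the injectable `act_id` and the quotes that break the query, shown side by side as an added example that is not code from either poster. It uses PDO prepared statements rather than the mysql_real_escape_string() suggested above (the mysql_* extension was removed in PHP 7), and an in-memory SQLite database so it runs offline; the table and column names are the ones from the original query, and the POST bodies are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. It uses an in-memory
// SQLite database through PDO so it runs offline; the table and column names
// (activities, act_id, act_extra, act_extra_fr) are the ones from the thread.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE activities (act_id INTEGER PRIMARY KEY, act_extra TEXT, act_extra_fr TEXT)');
    $db->exec("INSERT INTO activities VALUES (1, 'one', 'un'), (2, 'two', 'deux'), (3, 'three', 'trois')");
    return $db;
}

// The original approach: raw POST values interpolated straight into the SQL text.
function vulnerableUpdate(PDO $db, array $post): int
{
    $sql = "update activities set act_extra='$post[editextra]', "
         . "act_extra_fr='$post[editextrafr]' where act_id=$post[editid]";
    return $db->exec($sql);
}

// Hardened form: validate the id, bind the text columns as parameters. Bound
// values never become part of the SQL text, so quotes and "1 OR 1" are just data.
function safeUpdate(PDO $db, array $post): int
{
    $id = filter_var($post['editid'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('editid must be an integer');
    }
    $stmt = $db->prepare(
        'UPDATE activities SET act_extra = :extra, act_extra_fr = :extra_fr WHERE act_id = :id'
    );
    $stmt->execute([
        ':extra'    => $post['editextra'],
        ':extra_fr' => $post['editextrafr'],
        ':id'       => $id,
    ]);
    return $stmt->rowCount();
}

function fetchExtra(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT act_extra FROM activities WHERE act_id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed POST bodies: the injection payload from the reply, and a benign
// text containing straight and curly quotes (the original poster's problem).
$hostile = ['editextra' => 'x', 'editextrafr' => 'y', 'editid' => '1 OR 1'];
$quoted  = ['editextra' => "it's a \"test\" with ‘curly’ quotes", 'editextrafr' => "c'est", 'editid' => '2'];

// 1. Injection: the vulnerable query becomes "... where act_id=1 OR 1" and
//    overwrites every row; the safe version rejects the id before any SQL runs.
$db = setupDb();
printf("vulnerable, hostile id: %d row(s) updated\n", vulnerableUpdate($db, $hostile)); // all 3 rows
$db = setupDb();
try {
    safeUpdate($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo "safe, hostile id: rejected ({$e->getMessage()})\n";
}

// 2. Quotes in the text: the vulnerable query is now malformed SQL (the
//    "almost always gives me an error" from the original post); the safe
//    version stores the text exactly as typed, no replacing needed.
$db = setupDb();
try {
    vulnerableUpdate($db, $quoted);
} catch (PDOException $e) {
    echo "vulnerable, quoted text: SQL error\n";
}
$db = setupDb();
safeUpdate($db, $quoted);
$stored = fetchExtra($db, 2);
echo 'safe, quoted text stored verbatim: ', var_export($stored === $quoted['editextra'], true), "\n";

// 3. HTML escaping happens only when the value is written into a page, never
//    before it goes into the database.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

Run it with `php example.php` on a PHP build that has the pdo_sqlite extension. The point of binding parameters rather than escaping is that the text values are sent separately from the statement, so there is nothing to escape and nothing to un-escape on the way back out; the only transformation the text ever undergoes is htmlspecialchars() at output time, which is what the reply above means by replacing `"` with `&quot;` only when outputting.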