special characters help in feedback form

Discussion in 'PHP' started by ianhaney, Apr 14, 2013.

  1. #1
    Hi

    On one of my customers websites, I have a feedback form that automatically adds the feedback to the testimonials page by adding it to the testimonials database table and displays it on the testimonials page

    I have noticed that if there is a special character like a ' or something, the feedback is not added

    I can't remember how to do it so that the feedback is added if it has a special character in the text

    Can someone help please

    Kind regards

    Ian
     
    ianhaney, Apr 14, 2013 IP
  2. HuggyStudios

    HuggyStudios Well-Known Member

    #2
    It's most likely because the string is not being escaped, you need to check what the sql query is doing and make sure that you escape it properly.

    Post your code here and I will have a look for you.
     
    HuggyStudios, Apr 14, 2013 IP
  3. ianhaney

    ianhaney Greenhorn

    #3
    Hi HuggyStudios


    Thank you for the reply

    I have posted the code below from the PHP page that the form uses to insert the feedback; is this what you needed?

    <?php
    //=============Configuring Server and Database=======
    $host        =    '';
    $user        =    '';
    $password    =    '';
    //=============Data Base Information=================
    $database    =    '';

    $conn        =    mysql_connect($host,$user,$password) or die('Server Information is not Correct'); //Establish Connection with Server
    mysql_select_db($database,$conn) or die('Database Information is not correct');

    //===============End Server Configuration============

    //=============Starting Registration Script==========

    $name        =    $_POST['name'];
    $testimonial =    $_POST['testimonial'];

    if(isset($_POST['btnRegister'])) //===When I will Set the Button to 1 or Press Button to register
    {
        // $name and $testimonial go straight into the SQL string, so a ' in the
        // feedback ends the quoted value and breaks the statement (the bug in this thread)
        $query    =    "insert into testimonials(name,testimonial)values('$name','$testimonial')";
        $res      =    mysql_query($query);
        header('location:feedbackconfirmation.php');
    }
    ?>
     
    ianhaney, Apr 14, 2013 IP
  4. ianhaney

    ianhaney Greenhorn

    #4
    I have posted more code below; it is from the testimonials PHP page that displays the data from the database table

    <?php
    mysql_connect("", "", "") or die(mysql_error());
    mysql_select_db("") or die(mysql_error());
    $data = mysql_query("SELECT * FROM testimonials") or die(mysql_error());
    print "<table border cellpadding=3>";
    while($testimonials = mysql_fetch_array($data))
    {
        // values are printed exactly as stored, with no HTML escaping at output time
        print "<tr>";
        print "<th>Name:</th> <td>&nbsp;".$testimonials['Name']."<br></td></tr> ";
        print "<tr><th>Testimonial:</th> <td>&nbsp;".$testimonials['Testimonial']." <br><br></td></tr>";
    }
    print "</table>";
    ?>
     
    ianhaney, Apr 14, 2013 IP
  5. jhine

    jhine Active Member

    #5
    You need to read up on a few functions such as htmlspecialchars & strip_tags. I'd also recommend using MySQLi.
     
    jhine, Apr 14, 2013 IP
  6. HuggyStudios

    HuggyStudios Well-Known Member

    #6
    I've added a function to the script which will protect you from cross site scripting and sql injections. This isn't an ideal way to do this but at least this will fix the problem you're having.

    <?php
    // clean function: neutralises HTML (XSS) and escapes quotes for MySQL (SQL injection)
    function clean($value,$html=TRUE,$mysql=TRUE) {
        if($html) {
            if(is_string($html)) {
                // a string passed as $html is treated as the list of tags to keep
                $value = strip_tags($value, $html);
            }else{
                $value = strip_tags(htmlentities($value));
            }
        }
        if($mysql) {
            // undo magic_quotes_gpc first, otherwise the value is escaped twice
            // (the posted version tested !get_magic_quotes_gpc(), which is inverted)
            if(get_magic_quotes_gpc()) {
                $value = stripslashes($value);
            }
            // needs an open connection, so clean() must run after mysql_connect()
            $value = mysql_real_escape_string($value);
        }
        return trim($value);
    }

    //=============Configuring Server and Database=======
    $host        =    '';
    $user        =    '';
    $password    =    '';
    //=============Data Base Information=================
    $database    =    '';

    $conn        =    mysql_connect($host,$user,$password) or die('Server Information is not Correct'); //Establish Connection with Server
    mysql_select_db($database,$conn) or die('Database Information is not correct');

    //===============End Server Configuration============

    //=============Starting Registration Script==========

    $name        =    clean($_POST['name']);
    $testimonial =    clean($_POST['testimonial']);

    if(isset($_POST['btnRegister'])) //===When I will Set the Button to 1 or Press Button to register
    {
        $query    =    "insert into testimonials(name,testimonial)values('$name','$testimonial')";
        $res      =    mysql_query($query);
        header('location:feedbackconfirmation.php');
    }
    ?>
     
    HuggyStudios, Apr 14, 2013 IP
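As an added example (not code from any poster in this thread), here is the same insert and display written with MySQLi prepared statements, which jhine suggested, instead of escaping strings before they reach the query: the bound parameter carries the ' safely, and HTML escaping is done only when the testimonial is rendered. It assumes the same testimonials(name, testimonial) table as the posted code; the connection details are placeholders.

```php
<?php
// Added example, not from the thread: MySQLi + prepared statements.
// Assumes the testimonials(name, testimonial) table from the posted code;
// host/user/password/database below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
$db->set_charset('utf8mb4');

// Store the raw text. A bound parameter travels separately from the SQL,
// so a quote in the feedback can no longer end the string or alter the query.
function addTestimonial(mysqli $db, string $name, string $testimonial): void
{
    $stmt = $db->prepare('INSERT INTO testimonials (name, testimonial) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $testimonial);
    $stmt->execute();
    $stmt->close();
}

// Escape for HTML only when rendering: the database keeps the exact text and
// the browser never interprets user input as markup (the XSS half of the problem).
function renderTestimonials(mysqli $db): string
{
    $html = "<table border cellpadding=3>\n";
    $result = $db->query('SELECT name, testimonial FROM testimonials');
    while ($row = $result->fetch_assoc()) {
        $name = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
        $text = nl2br(htmlspecialchars($row['testimonial'], ENT_QUOTES, 'UTF-8'));
        $html .= "<tr><th>Name:</th><td>$name</td></tr>\n";
        $html .= "<tr><th>Testimonial:</th><td>$text</td></tr>\n";
    }
    $html .= "</table>\n";
    return $html;
}

if (isset($_POST['btnRegister'])) {
    $name = trim($_POST['name'] ?? '');
    $testimonial = trim($_POST['testimonial'] ?? '');
    if ($name !== '' && $testimonial !== '') {
        addTestimonial($db, $name, $testimonial); // a name like O'Brien now inserts fine
    }
    header('Location: feedbackconfirmation.php');
    exit;
}
```

The testimonials page then just echoes renderTestimonials($db); no clean()-style pre-escaping is needed on the way in, and no mysql_real_escape_string() call depends on an open connection.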
  7. ianhaney

    ianhaney Greenhorn

    #7
    Thank you so much, it works perfectly, and I will have a read up on htmlspecialchars & strip_tags as well as MySQLi

    Thank you so much
     
    ianhaney, Apr 14, 2013 IP
  8. HuggyStudios

    HuggyStudios Well-Known Member

    #8

    You're welcome :D
     
    HuggyStudios, Apr 14, 2013 IP
  9. kingofdollars

    kingofdollars Well-Known Member

    #9
    You should also use this technique for all other files too.
    If you take input from a user and put it directly into the DB, you risk your DB and your visitors too.
     
    kingofdollars, Apr 17, 2013 IP