Hi. I'm not sure if my topic can be posted in this sub-forum or in the MySQL sub-forum, but I think this question is easy for you expert guys. I'm trying to update the fields of one of my MySQL DB's tables using PHP code, and the line I'm using is something like this:

$query = "UPDATE my_db_name SET field_name= 'whatever_i_need' WHERE id='XXX'";
mysql_query($query) or die (mysql_error());

This code works perfectly when I replace "whatever_i_need" with any simple text, I mean just alphanumeric characters, but my problem is that I'm trying to replace "whatever_i_need" with HTML code, and when I execute the script there is an error. I was testing and I saw that I simply can't add special characters like ' or " or $, because I think PHP or MySQL (I don't know which) reads the ' and the " as finishing the text I want to write, and the $ as if I want to write a variable, but I don't... I just want to add those characters, or really any character, to that specific field of my MySQL DB's table. The MySQL version my hosting is running is 5.0.32, if it helps. Can you help me with this??? Thanks in advance! Reinaldo. P.S.: Sorry for my English, I know it isn't very good.
You should escape these characters with a backslash:

$query = "UPDATE my_db_name SET field_name= 'whatever_i_need_with_a_\'_quote' WHERE id='XXX'";

Edit: I think a field name can only be alphanumeric, but for the WHERE part it can be escaped.
On another note, you'd better not dare put that code live unless you plan on being hacked. That is extremely insecure. You should really esc shell everything and str_replace or ereg on operands to block SQL injection attacks. Depending on the programming language, you can always use qualifiers for things like ". In PHP it's simple:

echo "<font face=\"Tahoma\">I changed my font in php!</font>";
Thanks so much RAMDOMBASE! LittleJonSupportSite, can you explain to me better what you are talking about??? I mean, I tried to understand your post, but I'm not an expert in programming. I'd like to know better what I'm doing wrong; I wouldn't like to be attacked by a hacker. Is this information insecure when it's hosted publicly?? I've read that PHP script code can't be read by a third person if the script is executed on a web server. Is this right??? Or please explain your point to me better. Sorry for this. Thanks a lot. Reinaldo.
The insecurity of it depends on where the data you are inserting into the database is coming from. If it's being generated internally and cleanly by your program, then it's probably fine. But if it's being taken from any sort of user input, there's a security hole. You should read this article for some good safety tips.
It's easy. When you write your HTML to the database, use addslashes:

$text = addslashes($_POST['yourhtmlcode']);
$query = "UPDATE my_db_name SET field_name= '$text' WHERE id='XXX'";

And when you get your code to print it, use stripslashes:

echo stripslashes($text);

Also look up the htmlspecialchars and htmlentities functions.
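An added example (not code from anyone in this thread) showing the same UPDATE done with a PDO prepared statement, which stores HTML containing ', " and $ without any addslashes/stripslashes round-trip and keeps the stored content from altering the query. It assumes a table `pages` with columns `id` and `body` (stand-ins for the thread's my_db_name/field_name) and uses an in-memory SQLite database so it runs without a MySQL server; for MySQL only the DSN changes.

```php
<?php
// Added example: concatenated UPDATE vs. prepared statement for HTML content.
// Assumed table/columns: pages(id, body). In-memory SQLite so it runs offline;
// for MySQL use new PDO("mysql:host=localhost;dbname=my_db_name", $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)");
$pdo->exec("INSERT INTO pages (id, body) VALUES (1, 'old')");

// Constructed sample HTML with the three characters from the question: ' " $.
// Single-quoted PHP string, so the $ is not treated as a variable by PHP.
$html = '<a href="/shop?item=1" onclick=\'track()\'>Price: $5 & "deal"</a>';

// 1) String concatenation: the quotes inside $html terminate the SQL literal
//    early, so the statement is malformed (and attacker-controlled input
//    could instead turn into extra SQL).
$bad = "UPDATE pages SET body = '$html' WHERE id = '1'";
try {
    $pdo->exec($bad);
    echo "concatenated query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "concatenated query failed as expected: ", $e->getMessage(), "\n";
}

// 2) Prepared statement: the SQL text and the values travel separately, so no
//    escaping is needed and nothing in $html can change the query.
$stmt = $pdo->prepare("UPDATE pages SET body = :body WHERE id = :id");
$stmt->execute([':body' => $html, ':id' => 1]);

$sel = $pdo->prepare("SELECT body FROM pages WHERE id = :id");
$sel->execute([':id' => 1]);
$stored = $sel->fetchColumn();
var_dump($stored === $html); // stored byte-for-byte, nothing to strip on read

// On output: HTML you authored yourself can be echoed as markup; anything that
// came from a user and must not be rendered as markup goes through
// htmlspecialchars so its quotes and brackets are shown, not interpreted.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```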