Hi. On one of my customers' websites, I have a feedback form that automatically adds the feedback to the testimonials page by adding it to the testimonials database table and displaying it on the testimonials page. I have noticed that if there is a special character like a ' or something, the feedback is not added. I can't remember how to do it so that the feedback is added if it has a special character in the text. Can someone help please? Kind regards, Ian
It's most likely because the string is not being escaped. You need to check what the SQL query is doing and make sure that you escape it properly. Post your code here and I will have a look for you.
Hi HuggyStudios, thank you for the reply. I have posted the code below from the PHP page that the form uses to insert the feedback. Is this what you needed?

<?php
//=============Configuring Server and Database=======
$host = '';
$user = '';
$password = '';
//=============Data Base Information=================
$database = '';
$conn = mysql_connect($host,$user,$password) or die('Server Information is not Correct'); //Establish Connection with Server
mysql_select_db($database,$conn) or die('Database Information is not correct');
//===============End Server Configuration============
//=============Starting Registration Script==========
$name = $_POST['name'];
$testimonial = $_POST['testimonial'];
if(isset($_POST['btnRegister'])) //===When I will Set the Button to 1 or Press Button to register
{
    // The submitted values are interpolated straight into the SQL string, so a '
    // in the text closes the quoted literal and the INSERT fails (and the
    // statement itself can be altered by the input).
    $query = "insert into testimonials(name,testimonial)values('$name','$testimonial')";
    $res = mysql_query($query);
    header('location:feedbackconfirmation.php');
}
?>
I have posted more code below. It is from the testimonials PHP page that displays the data from the database table.

<?php
mysql_connect("", "", "") or die(mysql_error());
mysql_select_db("") or die(mysql_error());
$data = mysql_query("SELECT * FROM testimonials") or die(mysql_error());
print "<table border cellpadding=3>";
while($testimonials = mysql_fetch_array( $data ))
{
    // Column values are written into the page as-is, so any HTML stored in
    // the table is rendered rather than shown as text.
    print "<tr>";
    print "<th>Name:</th> <td> ".$testimonials['Name'] . "<br></td></tr> ";
    print "<th>Testimonial:</th> <td> ".$testimonials['Testimonial'] . " <br><br></td></tr>";
}
print "</table>";
?>
You need to read up on a few functions such as htmlspecialchars & strip_tags. I'd also recommend using MySQLi.
I've added a function to the script which will protect you from cross-site scripting and SQL injection. This isn't an ideal way to do this, but at least this will fix the problem you're having.

<?php
// clean function: strips/encodes HTML and escapes the value for use in a mysql_query() string
function clean($value,$html=TRUE,$mysql=TRUE)
{
    if($html)
    {
        if(is_string($html))
        {
            // $html passed as a string of allowed tags, e.g. '<b><i>'
            $value = strip_tags($value, $html);
        }else{
            $value = strip_tags(htmlentities($value));
        }
    }
    if($mysql)
    {
        // With magic_quotes_gpc on, PHP has already added backslashes to the
        // input; remove them so the value is not escaped twice below.
        if(get_magic_quotes_gpc())
        {
            $value = stripslashes($value);
        }
        // Needs an open MySQL connection, so call clean() after mysql_connect().
        $value = mysql_real_escape_string($value);
    }
    return trim($value);
}
//=============Configuring Server and Database=======
$host = '';
$user = '';
$password = '';
//=============Data Base Information=================
$database = '';
$conn = mysql_connect($host,$user,$password) or die('Server Information is not Correct'); //Establish Connection with Server
mysql_select_db($database,$conn) or die('Database Information is not correct');
//===============End Server Configuration============
//=============Starting Registration Script==========
$name = clean($_POST['name']);
$testimonial = clean($_POST['testimonial']);
if(isset($_POST['btnRegister'])) //===When I will Set the Button to 1 or Press Button to register
{
    $query = "insert into testimonials(name,testimonial)values('$name','$testimonial')";
    $res = mysql_query($query);
    header('location:feedbackconfirmation.php');
}
?>
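An added example, not HuggyStudios' or Ian's code: the same insert and display done the MySQLi way suggested above. Prepared statements send the values separately from the SQL text, so an apostrophe can neither break the INSERT nor change it, and htmlspecialchars is applied when the text is rendered rather than when it is stored. The connection details are placeholders, and the table layout (id, name, testimonial) is an assumption for this example.

```php
<?php
// Added example (not from the thread): feedback insert and display using
// MySQLi prepared statements and output-time escaping.
// Assumptions: credentials below are placeholders, and the testimonials
// table has columns id (auto-increment), name and testimonial.

declare(strict_types=1);

// Throw exceptions on MySQL errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    // Placeholders: replace with the real host, user, password and database.
    return new mysqli('localhost', 'db_user', 'db_password', 'db_name');
}

// Insert one testimonial. The ? placeholders are bound to the values, so
// a name like O'Brien is stored exactly as typed and cannot alter the SQL.
function add_testimonial(mysqli $db, string $name, string $testimonial): int
{
    $name = trim($name);
    $testimonial = trim($testimonial);
    if ($name === '' || $testimonial === '') {
        throw new InvalidArgumentException('name and testimonial are required');
    }

    $stmt = $db->prepare('INSERT INTO testimonials (name, testimonial) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $testimonial);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Read the rows back for the testimonials page.
function list_testimonials(mysqli $db): array
{
    $result = $db->query('SELECT name, testimonial FROM testimonials ORDER BY id DESC');
    return $result->fetch_all(MYSQLI_ASSOC);
}

// Escape at output time: the stored text is unchanged, and <, >, &, " and '
// are turned into entities here so they display as text instead of running
// as markup in the visitor's browser.
function render_testimonials(array $rows): string
{
    $html = "<table border cellpadding=3>\n";
    foreach ($rows as $row) {
        $name = htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $text = htmlspecialchars($row['testimonial'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<tr><th>Name:</th><td>{$name}</td></tr>\n";
        $html .= "<tr><th>Testimonial:</th><td>" . nl2br($text) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Form handler, mirroring the btnRegister check from the original page.
if (isset($_POST['btnRegister'])) {
    $db = connect();
    add_testimonial($db, (string) ($_POST['name'] ?? ''), (string) ($_POST['testimonial'] ?? ''));
    $db->close();
    header('Location: feedbackconfirmation.php');
    exit;
}

// Command-line demo with a constructed input containing the characters
// that broke the original form.
if (PHP_SAPI === 'cli') {
    $db = connect();
    add_testimonial($db, "Ian O'Brien", "Great service; 5 stars & I'd \"recommend\" <b>them</b>.");
    echo render_testimonials(list_testimonials($db));
    $db->close();
}
```

Run it from the command line once the placeholders are filled in and the row with the apostrophe, ampersand and bold tag is stored intact and shown as plain text on the page; the same two functions replace the mysql_* code in both files from the thread.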
Thank you so much, it works perfectly, and I will have a read up on htmlspecialchars & strip_tags as well as MySQLi. Thank you so much.
You should also use this technique for all other files too. If you take input from users and put it directly into the DB, you put your DB and your visitors at risk too.