FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » PHP/MySQL oddity
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: PHP/MySQL oddity [message #175483 is a reply to message #175482] Sat, 01 October 2011 22:23 Go to previous messageGo to previous message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma:
Senior Member
On Sat, 01 Oct 2011 17:31:38 -0400, Mason Barge wrote:

> On Sat, 01 Oct 2011 20:31:31 +0200, Luuk <Luuk(at)invalid(dot)lan> wrote:
>
>> On 01-10-2011 20:14, Mason Barge wrote:
>>> <form name=...><input type=text . . . value = '<?php echo $info;?>'
>>
>> After PHP is done, and when $info contains "some'text" (without the
>> double-quotes) What would you guess to be send to your browser?
>>
>> Indeed, it's:
>> <form name=...><input type=text . . . value = 'some'text'.....

> Thank you very much.

> Changed it to value=\"$info\"

You need to understand where and when to use the escape functions.

Specifically, when using text that was supplied by the user in any sql
statement, use e.g:

<?php

if (isset($_POST['fieldname']))
{
$fielddata = mysql_real_escape_string($_POST['fieldname']);
}
else
{
$fielddata = "some_default_value";
}

$sql = "UPDATE tablename SET fieldname = '{$fielddata}' WHERE
_condition_";

?>

Rgds

Denis McMahon
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: OCI.DLL and libcs.dll?
Next Topic: Re: NoDQ.com > Columns > WWE Hell in a Cell Preview by TJR Staff
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Nov 28 08:32:53 GMT 2024

Total time taken to generate the page: 0.04190 seconds