Reputation: 1264
I'm trying to build an edit page to edit a title.
This title would be displayed in both an "h3" tag and an input field. When the user is happy with the title, he submits it to mysql where it is saved. The page refreshes and he can see his new title within the "h3" tag and the input field.
The problem is that, when quotes are involved in the title, I don't get the same result in the "h3" tag and the input field.
Here is how I retrieve the variable to send it to the database:
$title_set = $_POST['title'];
And here is how I display the variable in both the tag and input field:
$title_get = $result['denomination'];
With this, here is the display for the title: L'appel de la "forêt"
$title_set = $_POST['title'];
$title_get = $result['denomination'];
<h3> -> No output
Input -> No output
Variation 1:
$title_set = addslashes($_POST['title']);
$title_get = $result['denomination'];
<h3> -> L'appel de la "forêt"
Input -> L'appel de la
Variation 2:
$title_set = addslashes($_POST['title']);
$title_get = stripslashes($result['denomination']);
<h3> -> L'appel de la "forêt"
Input -> L'appel de la
Variation 3:
$title_set = mysql_real_escape_string ($_POST['title']);
$title_get = $result['denomination'];
<h3> -> L'appel de la "forêt"
Input -> L'appel de la
Obviously, there are differences in the way a title tag and an input field manage to display dynamic data with quotes, input fields being more restrictive.
So, what should I do?
My pages, scripts and database are encoded in UTF-8.
Upvotes: 0
Views: 189
Reputation: 780714
You need to use mysql_real_escape_string() when inserting the value into the MySQL query. Otherwise, the quotes in the input will cause SQL syntax errors. It would be even better if you converted to MySQLi or PDO, and used query parameters instead of string concatenation.
You should use htmlentities() when retrieving the data and displaying it on a web page. This will produce proper HTML encoding of all special characters.
Upvotes: 0
Reputation: 562240
Before inserting data to the database, use an escaping function like mysql_real_escape_string(). Or even better, switch to PDO so you can use prepared queries and submit the data as a parameter. This protects against SQL injection. See How can I prevent SQL-injection in PHP?
Before echoing to HTML the dynamic content you fetched from the database, encode it with htmlspecialchars(). This protects against Cross-Site Scripting (XSS). See How to prevent XSS with HTML/PHP?
Further reading: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet for more on injection and XSS risks and remedies.
Upvotes: 1
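As an added example (not code from the question or either answer), here is the approach both answers recommend, written against SQLite via PDO so it runs without a MySQL server: the title is stored through a bound parameter and rendered with htmlspecialchars(), which is what keeps the double quote in the title from closing the input's value="..." attribute early. The table name pages and the id column are assumed; only the denomination column appears in the question.

```php
<?php
// Added example: round-trips a title containing both ' and " through the
// database via PDO and renders it in an <h3> and an <input value="...">.
// Assumes the pdo_sqlite extension is loaded; table/column names other than
// 'denomination' are constructed for this demo.

function saveTitle(PDO $db, string $title): void {
    // Bound parameter: the driver handles quoting, so quotes in the title
    // cannot alter the SQL statement and nothing (no addslashes) is stored
    // in a mangled form.
    $stmt = $db->prepare('INSERT INTO pages (denomination) VALUES (:title)');
    $stmt->execute([':title' => $title]);
}

function loadTitle(PDO $db): string {
    $row = $db->query('SELECT denomination FROM pages ORDER BY id DESC LIMIT 1')
              ->fetch(PDO::FETCH_ASSOC);
    return $row['denomination'];
}

function renderTitle(string $title): string {
    // ENT_QUOTES encodes " as &quot; and ' as &#039;, so the same escaped
    // string is valid both as element text and inside a quoted attribute;
    // 'UTF-8' keeps "forêt" intact. This is also the XSS defence.
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h3>{$safe}</h3>\n"
         . "<input type=\"text\" name=\"title\" value=\"{$safe}\">\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, denomination TEXT NOT NULL)');

// Constructed sample input standing in for $_POST['title'].
$posted = 'L\'appel de la "forêt"';
saveTitle($db, $posted);
$stored = loadTitle($db);

// Escaping is done at the SQL boundary and the HTML boundary only, so the
// stored value must be byte-for-byte what the user submitted.
if ($stored !== $posted) {
    throw new RuntimeException('title was altered on its way through the database');
}
echo renderTitle($stored);
```

In the rendered markup every double quote of the title appears as &quot; inside value="...", so the browser shows the complete title in the input field instead of truncating it at the first quote.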