user3416269

Reputation: 375

Inserting an HTML file into MySQL using a PHP query

I have a heredoc variable like this:

$status=<<<EOT
<p>hello world</p>
<p>I'm <strong>really</strong>OK!</p>
<p></p>
EOT;

And I want to insert it into my MySQL DB with whitespaces by PHP like this:

$query="INSERT INTO requests (ID,title) VALUES ('$ID','$status')";

But I can't do that. What should I do to be allowed to insert that?

Upvotes: 1

Views: 615

Answers (2)

lamp76

Reputation: 333

You can do it in 2 ways:

Using mysqli_real_escape_string() like this:

$mydb = new mysqli("localhost","root","FedAnd11");

$status=<<<EOT
<p>hello world</p>
<p>I'm <strong>really</strong>OK!</p>
<p></p>
EOT;

$query="INSERT INTO requests (ID,title) VALUES ('$ID','".$mydb->real_escape_string($status)."')";

or if you don't have a db connection yet,

$status=<<<EOT
<p>hello world</p>
<p>I'm <strong>really</strong>OK!</p>
<p></p>
EOT;

$status = str_replace(array('\\', "\0", "\n", "\r", "'", '"', "\x1a"), array('\\\\', '\\0', '\\n', '\\r', "\\'", '\\"', '\\Z'), $status);

$query="INSERT INTO requests (ID,title) VALUES ('$ID','$status')";

If I've understood your problem.

Another thing you can do is to use a MySQL prepared statement, if you really want to put $status as is, like this:

$status=<<<EOT
<p>hello world</p>
<p>I'm <strong>really</strong>OK!</p>
<p></p>
EOT;

$stmt = $dbConnection->prepare('INSERT INTO requests (ID,title) VALUES (?,?)');
$stmt->bind_param('is', $ID,$status);

$stmt->execute();

I supposed the $ID is an integer.

Upvotes: 1
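
The difference between the interpolated query from the question and the prepared statement from the answer above, shown as an added example that is not part of the original posts. It assumes PHP's pdo_sqlite extension and swaps in PDO with an in-memory SQLite database for mysqli and MySQL so that it runs without a server; the column types of the requests table are also an assumption.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for mysqli + MySQL (assumption),
// so the script runs without a database server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Column types are assumed; the page only names the columns ID and title.
$db->exec('CREATE TABLE requests (ID INTEGER PRIMARY KEY, title TEXT)');

$status = <<<EOT
<p>hello world</p>
<p>I'm <strong>really</strong>OK!</p>
<p></p>
EOT;
$ID = 1;

// 1) Interpolated query from the question: the apostrophe in "I'm" closes the
//    SQL string literal early, so the rest of the HTML is parsed as SQL.
try {
    $db->exec("INSERT INTO requests (ID,title) VALUES ('$ID','$status')");
    echo "interpolated insert: ok\n";
} catch (PDOException $e) {
    echo "interpolated insert failed: ", $e->getMessage(), "\n";
}

// 2) Prepared statement: the SQL text is fixed and the values are sent as data,
//    so quotes, newlines and markup need no escaping.
$insert = $db->prepare('INSERT INTO requests (ID,title) VALUES (?,?)');
$insert->bindValue(1, $ID, PDO::PARAM_INT);
$insert->bindValue(2, $status, PDO::PARAM_STR);
$insert->execute();

// Read the row back and compare it byte for byte with the original heredoc.
$select = $db->prepare('SELECT title FROM requests WHERE ID = ?');
$select->execute([$ID]);
$stored = $select->fetchColumn();

echo "rows stored: ", $db->query('SELECT COUNT(*) FROM requests')->fetchColumn(), "\n";
echo "round trip identical: ", var_export($stored === $status, true), "\n";
```

With mysqli the second step is the prepare() and bind_param('is', ...) call already shown in the answer.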

Amit Visodiya

Reputation: 813

Try using addslashes()

$status = addslashes($status);
$query="INSERT INTO requests (ID,title) VALUES ('$ID','$status')";

Upvotes: 0
