CODEWITHSUNDEEP
phpmysql
Cory
Cory

Reputation: 742

mysql_real_escape_string not working?

I'm trying to secure the data users submit via forms on my website so they cannot submit data in HTML. I am trying the following but when I test it, I'm still able to submit HTML data and it writes to the DB just as I entered and displays the HTML when I read from the DB.

if (isset($_POST['submit'])) {

    if ( strlen($_POST['topictitle']) < 10 ) {
        $errors .= "<div>You topic title must be 10 characters or longer!</div>";
    } else {
        $thread_title = mysqli_real_escape_string($db_connect, trim($_POST['topictitle']));
    }

    if ( strlen($_POST['content']) < 10 ) {
        $errors .= "<div>You message must be 10 characters or longer!</div>";
    } else {
        $content = mysqli_real_escape_string($db_connect, $_POST['content']);
    }

    if (isset($errors)) {
        $error_message = "<div class=\"error_box\">$errors</div>";
        $smarty->assign ('error_message', $error_message);
    } else {
        $thread_sql = "
            INSERT INTO forum_threads (
                user_id,
                forum_id,
                thread_postdate,
                thread_lastpost,
                thread_title,
                thread_description,
                thread_icon
            ) VALUES (
                '$_SESSION[user_id]',
                '$_GET[f]',
                '$date',
                '$date',
                '$thread_title',
                IF('$_POST[topicdescription]'='',NULL,'$_POST[topicdescription]'),
                IF('$_POST[posticon]'='NULL',NULL,'$_POST[posticon]')
            )
        ";
        $thread_query = @mysqli_query ($db_connect, $thread_sql);

        $select_thread_sql = "
            SELECT
                thread_id
            FROM
                forum_threads
            WHERE
                thread_id = LAST_INSERT_ID()
        ";
        $select_thread_query = @mysqli_query ($db_connect, $select_thread_sql);
        $select_thread = mysqli_fetch_assoc($select_thread_query);

        $thread_id = $select_thread['thread_id'];

        $post_sql = "
            INSERT INTO forum_posts (
                user_id,
                thread_id,
                post_message,
                post_date
            ) VALUES (
                '$_SESSION[user_id]',
                '$thread_id',
                '$content',
                '$date'
            )
        ";
        $post_query = @mysqli_query ($db_connect, $post_sql);

        $url = $url . "forum.php?t=" . $thread_id;
        header("Location: $url");
        exit();
    }
}

Upvotes: 0

Views: 201

Answers (1)

Ben
Ben

Reputation: 62336

mysqli_real_escape_string is not meant to escape HTML tags, only prevent against SQL injection by other means. If you want to prevent HTML from being implemented look at strip_tags or htmlentities

Upvotes: 3

Related Questions