afan@xxxxxxxx wrote:
> since I had something similar as a problem, let me try to answer and see
> did I get it correct :)

seems ok ...

>
> first, and most important: never store in DB raw submitted string
>
> $act_extra = mysql_real_escape_string($_POST['editextra']);
> $act_extra_fr = mysql_real_escape_string($_POST['editextrafr']);

the following should always be an integer (probably) ...

> $act_id = mysql_real_escape_string($_POST['editid']);

so why not do:

$act_id = intval($_POST['editid']);
if (!$act_id) die('go away script kiddie!');

>
> then:
> $sqledit = "
> update activities
> set act_extra='".$act_extra."',
> act_extra_fr = '".$act_extra_fr."'
> where act_id = '".$act_id."'";

very minor point - but why not save your eyes a little:

$sqledit = "UPDATE activities SET act_extra='{$act_extra}', act_extra_fr='{$act_extra_fr}' WHERE act_id={$act_id}";

>
> to check:
> echo $sqledit;
>
> it should work now.
>
> hope this helped.
>
> -afan
>
>
>
>> This is the code I use to insert/update text into a database field:
>>
>> $sqledit="update activities set act_extra='$_POST[editextra]',
>> act_extra_fr='$_POST[editextrafr]' where act_id=$_POST[editid]";
>>
>> Now both $_POST[editextra] and $_POST[editextrafr] can contain single or
>> double quotes.
>> So the query almost always gives me an error.
>>
>> I know I have to replace " with ", but I do not know how to replace the
>> single quote so it is shown as a single quote on a webpage when I get it
>> from the database
>>
>> I have been looking into str_replace and preg_replace. But what I really
>> need is a solution that 'replaces' single quotes, double quotes and curly
>> quotes so I tackle all possible problems and the same text as it was
>> inputted in the textarea is shown on the webpage.
>>
>> Thx in advance
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
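
An added example, not part of the thread or either poster's code: the same UPDATE written with bound parameters, so text containing single, double or curly quotes is stored unchanged and only encoded when it is written into HTML. Assumptions: PDO with an in-memory SQLite database stands in for the thread's MySQL server, and `update_activity()` and the `$post` array are hypothetical names with constructed sample values.

```php
<?php
// Added example, not code from the thread. Assumption: PDO with an in-memory
// SQLite database stands in for the poster's MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE activities
    (act_id INTEGER PRIMARY KEY, act_extra TEXT, act_extra_fr TEXT)');
$pdo->exec('INSERT INTO activities (act_id) VALUES (7)');

// Hypothetical helper: validate the id, bind the text, never build SQL from input.
function update_activity(PDO $pdo, array $post): int
{
    $id = filter_var($post['editid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('act_id must be a positive integer');
    }
    $stmt = $pdo->prepare('UPDATE activities
        SET act_extra = :extra, act_extra_fr = :extra_fr WHERE act_id = :id');
    $stmt->execute([
        ':extra'    => (string) ($post['editextra'] ?? ''),
        ':extra_fr' => (string) ($post['editextrafr'] ?? ''),
        ':id'       => $id,
    ]);
    return $stmt->rowCount();
}

// Constructed sample input standing in for $_POST.
$post = [
    'editid'      => '7',
    'editextra'   => "It's a \"quoted\" title with “curly” quotes & <b>markup</b>",
    'editextrafr' => "L'activité « d'été »",
];
update_activity($pdo, $post);

$sel = $pdo->prepare('SELECT act_extra FROM activities WHERE act_id = ?');
$sel->execute([7]);
$stored = $sel->fetchColumn();
// The database holds exactly what was typed; no quote replacement was needed.
var_dump($stored === $post['editextra']);
// Encode only when writing into HTML, so quotes display as quotes.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
// A non-integer id is rejected before any query runs.
try {
    update_activity($pdo, ['editid' => '7 OR 1=1'] + $post);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```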