Reinhart Viane wrote:

> This is the code I use to insert/update text into a database field:
>
> $sqledit="update activities set act_extra='$_POST[editextra]',
> act_extra_fr='$_POST[editextrafr]' where act_id=$_POST[editid]";

This indicates 'bad' database design ... because adding a language involves having to change the database schema. I personally think that there should be no need to change the database schema and/or queries and/or code just because the client wants an extra language.

It also indicates that you have a glaring SQL injection problem. What happens when I craft a POST request that contains an 'editid' parameter with the following in it:

'1 OR 1' or '1; DELETE * FROM activities'

Google 'SQL injection', do some reading and get into the habit of sanitizing your user input.

> Now both $_POST[editextra] and $_POST[editextrafr] can contain single or
> double quotes.
> So the query almost always gives me an error.
>
> I know I have to replace " with ", but I do not know how to replace the

WRONG - you only replace " with " when you are OUTPUTTING the string as part of a webpage. The database should contain the actual

> single quote so it is shown as a single quote on a webpage when I get it
> from the database

mysql_real_escape_string()

Search this archive; there is plenty of discussion about escaping data so that it can be inserted into a database (mostly concerning MySQL).

> I have been looking into str_replace and preg_replace. But what I really
> need is a solution that 'replaces' single quotes, double quotes and curly
> quotes so I tackle all possible problems and the same text as it was input
> in the textarea is shown on the webpage.
>
> Thx in advance

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
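The two separate points the reply makes (user input must never become part of the SQL text, and quote escaping belongs at output time, not at storage time), shown as an added example that is not code from the thread or from either poster. It uses PDO prepared statements in place of the mysql_real_escape_string() the reply names, since binding parameters removes the quoting problem altogether and the old mysql_* extension was removed in PHP 7. The activities table, its two sample rows, the $quoted and $injected arrays standing in for $_POST, and the function names are all constructed here for illustration; the script runs against an in-memory SQLite database so no MySQL server is needed.

```php
<?php
// Added example, not code from the thread. Uses PDO with an in-memory SQLite
// database so it runs without a MySQL server; the table and rows below are
// constructed for illustration only.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE activities (act_id INTEGER PRIMARY KEY, act_extra TEXT, act_extra_fr TEXT)');
$db->exec("INSERT INTO activities VALUES (1, 'one', 'un'), (2, 'two', 'deux')");

// The original pattern: POST values interpolated straight into the SQL string.
// Quotes in the text break the statement, and a crafted editid rewrites the
// WHERE clause. Returns the number of rows the UPDATE touched.
function updateInterpolated(PDO $db, array $post): int
{
    $sql = "update activities set act_extra='{$post['editextra']}',"
         . " act_extra_fr='{$post['editextrafr']}' where act_id={$post['editid']}";
    return $db->exec($sql);
}

// The fix: validate the id as an integer and bind every value as a parameter.
// The database then stores the text exactly as typed, quotes included, and
// user input can never become part of the SQL.
function updatePrepared(PDO $db, array $post): int
{
    $id = filter_var($post['editid'], FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('editid must be an integer');
    }
    $stmt = $db->prepare('update activities set act_extra = :extra, act_extra_fr = :extra_fr where act_id = :id');
    $stmt->bindValue(':extra', $post['editextra'], PDO::PARAM_STR);
    $stmt->bindValue(':extra_fr', $post['editextrafr'], PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Escaping belongs at output time: this turns the stored text into HTML that
// renders with the same quotes the user typed and cannot inject markup.
function renderCell(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed stand-ins for $_POST: straight, double and curly quotes in the text.
$quoted = ['editid' => '1', 'editextra' => "It's a \"quoted\" string", 'editextrafr' => 'C’est « ok »'];

// 1. The symptom from the question: a single quote in the text breaks the query.
try {
    updateInterpolated($db, $quoted);
} catch (PDOException $e) {
    echo "interpolated query with quotes failed: ", $e->getMessage(), "\n";
}

// 2. The injection from the reply: editid='1 OR 1' makes the WHERE clause
//    "act_id=1 OR 1", which is true for every row, so both rows are updated.
$injected = ['editid' => '1 OR 1', 'editextra' => 'pwned', 'editextrafr' => 'pwned'];
echo "rows changed by injected editid: ", updateInterpolated($db, $injected), "\n"; // 2

// 3. Prepared statement: the same crafted id is rejected before any SQL runs...
try {
    updatePrepared($db, $injected);
} catch (InvalidArgumentException $e) {
    echo "prepared version rejected editid: ", $e->getMessage(), "\n";
}

// ...and the quoted text goes in unchanged, touching only the intended row.
echo "rows changed by prepared update: ", updatePrepared($db, $quoted), "\n"; // 1
$row = $db->query('select act_extra from activities where act_id = 1')->fetch(PDO::FETCH_ASSOC);
var_dump($row['act_extra'] === $quoted['editextra']); // bool(true): stored as typed
echo renderCell($row['act_extra']), "\n"; // It&apos;s a &quot;quoted&quot; string
```

The split to keep in mind is the one the reply draws: what goes into the database is the raw text, carried there by a bound parameter (or, on the old mysql extension, by mysql_real_escape_string() applied to every interpolated value); what goes into the page is htmlspecialchars() of that raw text, applied at the moment it is echoed. Doing either job in the other place is what produces both the errors and the double-escaped output the question describes.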