Question

I'm just a novice programmer, and I'm making a forum to improve my skills, but I'm running into a problem right now. This is the problem with the code:

The problem is: we can't use single quotes, and we want to be able to use both single and double quotes.

This is where it goes into the Database:

// get the data that was sent from the form
$topic  = $_POST['topic'];
$detail = $_POST['detail'];
$name   = $_SESSION['display'];
$email  = $_POST['email'];

and this is a part of the form:

<tr>
    <td width="14%"><strong>Topic</strong></td>
    <td width="2%">:</td>
    <td width="84%"><input name="topic" type="text" id="topic" size="50" /></td>
</tr>
<tr>
    <td valign="top"><strong>Detail</strong></td>
    <td valign="top">:</td>
    <td><textarea name="detail" cols="50" rows="3" id="detail"></textarea></td>
</tr>

What do I have to add so we can use single and double quotes? What do I have to do? Because if someone uses a single quote, the message crashes.

This is the error message that I give:

if ($result) {
    echo "Successful<BR>";
    echo "<a href=index.php>View your topic</a>";
    header("Location: localhost/forum/");
}
else {
    echo "ERROR";
}

And this is where it goes in:

$sql = "INSERT INTO $qtbl_name(topic, detail, name, email, datetime) VALUES('$topic', '$detail', '$name', '$email', '$datetime')";
$result = mysql_query($sql);


OTHER TIPS

You're running into a thing called "SQL injection", and this is a serious problem you should care about.

Please read http://php.net/mysql_real_escape_string and use this function to escape special characters of your input data.

It seems that you have a query like:

$query = "INSERT INTO tbl (`topic`) VALUES ('$topic');";

So your generated query string is probably something like this:

$topic = "foobar";
$query = "INSERT INTO tbl (`topic`) VALUES ('$topic');";
echo $query;

will result in:

INSERT INTO tbl (`topic`) VALUES ('foobar');

which is nice. But:

$topic = "f'); delete from tbl;";
$query = "INSERT INTO tbl (`topic`) VALUES ('$topic');";
echo $query;

will return:

INSERT INTO tbl (`topic`) VALUES('f'); delete from tbl;

and this is not what you wish to happen.

To reach the next level of your programming skills in PHP, you should read the PDO documentation (http://php.net/pdo) and learn more about the use of parameters in an SQL statement :)
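The following is an added example, not code from the question or the answer: it builds the same INSERT the unsafe way, then does it with a PDO prepared statement so that the answer's `f'); delete from tbl;` value and a value with both kinds of quotes are stored verbatim. It assumes a table `tbl` with `topic` and `detail` columns and uses an in-memory SQLite database so it runs offline; only the DSN changes for MySQL.

```php
<?php
// Constructed inputs: the answer's injection string, plus one with both quote types.
$topic  = "f'); delete from tbl;";
$detail = "It's a \"test\" with both kinds of quotes.";

// 1. Unsafe: the value is spliced into the SQL text, so a quote inside it
//    terminates the string literal and the rest is parsed as SQL.
function buildUnsafeInsert(string $topic, string $detail): string
{
    return "INSERT INTO tbl (topic, detail) VALUES ('$topic', '$detail');";
}
echo buildUnsafeInsert($topic, $detail), "\n";
// Prints: INSERT INTO tbl (topic, detail) VALUES ('f'); delete from tbl;', 'It's a "test" ...');
// A syntax error at best, an extra statement at worst.

// 2. Safe: the SQL text is fixed and the values are bound separately, so
//    quotes inside them are only data, never syntax.
function insertTopic(PDO $pdo, string $topic, string $detail): int
{
    $stmt = $pdo->prepare('INSERT INTO tbl (topic, detail) VALUES (:topic, :detail)');
    $stmt->execute([':topic' => $topic, ':detail' => $detail]);
    return (int) $pdo->lastInsertId();
}

// In-memory SQLite stands in for MySQL (assumption); for MySQL use
// new PDO('mysql:host=localhost;dbname=forum', 'DB_USER', 'DB_PASSWORD').
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // errors throw instead of returning false
$pdo->exec('CREATE TABLE tbl (id INTEGER PRIMARY KEY, topic TEXT, detail TEXT)');

$id = insertTopic($pdo, $topic, $detail);

// Read the row back with a bound parameter as well, and confirm the quotes survived untouched.
$stmt = $pdo->prepare('SELECT topic, detail FROM tbl WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

echo $row['topic'] === $topic && $row['detail'] === $detail
    ? "stored verbatim: {$row['topic']} / {$row['detail']}\n"
    : "mismatch\n";
```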

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow