[RESOLVED] Data Type to use for strange characters

saltious

hello fellow geeks!

i am building a helpdesk system for my office.
i am using mysql, php and IIS 6.

i am making good progress but they data type i have used for my main fault entry field is not good. if you type a an apostrophy or \'s etc it crashes or removes it.

i understand this is because of the data type i used for the field... which was text.

does anyone know what datatype will not moan at any character or what i need do php wise so that any character any user enters is saved accordingly and does not crash the form?

i know its possible cos i have writen them in this thread and they will show properly on the forum without causing issue.

many thanks all! Your Great!

bradgrafelman

saltious wrote:
i understand this is because of the data type i used for the field... which was text.

TEXT, VARCHAR, CHAR, etc. can all handle apostrophes, backslashes, even accented characters just fine - you have to handle the data properly, however.

It sounds like you're doing something like this:

$msg = $_POST['msg'];

$query = "INSERT INTO myTable (message) VALUES ('$msg')";

which is very, very bad. User-supplied data should never be placed directly into a SQL query. Instead, it should first be sanitized with a function such as [man]mysql_real_escape_string/man.

saltious

Bingo!!

lesson learned

Nice One!!

sfullman

you can run phpinfo() on a page to see if magic_runtime_quotes is turned on. If so it will add slashes to both GET and POST requests from the user. I have found this to work without a problem. However, if you ever get data from an sql query within your page coding, remember it does NOT have slashes added, so to put it back in the database you need to invoke addslashes() on it if it's a char, varchar or text etc. field type and there's any chance there is a ' or ".

Samuel

Weedpacket

Better yet, use the PDO extension and have it handle the escaping for you (among other things).