That's because you need to quote strings in SQL statements:

```sql
INSERT INTO a(textfield) VALUES('somestring');
```
And if you build the string with a variable in PHP you risk breaking things up. Potentially very bad things can happen.

```php
<?php
$var = "not ' a good idea to let this through without escaping it";
$qry = "INSERT INTO a(textfield) VALUES('$var')";
echo $qry;
```
Output of the above:

```text
INSERT INTO a(textfield) VALUES('not ' a good idea to let this through without escaping it');
                                     ^
                                     |
```

See here... the string is terminated.
What should the DB do with the rest of the line?
Some DBs have functions to deal with this; for others you need to deal with it on your own. For example, MySQL has `mysql_real_escape_string()`. See php.net for documentation.
And just to point out how bad things can end up without properly sanitizing user input, I give you this (thanks to laserlight)
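The same failure and its two fixes, as an added example that is not code from the answer above: it uses Python with an in-memory SQLite database in place of PHP/MySQL. The table `a(textfield)` and the sample input are constructed to match the answer; SQLite has no `mysql_real_escape_string()`, so the escaping helper here is hand-written (doubling single quotes, which is standard SQL), and the parameterised insert is the approach to prefer because the value never becomes part of the SQL text at all.

```python
import sqlite3

# Constructed sample input: the same awkward string the answer uses.
USER_INPUT = "not ' a good idea to let this through without escaping it"


def fresh_db():
    """Create an in-memory database with the table from the answer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE a(textfield TEXT)")
    return conn


def insert_by_concatenation(conn, value):
    """The pattern the answer warns against: the value is pasted straight into
    the SQL text. Returns the database error message if the statement fails,
    or None if it ran. A stray quote in `value` terminates the literal early."""
    qry = f"INSERT INTO a(textfield) VALUES('{value}')"
    try:
        conn.execute(qry)
        conn.commit()
        return None
    except sqlite3.Error as exc:
        return str(exc)


def insert_with_escaping(conn, value):
    """Hand-written counterpart of the escaping approach the answer mentions:
    in standard SQL a literal single quote inside a string is written as two
    single quotes. This is an assumption for SQLite, not a library call."""
    escaped = value.replace("'", "''")
    conn.execute(f"INSERT INTO a(textfield) VALUES('{escaped}')")
    conn.commit()


def insert_with_parameters(conn, value):
    """Preferred fix: a parameterised query. The driver sends the value
    separately from the statement, so quotes in it cannot alter the SQL."""
    conn.execute("INSERT INTO a(textfield) VALUES(?)", (value,))
    conn.commit()


def stored_values(conn):
    """Return every textfield value currently in table a."""
    return [row[0] for row in conn.execute("SELECT textfield FROM a")]


if __name__ == "__main__":
    db = fresh_db()
    err = insert_by_concatenation(db, USER_INPUT)
    print("concatenation:", "failed with:" if err else "ok", err or "")

    db = fresh_db()
    insert_with_escaping(db, USER_INPUT)
    print("escaping stored:", stored_values(db))

    db = fresh_db()
    insert_with_parameters(db, USER_INPUT)
    print("parameters stored:", stored_values(db))
```

Run it and the concatenated statement fails with a syntax error at the word after the stray quote, exactly where the caret in the answer points, while both the escaped and the parameterised inserts store the original string unchanged.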