
PHP double quotes in input

Posted: Sun Jan 16, 2011 10:15 am
by sshaham1
I'm designing a website that takes user input from a <textarea></textarea> and enters the input into a database. Everything works except if the user has double quotes (") in his/her message. (The name of the table that I want to add to is alluserposts.)

What I have so far is the following:
from index.php:
<form action="insert2.php" method="post"><textarea name="user_post" rows="6" cols="35"></textarea></form>

from insert2.php:
mysql_query("INSERT INTO alluserposts (post_value) VALUES(" . "\"" . $_POST['user_post'] . "\")" ,$db) or die(mysql_error($db));

I want the user to be able to input any character. How can I do that?

Re: PHP double quotes in input

Posted: Sun Jan 16, 2011 12:21 pm
by jankidudel
Have you tried to use some function like mysql_real_escape_string?

Re: PHP double quotes in input

Posted: Sun Jan 16, 2011 9:18 pm
by Jonah Bron
You must _always_ use mysql_real_escape_string() to clean user input for MySQL queries. Not doing so introduces problems like the one you're experiencing now, and a more dangerous issue called "SQL Injection".
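
Added example, not code from any poster in this thread: it rebuilds the concatenated INSERT from the question to show where a double quote breaks the statement, then stores the same inputs through a parameterized query, the replacement for manual escaping now that the mysql_* functions were removed in PHP 7.0. Assumptions: the pdo_sqlite extension is available and an in-memory SQLite database stands in for the MySQL server so the script runs offline; the sample inputs are constructed, and build_concatenated() is a hypothetical helper name.

```php
<?php
// Added example. Table and column names (alluserposts, post_value) come from
// the question; the SQLite in-memory database is a stand-in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE alluserposts (id INTEGER PRIMARY KEY, post_value TEXT)');

// Constructed sample inputs standing in for $_POST['user_post'].
$samples = [
    'plain text',
    'She said "hello" to me',
    "it's got 'single' quotes too",
    'C:\\temp\\notes; 100% "done"',
];

// 1) The concatenation used in insert2.php: the input becomes part of the SQL text.
function build_concatenated(string $post): string
{
    return 'INSERT INTO alluserposts (post_value) VALUES("' . $post . '")';
}

foreach ($samples as $post) {
    echo build_concatenated($post), PHP_EOL;
}
// For the second sample the statement reads VALUES("She said "hello" to me"):
// the string literal ends at the quote before hello, so the rest no longer
// parses as SQL. That is the error the question describes.

// 2) Parameterized insert: the SQL text is fixed and the value is sent
//    separately, so no character in the input can change the statement.
$insert = $db->prepare('INSERT INTO alluserposts (post_value) VALUES (:post)');
foreach ($samples as $post) {
    $insert->execute([':post' => $post]);
}

// Read the rows back and confirm each one matches what was submitted.
$stored = $db->query('SELECT post_value FROM alluserposts ORDER BY id')
             ->fetchAll(PDO::FETCH_COLUMN);
foreach ($samples as $i => $post) {
    echo ($stored[$i] === $post ? 'ok   ' : 'DIFF ') . $post . PHP_EOL;
}
```

Against a MySQL server the same prepare() and execute() calls apply through PDO's mysql: driver; only the DSN passed to the PDO constructor changes.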