PHP and Mysql - issue with submitting html to the db

Alright, I am somewhat new to PHP and programming in general, with very little experience, so go easy on me :)

I am trying to submit a block of HTML code, complete with lots of double quotes, to a MySQL database using PHP.

Here is my query to do so:
Code:
$query = "UPDATE content SET content = '$content' , lastedit = '$date' WHERE page = '$page'";

It works fine with a single simple bunch of characters, like "hello world" and "<br>", but seems to fail when I give it large blocks of code, like what you would see on a webpage. It gives me an invalid syntax error, even though the syntax is actually good. I think that somehow it is terminating it early due to a quote or something, even though I can find none in my code.

How can I make this be treated as a single string regardless of what is in it?
 
How are you submitting the HTML? If it's in a form using the GET method, the URL has a maximum length that may be cutting off the end of your submitted data. Try using the POST method instead.

If that's not the case, see if you can submit the data in something like PhpMyAdmin and that will let you know if there's something wrong with your code.
 
In PHP, before you insert into MySQL, use the addslashes function. It will fix any quote issues. Then when you display the info from the database, use the stripslashes command to get rid of them (although sometimes you do not have to do this).
 
I was going to suggest the same thing, addslashes. Another tip: if you are having trouble with return characters, use nl2br(). Also, if you are doing URL encoding, use htmlspecialchars().

All of this info can be found on php.net in the function help files, which show examples and are very helpful.
 
As long as you're dealing with MySQL, you might want to use mysql_real_escape_string() instead of addslashes, since it uses MySQL's backend for escaping the string. It looked like there were two or so other characters that it escapes that addslashes doesn't. You should also consider using strip_tags to remove any tags that you don't want to allow. You should also be sure to check that they aren't submitting any PHP code in their post, as that would be a big security hole.
 
This whole thing is going to be administered by a few people, all of whom would not want to mess up the site (as it is their direct responsibility). Anyhow, any submitted data is just echoed back.
 
If you use prepared statements I don't think you need to worry about escaping the data at all. It should do that for you automatically.

James
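The prepared-statement approach from the last reply, applied to the original UPDATE query, as an added example that is not code from the thread. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table layout, the HTML block and the page name are constructed, and for MySQL the DSN would be something like "mysql:host=localhost;dbname=yourdb" with a username and password.

```php
<?php
// Added example: the same UPDATE done with a PDO prepared statement. The
// HTML is bound as a parameter, so its quotes, backslashes and <tags> are
// stored as data and never parsed as part of the SQL text. No addslashes()
// on the way in, and therefore no stripslashes() on the way out.
$pdo = new PDO('sqlite::memory:');   // assumption: swap for a mysql: DSN in production
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table matching the columns used in the original query.
$pdo->exec("CREATE TABLE content (page TEXT PRIMARY KEY, content TEXT, lastedit TEXT)");
$pdo->exec("INSERT INTO content (page, content, lastedit) VALUES ('home', '', '')");

// Constructed HTML block containing exactly the characters that break a
// string-built query: double quotes, an apostrophe and backslashes.
$content = '<div class="intro">It\'s "quoted" and C:\\path\\ too</div>';
$date    = date('Y-m-d H:i:s');
$page    = 'home';

// Placeholders (?) instead of interpolating $content/$date/$page into the SQL.
$stmt = $pdo->prepare("UPDATE content SET content = ?, lastedit = ? WHERE page = ?");
$stmt->execute([$content, $date, $page]);

// Read it back: the stored value is byte-for-byte what was submitted.
$lookup = $pdo->prepare("SELECT content FROM content WHERE page = ?");
$lookup->execute([$page]);
$row = $lookup->fetch(PDO::FETCH_ASSOC);

var_dump($row['content'] === $content);

// When the page is rendered, this content is echoed as raw HTML on purpose
// (that is what the admins are editing), so only the trusted editors the
// thread describes should be able to reach the form that updates it.
```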
 