+5  A: 

You need to escape your strings; it looks like mysql_real_escape_string will do the job in PHP.

Albin Sunnanbo
+5  A: 

Are you escaping the HTML before attempting to insert it into the database? Assuming your HTML is stored in the variable $html:

// Escape quotes, backslashes and other special characters so the value can sit safely inside the SQL quotes
$html = mysql_real_escape_string($html);
// The escaping is consumed by the SQL parser; the row stores the original, unescaped HTML
$sql = "INSERT INTO html_docs (html) VALUES('$html')";
mysql_query($sql);
mellowsoon
+3  A: 

The normal advice is don't concatenate parameters and code to build the SQL; use static SQL and pass data as parameters. All decent SQL APIs have parameter-binding mechanisms.

However, AFAICT, there is no such mechanism in PHP database APIs. Instead, it seems that you should use mysql_real_escape_string to escape strings before injecting them into your SQL statements. Please, someone tell me that I'm wrong and that the PHP authors aren't that stupid.

Marcelo Cantos
There is a thing called PDO which can do this. AFAIK it's not in PHP by default.
cherouvim
So what do I use when I want to print it as normal HTML again? I mean, sometimes the data appears as <img src=//"0 .... without the image actually being shown. Is there something like mysql_get_back_original_form_of_the_string()?
Zach Wild
This should never happen. It's difficult to provide any advice, however, without seeing some relevant snippets of code.
Marcelo Cantos
@Zack - Escaped strings aren't stored in the database escaped. When you query the database you'll get your string back unescaped. This may be helpful to you: http://www.php.net/manual/en/security.magicquotes.disabling.php
mellowsoon
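The two points made in this thread, that data should be passed as bound parameters rather than pasted into the SQL text, and that an escaped string is stored and read back unescaped, can be checked end to end. The following is an added example, not code from any poster; it uses Python with an in-memory SQLite database instead of PHP/MySQL so it runs offline, and the table name html_docs, the function names and the SAMPLE_HTML value are constructed for the illustration. The insert_escaped helper doubles single quotes, which is SQLite's quoting rule; mysql_real_escape_string uses MySQL's backslash rules instead, but the storage behaviour is the same.

```python
import sqlite3

# Constructed sample input: HTML containing an apostrophe and an <img> tag,
# the kind of value the question is about.
SAMPLE_HTML = "<p>It's <img src=\"x\"></p>"


def open_db():
    """Create an in-memory database with a html_docs table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE html_docs (id INTEGER PRIMARY KEY, html TEXT NOT NULL)")
    return conn


def insert_concatenated(conn, html):
    """The pattern the answers warn against: the value is pasted into the SQL text.
    Returns True if the statement ran, False if the database rejected it.
    An apostrophe in the data terminates the SQL string literal early, which is
    exactly the failure mode that lets untrusted input change the statement."""
    sql = "INSERT INTO html_docs (html) VALUES('" + html + "')"
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.Error:
        return False


def insert_escaped(conn, html):
    """Closest analogue of the thread's mysql_real_escape_string approach for SQLite:
    double every single quote so the value fits inside the SQL quotes. The escaping
    is consumed by the SQL parser; the stored value is the original text."""
    sql = "INSERT INTO html_docs (html) VALUES('" + html.replace("'", "''") + "')"
    conn.execute(sql)
    conn.commit()


def insert_bound(conn, html):
    """Static SQL with the value passed as a bound parameter. The driver never
    interprets the data as SQL, so no escaping is needed and nothing is stored
    in escaped form. This is what the 'parameter binding' advice means."""
    conn.execute("INSERT INTO html_docs (html) VALUES(?)", (html,))
    conn.commit()


def fetch_all_html(conn):
    """Read every stored document back; nothing needs to be 'unescaped'."""
    return [row[0] for row in conn.execute("SELECT html FROM html_docs ORDER BY id")]


if __name__ == "__main__":
    conn = open_db()
    print("concatenated insert succeeded:", insert_concatenated(conn, SAMPLE_HTML))
    insert_escaped(conn, SAMPLE_HTML)
    insert_bound(conn, SAMPLE_HTML)
    for html in fetch_all_html(conn):
        print("stored as:", html)
```

Running it shows the concatenated insert failing on the apostrophe, while both the escaped and the bound insert store and return the HTML exactly as it was given, so the answer to "how do I get the original form back" is that a plain SELECT already does.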