Hey ya guys

This is in regards to PHP, Mysql and Html's textarea.

I want to dump a user's input from html's textarea into my mysql database. The situation is that if the user has semi-colons within the text itself, mysql will reject the insert command for obvious reasons. What I want to know is: are there any ways to force mysql to take in a user's input regardless of its syntax?

Much appreciated in advance :)

+3  A: 

You need to escape any SQL special characters, such as semi-colon. mysql_real_escape_string might be useful.

Don't forget to escape user input if you send it back to a browser, otherwise you will be vulnerable to XSS (cross-site scripting) attacks. Of course, this time you'll need to escape HTML special characters, not SQL.

Cameron Skinner
A: 

Any text fields should be escaped using the php function "mysql_real_escape_string" before being inserted into MySQL:

http://us2.php.net/manual/en/function.mysql-real-escape-string.php

orvado
A: 

The above answer is correct, but to add to what he said, you can use strip_tags() to sanitize output to avoid XSS.

Glenn Nelson
A: 

I want to dump a user's input from html's textarea into my mysql database. The situation is that if the user has semi-colons within the text itself, mysql will reject the insert command for obvious reasons.

No, it won't because the semicolon is inside single quotes -- it doesn't require escaping. I.e.:

CREATE TABLE `new_table` (
  `id` int(11) NOT NULL,
  `col` varchar(45) DEFAULT NULL,
  PRIMARY KEY (`id`)
);

INSERT INTO new_table VALUES (1, 'test;');

...will insert just fine.

The bigger issue is that allowing other characters leaves you open to scripting attacks, because people could insert a javascript scriptlet in the textarea that will execute on the page load.

OMG Ponies
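One way to handle both points raised in the answers above (storing the text verbatim, and escaping it for the browser on the way out), as an added example that is not from any of the answers: it swaps in a PDO prepared statement for mysql_real_escape_string, assumes the `new_table` schema shown above, and uses placeholder connection credentials you must replace.

```php
<?php
// Added example, not from any answer on this page.
// Assumes: table `new_table` (id INT, col VARCHAR(45)) as in the CREATE TABLE above,
// and a MySQL DSN/user/password (placeholders below) that you must fill in.

function saveComment(PDO $db, int $id, string $text): void
{
    // A bound placeholder keeps the text out of the SQL grammar entirely, so
    // semicolons, quotes and backslashes in $text are stored verbatim and
    // cannot change the statement.
    $stmt = $db->prepare('INSERT INTO new_table (id, col) VALUES (:id, :col)');
    $stmt->execute([':id' => $id, ':col' => $text]);
}

function renderComment(string $text): string
{
    // Escape for the HTML context on the way out: a stored
    // "<script>alert('xss')</script>" (or a stray "</textarea>") is shown
    // as inert text instead of being parsed as markup.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<textarea name="comment">' . $safe . '</textarea>';
}

// Placeholder credentials: replace host, database, user and password.
$db = new PDO(
    'mysql:host=localhost;dbname=test;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]
);

// Constructed sample input containing the characters the question worries about.
$input = "it's a test; <script>alert('xss')</script>";
saveComment($db, 1, $input);

$row = $db->query('SELECT col FROM new_table WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo renderComment($row['col']);
```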
A: 

Much appreciated guys. Worked perfectly.

A small follow-up question: is there a big difference between textarea and traditional text boxes? The reason I ask is that it seems like when I retrieve data from the database, strings that contain colons etc. have no problems being displayed inside a textarea but would not display if it were a text box.

Jase