Monday 7 January 2019

php - String Containing double quotes is inserted incomplete in DB

You need to escape your quotes.

If your DB is MySQL, pass all your data through the mysql_real_escape_string() function before saving them to the DB.

If you don't do this, you risk major security holes in your code, not just data going missing!

(In case you aren't doing it already, you should also be escaping other data for other purposes as well; e.g. data being sent back to the browser should be escaped to prevent rogue users adding raw HTML or JavaScript code to it to manipulate your site.)

There are a number of functions in PHP to deal with adding and removing escape characters and data filtering. If you want your site to be secure, you need to learn these functions and techniques.

[edit]

After seeing your edit:

Firstly, you need to escape all the strings in your query, not just the description, so add escaping to $_POST['logoimage1'], etc., as you'll have the same problems if any of those contain quotes.

However, the escaping on the description field looks correct so I don't know why it would be truncated. The man page for mysql_real_escape_string() states that it escapes double and single quotes, so it should be okay for you. You can test this by print()ing the fully escaped SQL string; this will show if there's anything left unescaped.

Shot in the dark - have you checked the maximum length of your description field in the database? That could also cause string truncation. Unlikely though; I imagine if you're inputting with a textarea you'll have set it up to be long enough.
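As an added example (not part of the original question or answer), here are the three ways of building that INSERT in PHP side by side: the unescaped form that produces the broken statement behind the truncation the question describes, the escaped form with every field (not only the description) passed through real_escape_string(), and a prepared statement, plus the output-side escaping the answer mentions. The answer names mysql_real_escape_string(); the mysql_* extension was removed in PHP 7.0, so the mysqli equivalent is used here. The table and column names, the connection credentials and the sample form values are all constructed placeholders.

```php
<?php
// Added example, not code from the original post. Assumes a MySQL server is
// reachable with the placeholder credentials below; the first two demonstrations
// (the unsafe query string and the HTML escaping) run without any database.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Constructed form submission containing double quotes, a single quote and a
// backslash, the kind of input the question's description field receives.
$post = [
    'description' => 'A 12" monitor, "refurbished", owner\'s choice \\ promo',
    'logoimage1'  => 'logo "A".png',
];

// The 'before': values dropped straight into the SQL text. The first double
// quote inside the description closes the string literal, so the statement is
// no longer the one intended (with a crafted value it can be any statement).
function buildInsertUnsafe(array $post): string
{
    return 'INSERT INTO products (description, logoimage1) VALUES ("'
        . $post['description'] . '", "' . $post['logoimage1'] . '")';
}

// The 'after': every string value is run through real_escape_string() on the
// live connection (it needs the connection charset to escape correctly),
// not only the description field.
function buildInsertEscaped(mysqli $db, array $post): string
{
    $desc = $db->real_escape_string($post['description']);
    $logo = $db->real_escape_string($post['logoimage1']);
    return "INSERT INTO products (description, logoimage1) VALUES (\"$desc\", \"$logo\")";
}

// Preferred form: a prepared statement sends the values separately from the
// SQL text, so no escaping is needed and no quote can alter the statement.
function insertPrepared(mysqli $db, array $post): bool
{
    $stmt = $db->prepare('INSERT INTO products (description, logoimage1) VALUES (?, ?)');
    $stmt->bind_param('ss', $post['description'], $post['logoimage1']);
    return $stmt->execute();
}

// Output side (the answer's second point): escape before echoing a stored
// value back to the browser so it cannot inject HTML or script into the page.
function renderDescription(string $description): string
{
    return '<p>' . htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Runs offline: shows where the unescaped literal breaks and how " becomes &quot;.
echo buildInsertUnsafe($post), PHP_EOL;
echo renderDescription($post['description']), PHP_EOL;

// Needs the database: placeholder connection details, not real values.
$db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

echo buildInsertEscaped($db, $post), PHP_EOL;   // \" \' and \\ now appear escaped
insertPrepared($db, $post);
```

Printing the escaped string, as the answer suggests, is the quickest check: every `"`, `'` and `\` in the user value should appear with a leading backslash, and anything left bare is a field that was not passed through the escaping function. The prepared-statement form removes that inspection step entirely, because the values never become part of the SQL text.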
