I have a PHP MySQL database which I will be storing all my information in开发者_开发技巧. I have a text field on a HTML page that the user can add data to and then on submit a MySQL query inserts this information into a database. Pretty standard stuff.
However, I am now in a position where I can attach a TinyMCE or FCKEditor onto my text field (now a text area). My question is: How do I get this information into the database now, taking into account that the tags will affect the MySQL query, and stripping any tags would impair the display of said information on another page?
I know about strip_tags and similar PHP features but my problem isn't going to be with the PHP it's going to be with the database input with MySQL, any " or ' or ; will break the query and removing these tags before input would remove any format enhancements the user has made.
I am under the assumption also, that if I use mysql_real_escape_string I would need to strip the slashes before I display the data - and this would take all the slashes out of the close tags as well: ,
etc.You need to escape the value before you insert it in your SQL statement. If you use the mysql extension, you use the mysql_real_escape_string
to do this:
$text = mysql_real_escape_string($_POST['text']);
It escapes characters such as quotation marks, so you can safely insert the value in database.
Look at this:
http://php.net/manual/en/function.mysql-real-escape-string.php
// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
精彩评论