How do I make <textarea> only recognize apostrophes as text?

In simple terms, the "textarea" on my website is like a text message: it allows users to enter text and post it on the page. I just found out that it treats the text as some kind of code, possibly SQL.

When I typed "Hi, we're fine," the apostrophe in "we" caused some confusion.

The error message displayed in the browser:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 're all set')' at line 1

      

Just in case you're wondering, here's the html:

<form action="comi.php" method="post">
    <textarea maxlength="227" type="text" name="input" cols="45" rows="4"></textarea>
    <input type="submit" value="POST" id="button" />
</form>

I thought it might have something to do with the database, can anyone help?

Thank you in advance:)

+3




3 answers


To prevent SQL injection, you must use stored procedures.

CREATE PROCEDURE saveText
    @textArea nvarchar(50)
AS 
SET NOCOUNT ON;

INSERT INTO myTable 
    (textArea)
VALUES
    (@textArea)
GO

This way, you won't have a problem if you have an apostrophe in your input.

+1




You need to escape the string you typed so the SQL engine doesn't get confused.

// The form field is declared with name="input", so that is the key in $_POST.
$input = $_POST["input"];
$safe_input = mysql_real_escape_string($input);

You need to use this in your SQL statement.



Attention

As others are trying to tell you, you are leaving yourself open to SQL injection attacks. After you work on it, you should read about it. There is a link in the comments.

0




// The form field is declared with name="input", so that is the key in $_POST.
$input = $_POST["input"];
$safe_input = addslashes($input);

0
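
The error in the question comes from placing the submitted text directly inside the SQL string. As an added example (not code from the question or from any answer), the script below contrasts that with a PDO prepared statement; the `comments` table, its `body` column and the in-memory SQLite database are assumptions made so that it runs stand-alone.

```php
<?php
// Added example, not the asker's comi.php. Assumptions: a table named
// `comments` with a `body` column, and an in-memory SQLite database so the
// script runs offline. For MySQL only the DSN changes, e.g.
// new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input; in the real handler this is $_POST['input'],
// because the form field is declared with name="input".
$input = "Hi, we're fine";

// Before: the text is pasted into the SQL string, so its apostrophe closes
// the string literal early and the rest is parsed as SQL.
function saveByConcatenation(PDO $pdo, string $text): bool
{
    try {
        $pdo->exec("INSERT INTO comments (body) VALUES ('$text')");
        return true;
    } catch (PDOException $e) {
        echo 'Concatenated query failed: ', $e->getMessage(), PHP_EOL;
        return false;
    }
}

// After: the statement contains only a placeholder and the text is bound as
// data, so no character in it can change the structure of the query.
function saveWithPlaceholder(PDO $pdo, string $text): void
{
    // maxlength="227" is enforced only by the browser; repeat it server-side.
    if (mb_strlen($text) > 227) {
        throw new LengthException('Comment longer than 227 characters');
    }
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $text]);
}

saveByConcatenation($pdo, $input);   // the apostrophe breaks this statement
saveWithPlaceholder($pdo, $input);   // the same text is stored unchanged

foreach ($pdo->query('SELECT body FROM comments') as $row) {
    // Escape on output as well, since the text is shown on the page.
    echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

The length check uses `mb_strlen`, which requires PHP's mbstring extension.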

