Home/ Questions/Q 5985343
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T22:31:00+00:00

I am making a dynamic web page that allows people to post their favorite

  • 0

I am making a dynamic web page that allows people to post their favorite recipes. Below each recipe is a link that allows you to make a comment on the recipe. If you make a comment, the comment will be posted in the database UNLESS the comment has any apostrophes in it. Here’s the code for the addcomment.inc.php page:

<?php


$con = mysql_connect("localhost", "test", "test") or die('Sorry, could not connect to database server');
mysql_select_db("recipe", $con) or die('Sorry, could not connect to database');
$recipeid = $_GET['id'];
$query = "select title from recipes where recipeid = $recipeid";
$result = mysql_query($query) or die('Could not retrieve file: ' . mysql_error());

echo "<form action=\"index.php\" method=\"post\">\n";

if (mysql_num_rows($result) == 0) { 
    $title = "Unknown Title";

} 
else { 
    while($row=mysql_fetch_array($result, MYSQL_ASSOC)) { 
    $title = $row['title']; 
    }
}   

echo "<h2>Enter your comment for the recipe \"$title.\" </h2>";

echo "<textarea rows=\"10\" cols=\"50\" name=\"comment\"></textarea><br>\n";

echo "Submitted by:<input type=\"text\" name=\"poster\"><br>\n";

echo "<input type=\"hidden\" name=\"recipeid\" value=\"$recipeid\">\n";

echo "<input type=\"hidden\" name=\"content\" value=\"addcomment\">\n";

echo "<br><input type=\"submit\" value=\"Submit\">\n";

echo "</form>\n";

?>

A different php file called addcomment.inc.php retrieves the information. This is the code below:

<?php

$recipeid = $_POST['recipeid'];

$poster = $_POST['poster'];

$comment = htmlspecialchars($_POST['comment']);

$date = date("Y-m-d");

$con = mysql_connect("localhost", "test", "test") or die('Could not connect to server');

mysql_select_db("recipe", $con) or die('Could not connect to database');

$query = "INSERT INTO comments (recipeid, poster, date, comment) " .

" VALUES ($recipeid, '$poster', '$date', '$comment')";

$result = mysql_query($query) or die('Could not query databse. ' . mysql_error());

if ($result)

echo "<h2>Comment posted</h2>\n";

else

echo "<h2>Sorry, there was a problem posting your comment</h2>\n";

echo "<a href=\"index.php?content=showrecipe&id=$recipeid\">Return to recipe</a>\n";

?>

How can I make this code properly handle single quotes if inputted into a comment form?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Before you glue anything into the MySql query pass it through mysql_real_escape_string()

    Before you glue anything into HTML pass it through htmlspecialchars()

    This way you can prevent SQL injections, JavaScript/HTML injections and wildfires.

    • 0