I’m using the following form code:
<form enctype="multipart/form-data" action="process.php" method="POST">
<input type="text" name="draftTitle"/>
<textarea name="draftText" class="draftText"></textarea>
<input type="file" name="uploadfile"/>
<button class="draftSubmit">Add</button>
</form>
As you can see, the form contains fields for both text and files. When I submit the form with an apostrophe in the textarea, nothing gets submitted. In process.php I’m stripping slashes and properly sanitizing the POST data, but it seems the problem is related to the form enctype. Any ideas on how to prevent the apostrophe from messing up the syntax?
UPDATE: This is the output from the form:
-----------------------------276443266232757\r\nContent-Disposition: form-data;
name="MAX_FILE_SIZE"\r\n\r\n4000000\r\n-----------------------------276443266232757\r\nContent-Disposition: form-data;
name="userID"\r\n\r\n2\r\n-----------------------------276443266232757\r\nContent-Disposition: form-data;
name="lineID"\r\n\r\n1\r\n-----------------------------276443266232757\r\nContent-Disposition: form-data;
name="draftTitle"\r\n\r\nThis is my title\r\n-----------------------------276443266232757\r\nContent-Disposition: form-data;
name="uploadfile";
filename=""\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------276443266232757\r\nContent-Disposition: form-data;
name="draftText"\r\n\r\nIt's my description with an apostrophe in it.\r\n-----------------------------276443266232757--\r\n
As you will see there are a few extra fields. I removed them above to simplify the question.
UPDATE
I’m using the following code to insert to the database.
$query = "INSERT INTO posts (line_id, user_id, stamp_title, element, type) VALUES ('$line_id', '$user_id', '$stamp_title', '$data', '$type')";
mysql_query($query);
Solved:
I added mysql_real_escape_string and it worked. Thanks to all who helped!
$data = mysql_real_escape_string($data);
If your form submission is:
Which is perfectly fine, your apostrophes are there.
However, from this to:
Seems to be the issue, since you’re using apostrophes in your SQL insert. You should call mysqli_real_escape_string() or PDO::quote() (if you have that extension) on each of your input variables.
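As an added example (not code from the question or the answer above), here is the same INSERT rewritten as a PDO prepared statement, which sends the values separately from the SQL text instead of escaping them into it. The table and column names are the ones from the question; the DSN, credentials and the `'text'` type value are assumptions.

```php
<?php
// Added example: parameterized version of the INSERT from the question.
// DSN, credentials and the 'text' type value are placeholders.
declare(strict_types=1);

function insertPost(PDO $pdo, int $lineId, int $userId, string $title, string $data, string $type): int
{
    // The ? placeholders are bound at execute time, so an apostrophe in
    // $data (e.g. "It's my description") can never close the string
    // literal or alter the statement. No escaping call is needed.
    $stmt = $pdo->prepare(
        'INSERT INTO posts (line_id, user_id, stamp_title, element, type)
         VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$lineId, $userId, $title, $data, $type]);
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // placeholder DSN
    'db_user',                                                 // placeholder user
    'db_password',                                             // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // native server-side prepares
    ]
);

// Fields exactly as they appear in the posted multipart body above.
$lineId     = (int) ($_POST['lineID'] ?? 0);
$userId     = (int) ($_POST['userID'] ?? 0);
$draftTitle = (string) ($_POST['draftTitle'] ?? '');
$draftText  = (string) ($_POST['draftText'] ?? '');

$newId = insertPost($pdo, $lineId, $userId, $draftTitle, $draftText, 'text');
```

With a prepared statement the `mysql_real_escape_string()` line from the "Solved" update is unnecessary, and stripping slashes beforehand is no longer needed either.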