The string –

```html
<object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/ebopIWPoXI0?fs=1&hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/ebopIWPoXI0?fs=1&hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object>
```
What gets stored in the database –

```html
<object width=\"480\" height=\"385\"><param name=\"movie\" value=\"http://www.youtube.com/v/ebopIWPoXI0?fs=1
```
Already using – mysql_real_escape_string(), which doesn't help with the &:

```php
// Escape the description before it is concatenated into the query.
// (The title and session uid are escaped here as well; the original post
// concatenated them unescaped, which is a SQL injection defect.)
$_POST['desc'] = mysql_real_escape_string($_POST['desc']);
$_POST['title'] = mysql_real_escape_string($_POST['title']);
$uid = mysql_real_escape_string($_SESSION['uid']);
// Values are wrapped in double quotes, which MySQL accepts but which is not
// the standard SQL string delimiter (see the answer below).
mysql_query('INSERT INTO user_showcase( title, description, user_id, date_n_time) VALUES( "'.$_POST['title'].'", "'.$_POST['desc'].'", "'.$uid.'", NOW())') or die(mysql_error());
mysql_close($con);
```
The HTML –

```html
<textarea id="desc_in" cols="40" rows="10"></textarea>
```
mysql_real_escape_string() is the proper mechanism if you are using the legacy MySQL library. If you are getting all those additional backslashes it's probably because your PHP environment is very old. Run

```php
<?php phpinfo(); ?>
```

and find the directives that start with `magic_`:

Ideally, they should all be disabled. If you run PHP as Apache module, you can change it in an `.htaccess` file:

If you run PHP as CGI, you'll probably have a custom `php.ini` file somewhere in your account.

As already mentioned, `&` is not a special char for MySQL.

Answer to updated question

The standard string delimiter in SQL is the single quote, not the double quote:
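As an added example (not the asker's or the answerer's code), the following shows the same insert with magic quotes undone on the way in and the value handed to MySQL through a prepared statement, so quotes, backslashes and the `&` reach the database exactly as typed. It assumes an open mysqli connection in `$con` and the `user_showcase` table from the question; the function names `undo_magic_quotes`, `insert_showcase` and `build_legacy_sql` are chosen here. It is written without PHP 7 syntax so it also loads on the old PHP versions where magic quotes are still a concern.

```php
<?php
// Added example, not code from the question or the answer. Assumes an open
// mysqli connection in $con and the user_showcase table from the question.
// Function names (undo_magic_quotes, insert_showcase, build_legacy_sql) are
// chosen here.

// Constructed sample input: the embed markup from the question, with the "&"
// that appeared to be lost and the double quotes that picked up backslashes.
$sample = '<object width="480" height="385"><param name="movie" '
        . 'value="http://www.youtube.com/v/ebopIWPoXI0?fs=1&hl=en_US"></param></object>';

// Undo magic_quotes_gpc when an old PHP still adds backslashes to every
// request value; otherwise the value is escaped twice and \" ends up in the
// table. get_magic_quotes_gpc() exists up to PHP 7.4; the function_exists()
// guard keeps this file loading on PHP 8, where it has been removed.
function undo_magic_quotes($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Insert through a prepared statement. The values travel separately from the
// SQL text, so no manual escaping and no delimiter choice is involved, and "&"
// is just another byte. Returns the new row id.
function insert_showcase(mysqli $con, $title, $desc, $uid)
{
    $stmt = $con->prepare(
        'INSERT INTO user_showcase (title, description, user_id, date_n_time)'
        . ' VALUES (?, ?, ?, NOW())'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $uid = (int) $uid;
    $stmt->bind_param('ssi', $title, $desc, $uid);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Legacy-style query for comparison only: every value escaped with the
// connection's charset and wrapped in the standard single-quote delimiter.
// It is still string concatenation, so prefer insert_showcase() above.
function build_legacy_sql(mysqli $con, $title, $desc, $uid)
{
    return "INSERT INTO user_showcase (title, description, user_id, date_n_time) VALUES ('"
        . $con->real_escape_string($title) . "', '"
        . $con->real_escape_string($desc) . "', "
        . (int) $uid . ", NOW())";
}

// Usage: only runs when a mysqli connection named $con already exists, so the
// file can be included without side effects.
if (isset($con) && $con instanceof mysqli) {
    $title = isset($_POST['title']) ? undo_magic_quotes($_POST['title']) : 'sample';
    $desc  = isset($_POST['desc'])  ? undo_magic_quotes($_POST['desc'])  : $sample;
    $uid   = isset($_SESSION['uid']) ? $_SESSION['uid'] : 0;
    $id = insert_showcase($con, $title, $desc, $uid);
    echo "inserted row $id\n";
}
```

On a PHP build that still has magic quotes, the directive the answer alludes to for an Apache module setup is `php_flag magic_quotes_gpc Off` in `.htaccess` (the same setting as `magic_quotes_gpc = Off` in `php.ini`); `undo_magic_quotes()` covers the case where you cannot change either. Note that the stored value is raw HTML that the showcase page will presumably render, so whatever reads `description` back out needs its own rule for which markup is allowed; neither escaping for SQL nor the prepared statement addresses that.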