Azyrus Azyrus - 1 month ago 6
PHP Question

Preparing HTML Form Input for SQL Database using PHP

I'm currently testing a html form which sends the data through php to the sql database. The problem I'm facing is special characters break the form and don't update the database. I haven't tested all the special characters but mainly

`
and
'
are the culprits. I've tried mysql_escape_string, preg_replace and add_slashes with no success. What am I missing?

$description = preg_replace('/[^A-Za-z0-9\ %&$=+*?()!.-]/', ' ', $_POST['description']);
$description = preg_replace("/[\n\r]/"," ",$description);

// Items Insert
foreach ($item as $index=>$value) {
$sqlItems .= "
INSERT INTO quote_items (quote_id, item, description, amount, gst)
VALUES ('$last_id', '$item[$index]', '$description[$index]', '$amount[$index]', '$gst[$index]');
";
}


Thanks in advance!

Answer

you can try this (a little dirty) but it should allow those 2 characters to be saved

$sqlItems .= '
    INSERT INTO `quote_items` (quote_id, item, description, amount, gst)
    VALUES ("'.$last_id.'", "'.$item[$index].'", "'.$description[$index].'", "'.$amount[$index].'", "'.$gst[$index].'");
';

EDIT: sorry had the quotes reversed