0
When I insert into the <input> COMMENT ON A POST a single quote. ', he makes the whole row existing comment, if I put two quotes, '', he returns only one ('), if I put 3, it all goes away and if I put '-' he returns 0.
HTML:
<form id="comentario" method="POST" action="assets/php/post.php">
<input type="hidden" value="<?php echo $id_string; ?>" id="id-publi" name="id">
<input id="input-comentario" name='i-comentario' type="text" class="comentario" placeholder="Digite seu comentário">
<center>
<button class="btn waves-effect waves-light btn " type="submit" id="publicar-button" style="display: none" >Publicar</button></center>
</form>
PHP:
elseif(isset($_POST['comentario'])){
$email=$_COOKIE['login_user'];
$sqlemail="SELECT nome,sobrenome,id FROM usuarios WHERE email='$email'";
$result=$conn->query($sqlemail);
$row=$result->fetch_assoc();
$usuario=$row['id'];
$publicacao=$_POST['id'];
$comentario=$_POST['comentario'];
$sqlcom="INSERT INTO comentario(comentario,id_usuario,id_public) VALUES('$comentario',".$row['id'].",$publicacao)" or die($conn->error);
if($conn->query($sqlcom)===true){
$querl="SELECT * FROM comentario WHERE id_public='$publicacao' and id_usuario='$usuario'";
$resull=$conn->query($querl) or die($conn->error);
$rowl=$resull->fetch_array();
$querp="SELECT * FROM publicacao WHERE id_public='$publicacao'";
$resulp=$conn->query($querp) or die($conn->error);
$rowp=$resulp->fetch_array();
$sqlnoti="INSERT INTO noti(usuario,usuario2,comentario,lido)VALUES('".$rowp['id_usuario']."','".$row['id']."','".$rowl['id_com']."',0)";
$resultnoti=$conn->query($sqlnoti) or die($conn->error);
$rownoti=$conn->affected_rows;
$queryfoto="SELECT * FROM infocomplementar WHERE id_usuario='".$row['id']."'";
$resultfoto=$conn->query($queryfoto) or die($conn->error);
$rowfoto=mysqli_fetch_array($resultfoto);
$nome=$row['nome'];
$sobrenome=$row['sobrenome'];
$diretorioperfil="assets/usuarios/fotoperfil/";
$id_publi=$publicacao;
include "../../comentarios.php";
}
Can someone help me find a solution ?
Take Else out of the front of the if la at the beginning and put a key lock at the end of the code.
– Luis Alberto Batista
The fact that he has Else is due to that is the post.php, where the post is made of various types of content, but only in this quie
– Pedro Cordista
Try to trade
$comentario=$_POST['comentario'];for$comentario = addslashes($_POST['comentario']);, This will make the text escape... If it doesn’t work, tryhtml_entities($_POST['comentario'])– edson alves