Instead of avoiding the < and >, you could convert them at the time of reading (remember that in the INSERT it is better to keep the original as it was written); then, when you use SELECT, the < and > will be converted to &lt; and &gt;, thus avoiding injecting HTML into the page while keeping the text as close as possible to what the author wrote.
Another thing: you should prevent not only the "injection" of HTML, but also the "injection" of MySQL (or syntax failures); use mysql_real_escape_string:
// escape the values before interpolating them into the query string
$autor_id = mysql_real_escape_string($_POST["autor_id"], $conexao);
$texto = mysql_real_escape_string($_POST["texto"], $conexao);
$query = "INSERT INTO `videos` ( `autor_id` , `texto`, `id` ) VALUES ('$autor_id', '$texto', '')";
mysql_query($query, $conexao);
When reading, use htmlspecialchars, example:
$query = 'SELECT autor_id, id, texto FROM `videos` LIMIT 30';
$consulta = mysql_query($query, $conexao);
while ($linha = mysql_fetch_assoc($consulta)) {
    // encode at output time so stored < and > cannot become HTML on the page
    echo 'texto: ', htmlspecialchars($linha['texto']), '<br>';
}
Old Mysql Api for PHP vs PDO and Mysqli
As has been said a few times on SOpt:
The PHP mysql_ API will be discontinued (this does not mean MySQL will be discontinued, only the PHP API), as it has been replaced by mysqli_*, so it is strongly recommended that you update your code to use either mysqli or PDO.
Advantages of mysqli
- Object-oriented interface
- Support for prepared statements
- Support for multiple statements
- Support for transactions
- Improved debugging capabilities
- Support for embedded server
Advantages of PDO
As was said by @Kazzkiq:
Perks:
- Works with 12 different database drivers (4D, MS SQL Server, Firebird/Interbase, MySQL, Oracle, ODBC/DB2, PostgreSQL, SQLite, Informix, IBM, CUBRID);
- Object-oriented API;
- Has named parameters;
- Has client-side prepared statements (see disadvantages below).
Disadvantages:
- Not as fast as MySQLi;
- By default, it emulates prepared statements (you can turn on the native version when setting up its connection to the database, but if the native version doesn't work for some reason, it falls back to the emulated prepared statements without raising errors or warnings. More details here).
Why update your codes
As I said in this reply, it is necessary to note that the mysql_ functions no longer receive updates such as fixes and improvements, and this is the vital point for you to stop using mysql_, because in the future it will cease to exist in new versions of PHP.
In other words, if you continue to use the mysql_ functions (without the i), two things can happen to your projects:
- There may be security gaps or bugs in the mysql_ API.
- When the mysql_ API is disabled, your scripts will stop working, which will cause you a lot of headache as you will have to redo a lot of code.
How to use mysqli with your code
The insertion can be like this:
// procedural mysqli takes the connection as the first argument
$autor_id = mysqli_real_escape_string($conexao, $_POST["autor_id"]);
$texto = mysqli_real_escape_string($conexao, $_POST["texto"]);
$query = "INSERT INTO `videos` ( `autor_id` , `texto`, `id` ) VALUES ('$autor_id', '$texto', '')";
mysqli_query($conexao, $query);
When reading, use htmlspecialchars, example:
$query = 'SELECT autor_id, id, texto FROM `videos` LIMIT 30';
$consulta = mysqli_query($conexao, $query);
while ($linha = mysqli_fetch_assoc($consulta)) {
    // encode at output time so stored < and > cannot become HTML on the page
    echo 'texto: ', htmlspecialchars($linha['texto']), '<br>';
}
However, you can use prepared statements, so you won't need mysqli_real_escape_string; example of data entry:
<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit;
}
$autor_id = $_POST["autor_id"];
$texto = $_POST["texto"];
if ($stmt = $mysqli->prepare("INSERT INTO `videos` ( `autor_id` , `texto`, `id` ) VALUES (?, ?, '')")) {
    // one bind_param call with one type character per placeholder: i = integer, s = string
    $stmt->bind_param('is', $autor_id, $texto);
    $stmt->execute();
    // an INSERT has no result set; affected_rows tells you whether the row was written
    printf("Rows inserted: %d\n", $stmt->affected_rows);
    $stmt->close();
}
$mysqli->close();
Documentation:
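The same insert and read done with PDO, with the emulated prepared statements mentioned above switched off so the server parses the query and the values travel separately. This is an added example, not code from the answer; the host, credentials, database name and the `videos` table (with `id` assumed auto-increment) are assumptions taken from the snippets above.

```php
<?php
// Added example (not from the original answer). Connection details are assumptions.
$dsn = 'mysql:host=localhost;dbname=world;charset=utf8mb4';
$pdo = new PDO($dsn, 'my_user', 'my_password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
    PDO::ATTR_EMULATE_PREPARES   => false,                  // native server-side prepares
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Validate input shape: autor_id must be an integer; texto is stored exactly as written.
$autor_id = filter_input(INPUT_POST, 'autor_id', FILTER_VALIDATE_INT);
$texto    = $_POST['texto'] ?? '';
if ($autor_id === false || $autor_id === null) {
    http_response_code(400);
    exit('autor_id must be an integer');
}

// INSERT: values are bound parameters, never concatenated into the SQL string,
// so quotes or SQL keywords inside $texto cannot change the statement.
$ins = $pdo->prepare('INSERT INTO `videos` (`autor_id`, `texto`) VALUES (:autor_id, :texto)');
$ins->bindValue(':autor_id', $autor_id, PDO::PARAM_INT);
$ins->bindValue(':texto', $texto, PDO::PARAM_STR);
$ins->execute();

// SELECT: with emulation off, LIMIT must be bound as an integer; bound as a
// string PDO would quote it and MySQL would reject the query.
$sel = $pdo->prepare('SELECT autor_id, id, texto FROM `videos` LIMIT :n');
$sel->bindValue(':n', 30, PDO::PARAM_INT);
$sel->execute();

// Output encoding happens only here, at render time: the stored text is untouched.
// ENT_QUOTES also escapes quotes, so the value is safe inside attributes, and
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
foreach ($sel as $linha) {
    echo 'texto: ', htmlspecialchars($linha['texto'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), '<br>';
}
```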
Could you help me with it?
– Paulo Cavalcante
If any answer helped you or solved your problem, vote for it and mark it as the correct answer; otherwise, give more details about what you tried and the results you got. Always voting and choosing the right answers is good practice and helps other users.
– user3603