' <-- Need help



Shibby-Shabs
09-11-2010, 10:35 AM
Ok so I've got a simple page editor:

$update = mysql_query("UPDATE pages SET body='$_POST[content]' WHERE id='$_GET[id]'") or die(mysql_error());
die("<b>The page has successfully been updated!</b>");
but if, in the text area where you edit, I put a " or ', it gives me an error that says this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'll' WHERE id='1'' at line 1

Obviously it's the ' in the MySQL query, but how do I prevent it?

BTW: it has 'll' 'cos for the example I wrote ya'll.

Johno
09-11-2010, 08:50 PM
http://php.net/manual/en/function.mysql-real-escape-string.php
http://www.php.net/manual/en/function.addslashes.php
http://www.php.net/manual/en/function.stripslashes.php

Have a look through those, it should help :)


// escape the user-supplied values before they are placed in the query string,
// not the result of mysql_query()
$content = mysql_real_escape_string($_POST['content']);
$id = mysql_real_escape_string($_GET['id']);
$update = mysql_query("UPDATE pages SET body='$content' WHERE id='$id'") or die(mysql_error());
die("<b>The page has successfully been updated!</b>");

You really should be sanitising your data input too, which is why this is happening. Another few good things to pick up on are:

http://php.net/manual/en/function.htmlspecialchars.php
http://www.php.net/manual/en/function.htmlspecialchars-decode.php
http://www.php.net/manual/en/function.strip-tags.php

Dentafrice
09-11-2010, 09:24 PM
<?php

$id = mysql_real_escape_string($_GET['id']); // gets the ID from the page. blah.php?id=1

// This below will check to make sure the page actually exists in the database... //
$check_id = mysql_num_rows(mysql_query("SELECT * FROM `pages` WHERE `id`='$id' LIMIT 0,1"));

if(!$check_id) {
exit("Page does not exist."); // page doesn't exist.
}

$content = mysql_real_escape_string($_POST['content']);

$update = mysql_query("UPDATE `pages` SET `body`='$content' WHERE `id`='$id'") or die(mysql_error());

echo "<strong>The page has been updated successfully!</strong>";

?>
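The same page update done with a prepared statement, as an added example that is not from any poster in this thread: the quote in the content is passed as a bound parameter rather than spliced into the SQL text, so nothing needs escaping and nothing can be forgotten. It uses an in-memory SQLite database through PDO so it runs stand-alone; the `pages` table, its one row, and the `updatePage` function are constructed for the example, and the DSN would be replaced by a MySQL one in real use.

```php
<?php
// Added example: parameterised version of the thread's page editor.
// Uses in-memory SQLite so it runs without a server; a real deployment
// would use a DSN such as "mysql:host=...;dbname=..." (placeholder).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and row standing in for the poster's `pages` table.
$db->exec("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)");
$db->exec("INSERT INTO pages (id, body) VALUES (1, 'old text')");

function updatePage(PDO $db, $rawId, $rawContent)
{
    // Validate the id as an integer before it goes anywhere near the query.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 'Invalid page id.';
    }

    // Confirm the page exists (the same check Dentafrice does), via a placeholder.
    $check = $db->prepare('SELECT COUNT(*) FROM pages WHERE id = :id');
    $check->execute([':id' => $id]);
    if ((int) $check->fetchColumn() === 0) {
        return 'Page does not exist.';
    }

    // Bound parameters: the driver keeps SQL and data separate, so a quote
    // in the content is stored as a quote instead of ending the string literal.
    $update = $db->prepare('UPDATE pages SET body = :body WHERE id = :id');
    $update->execute([':body' => $rawContent, ':id' => $id]);

    return 'The page has successfully been updated!';
}

// Constructed inputs standing in for $_GET['id'] and $_POST['content'];
// the content contains the apostrophe that broke the original query.
echo updatePage($db, '1', "ya'll"), "\n";
echo updatePage($db, '99', 'anything'), "\n";
echo updatePage($db, '1 OR 1=1', 'anything'), "\n";

// Read the row back to show the stored body kept the quote intact.
$stmt = $db->prepare('SELECT body FROM pages WHERE id = :id');
$stmt->execute([':id' => 1]);
echo $stmt->fetchColumn(), "\n";
```

The third call shows why the id is validated as an integer rather than only escaped: a non-numeric id is rejected before any query is built.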
