This question already has an answer here:
- How can I prevent SQL injection in PHP? 28 answers
I have a script that enables artists to edit their profile. One thing is proving to be a problem. I cannot how to sanitize what the user has entered. Everytime a ' is put in the data is not shown as it cuts the php short.
Here is my form for bio:
username = $_SESSION['username'];
$pass = $_SESSION['password'];
include ("../database.php");
$result = mysql_query("SELECT * FROM members WHERE username='$username' AND password='$pass' AND artist='Y'");
while($row = mysql_fetch_array($result)){
echo '<div id="artistsbio"><form action="phpscripts/artistupdate.php" method="post">
<textarea name="bio" rows="10" cols="80" name="bio" value="'. $row['bio']. '" class="bio">'. $row['bio']. '</textarea><br>
<div id="probwarn"><t1>Everything is still in the beta stage so there are bound to be a few problems. If you spot one please <a href="mailto:artists@newbornsounds.co.uk"><b>tell us about it.</b></a></t1></div>
</div>';
Here is the script that uploads to database;
$username = $_SESSION['username'];
$pass = $_SESSION['password'];
$artistname = $_POST['artistname'];
$bio = $_POST['bio'];
include ("../database.php");
mysql_query("UPDATE members SET bio='$bio', artistname ='$artistname'
WHERE username='$username' AND password='$pass' AND artist='Y'");
$artisturl = mysql_query("SELECT * FROM members
WHERE username='$username' AND password='$pass' AND artist='Y'");
while($row = mysql_fetch_array($artisturl)){
if (isset($_POST['submit'])) {header("location:../artists/artist.php? artist=".$row['artistname']."");}
}
}
else echo'<p1>You must be an artist to use these features.</p1>';
Yes, I am aware i need to upgrade to mysqli and I am aware I need to use prepared statements. Need to sort this out first though.
</div>
