07-23-07, 08:42 PM   #5
evilghost
Registered User
 
Join Date: Jul 2005
Posts: 3,606
Default Re: Save coding to database

Two things, and I'm not being critical, but rather trying to be helpful.

1) From a security perspective, never, never trust user input. In this case you need to be sure to escape the MySQL input or you'll end up with a fatal SQL injection vulnerability. Use the function mysql_real_escape_string().

2) \r\n is injected by a multi-line textarea; because you're writing it out on another page, you need to convert \r\n to an HTML <br> tag or use the <pre> HTML entity to have it treat \r\n properly.

What I think you should do:

Change:
Code:
$headline=$_POST['headline'];
To:
Code:
$headline=mysql_real_escape_string(str_replace("\r\n","<BR>",$_POST['headline']));
Understand I'm not being critical one bit, but with respect to #1, I can't pound that into your head enough. I'm always glad to help in any way I can; welcome to NVNews.
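The two points in the post, worked end to end as an added example (this is not the poster's code, nor from the original thread). It assumes a table named `news` with `headline` and `body` columns and the bundled `pdo_sqlite` extension, using an in-memory SQLite database so it runs offline with no MySQL server. Because mysql_real_escape_string() needs a live MySQL connection and the whole mysql_* extension was removed in PHP 7.0, the safe path uses a PDO prepared statement instead, which keeps the value out of the SQL grammar entirely and so covers point #1 without any escaping. For point #2 it stores the raw text and converts \r\n to <br> at render time, after HTML-encoding, rather than rewriting the value before it is stored.

```php
<?php
// Added example, not from the original post. Assumes table `news`
// (headline, body) and the pdo_sqlite extension; no MySQL server needed.
declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, headline TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// The pattern the post warns about: form input concatenated straight into SQL.
function insert_unsafe(PDO $db, string $headline, string $body): void
{
    $sql = "INSERT INTO news (headline, body) VALUES ('$headline', '$body')";
    $db->exec($sql);
}

// Hardened: a prepared statement sends the values separately from the query
// text, so a quote or comment marker in the input is just data.
function insert_safe(PDO $db, string $headline, string $body): void
{
    $stmt = $db->prepare('INSERT INTO news (headline, body) VALUES (:headline, :body)');
    $stmt->execute([':headline' => $headline, ':body' => $body]);
}

function last_row(PDO $db): array
{
    return $db->query('SELECT headline, body FROM news ORDER BY id DESC LIMIT 1')
              ->fetch(PDO::FETCH_ASSOC);
}

// Point #2 at output time: HTML-encode the stored text first, then turn the
// textarea's \r\n into <br />. Encoding before nl2br() means user-supplied
// markup is shown literally while the <br /> we insert is kept.
function render_html(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Constructed inputs standing in for $_POST['headline'] and $_POST['body'].
// The "--" starts an SQL comment, so the unsafe query ends early and the
// attacker supplies the body column themselves, whatever the form sent.
$attackerHeadline = "x', 'attacker-controlled body') -- ";
$realBody         = 'real body from the form';

$db = open_db();

insert_unsafe($db, $attackerHeadline, $realBody);
echo "unsafe insert stored: ";
var_export(last_row($db));
echo PHP_EOL;

insert_safe($db, $attackerHeadline, $realBody);
echo "safe insert stored:   ";
var_export(last_row($db));
echo PHP_EOL;

// Rendering a multi-line textarea value that also contains markup.
echo render_html("Tom & Jerry <b>\r\nsecond line"), PHP_EOL;
```

Run it with `php example.php`. The unsafe insert stores a headline of just `x` and a body chosen by the attacker, while the prepared statement stores the exact bytes that were submitted. The rendered line shows the ampersand and angle brackets as entities with a `<br />` in place of the line break, which is why the encoding has to happen before, not after, the newline conversion.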