The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Home Forums Back End PHP Quotes Within MYSQL results Reply To: PHP Quotes Within MYSQL results


I think this is how mysql injections happen.

Same idea, but different arena: this is HTML injection (better known as XSS (Cross-Site Scripting)).*

* side note: it’s not PHP that is doing the “interpreting,” here. PHP just prints it. After that, we’re worried about how the browser interprets it.

You need to encode the quotes, so they are displayed as quotes (and not interpreted as delimiters). Read up on htmlspecialchars, particularly the usage of the various flags.