Can I use htmlentities() in an SQL query?
Much thanks for the discussion my original question generated. I took Jay's suggestion to use bind_param(), but there is something I don't understand about it that may be giving me the Server Error: "The website encountered an error while retrieving...". I don't know what the parameter 'sssd' that came with the example means.

Any suggestions as to what is generating the Server Error are much appreciated.

```php
<?php
$mysqli = new mysqli('my-database-address', 'my-username', 'my-password', 'my-database-name');
f (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
$stmt = $mysqli->prepare("INSERT INTO volunteers VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param('sssd', $first_name, $last_name, $street_address, $apt_unit, $city, $zip, $email, $phone, $planning, $signatures, $canvassing, $phone_bank, $media, $press_releases, $volunteer_coordinator, $speaker, $house_parties, $web_page, $other, $skills, $organizations);
$first_name = '$_POST[first_name]';
$last_name = '$_POST[last_name]';
$street_address = '$_POST[street_address]';
$apt_unit = '$_POST[apt_unit]';
$city = '$_POST[city]';
$zip = '$_POST[zip]';
$email = '$_POST[email]';
$phone = '$_POST[phone]';
$planning = '$_POST[planning]';
$signatures = '$_POST[signatures]';
$canvassing = '$_POST[canvassing]';
$phone_bank = '$_POST[phone_bank]';
$media = '$_POST[media]';
$press_releases = '$_POST[press_releases]';
$volunteer_coordinator = '$_POST[volunteer_coordinator]';
$speaker = '$_POST[speaker]';
$house_parties = '$_POST[house_parties]';
$web_page = '$_POST[web_page]';
$other = '$_POST[other]';
$skills = '$_POST[skills]';
$organizations = '$_POST[organizations]';
$stmt->execute();
$stmt->close();
echo "<br /><br />";
echo "<div class='center-col-wrap'>";
echo "Your information has been received.";
echo "<br /><br />";
echo "Thank you for volunteering!";
echo "<br />";
echo "Your help in this effort to bring greater democracy to Oakland";
echo "<br />";
echo "will go a long way to create a healthy and informed community.";
echo "<br />";
echo "<br /><br />";
echo "<a href='http://communitydemocracyproject.org/'>Return to CDP Home Page.</a>";
echo "</div>";
$mysqli->close();
?>
```

MY ORIGINAL QUESTION IS BELOW:

I didn't know if this would work or not. It does not. So how can I use `htmlentities()` here?

Any help is much appreciated.

```php
$sql = "INSERT INTO volunteers (first_name, last_name, street_address, apt_unit, city, zip, email, phone, planning, signatures, canvassing, phone_bank, media, press_releases, volunteer_coordinator, speaker, house_parties, web_page, other, skills, organizations) VALUES ('htmlentities($_POST[first_name])', 'htmlentities($_POST[last_name])', 'htmlentities($_POST[street_address])', 'htmlentities($_POST[apt_unit])', 'htmlentities($_POST[city])', 'htmlentities($_POST[zip])', 'htmlentities($_POST[email])', 'htmlentities($_POST[phone])', '$_POST[planning]', '$_POST[signatures]', '$_POST[canvassing]', '$_POST[phone_bank]', '$_POST[media]', '$_POST[press_releases]', '$_POST[volunteer_coordinator]', '$_POST[speaker]', '$_POST[house_parties]', '$_POST[web_page]', '$_POST[other]', '$_POST[skills]', '$_POST[organizations]')";
```
 
