I've been experimenting with mysql_real_escape_string() and found that it deletes all content in a field. Where I had $message = ($_POST['message']); in the PHP file that processes a form, I got an entry in the database, but when I edited the form PHP to $message = mysql_real_escape_string($_POST['message']); it sent the form data to the database with all the other fields, but the message field was empty. It did this whether I used Tizag.com's example of ' OR 1' inside ', which is supposed to be escaped, or when I just entered normal text.
Probably the easiest way to do it would be to add a variable to the url on the view page: view.php?

As I can't get my host to update my MySQL today, I've looked for an alternative. I've just added this into your page: $lastname = stripslashes($lastname); after $lastname = mysql_real_escape_string(htmlspecialchars($_POST['lastname'])); and it works to keep " or ' in the database text without the \ and shows " and ' in a web page without the \, but I wonder if it has disabled the escape and therefore left me open to SQL injection!!

For example, you'll not only need to make sure it's a numeric value, but also that the number isn't negative and that it won't try to display results that aren't in the database (for example, what if the id value is "3", meaning that the query would show results 30-40, but there are only 20 records in the database table?). I am considering turning this tutorial into a video tutorial, so perhaps I'll look into adding this feature if/when I do that.

To anyone who is interested, I am going to do a video tutorial on this topic that should explain how I go about this a little better than the code I have provided. I may also do a separate non-Killer Sites version showing some of the basics of Code Igniter as well... Code Igniter is a PHP framework and from what I've seen, it is pretty good.
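As an added example (not code from the thread or from the Killer Sites tutorial), the two patterns discussed above side by side: escaping followed by stripslashes(), which puts the quotes back into the SQL text, and a PDO prepared statement, which stores the same input verbatim without either call. It assumes the pdo_sqlite extension so an in-memory SQLite table can stand in for the MySQL table, and mysql_style_escape() is a hypothetical helper that reproduces the backslash escaping of mysql_real_escape_string(), since the real function needs a live MySQL connection.

```php
<?php
// Added example, not from the thread. mysql_real_escape_string() needs an open
// MySQL connection (without one it returns false, which is stored as an empty
// string), so this hypothetical helper applies the same backslash escaping.
function mysql_style_escape(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\n" => "\\n", "\r" => "\\r", "\0" => "\\0", "\x1a" => "\\Z",
    ]);
}

$input = "' OR 1'";   // constructed sample input, the one tried in the thread

// Pattern from the thread: escape, then stripslashes() to get rid of the
// backslashes. stripslashes() removes the backslash in front of every quote,
// so the string that ends up inside the SQL is the raw user input again.
$escaped  = mysql_style_escape($input);
$reverted = stripslashes($escaped);
echo "escaped:  $escaped\n";
echo "reverted: $reverted\n";
echo 'escaping undone: ', var_export($reverted === $input, true), "\n";

// Fix: bind the raw value as a parameter. No escaping and no stripslashes();
// the quotes are data, never SQL, and the stored text has no backslashes.
// An in-memory SQLite table stands in for the MySQL table so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, message TEXT)');

$stmt = $pdo->prepare('INSERT INTO contacts (message) VALUES (:message)');
$stmt->execute([':message' => $input]);

$stored = $pdo->query('SELECT message FROM contacts')->fetchColumn();
echo 'stored verbatim: ', var_export($stored === $input, true), "\n";

// Escape for HTML when displaying, not when storing: the database keeps the
// real characters and each output context gets its own encoding.
echo 'for the web page: ', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

With the bound parameter the stored value contains no backslashes, so neither stripslashes() on the way in nor on the way out is needed; htmlspecialchars() is applied only where the text is rendered.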