I am using mysqli to insert a text value into a record, but if there is an ampersand in the textbox anything following the ampersand gets cut off. This isn’t obvious, of course, until trying to retrieve the text to view it.
I found to today the mysqli:real_escape_string() doesn’t do anything with ampersands. How can I avoid losing my data?
Dont escape input, use parameterized queries
This is a very simple answer, however the data type isn’t known up front. From what I see, when binding the parameters we must specify the data type. This person could have been updating an integer or a double or a string. Without rewriting much of my web site to include a data type specifier with each data field, I have no way of knowing what is being sent to the server.
So, is there something I can do right now in my database class to resolve the ampersand issue?
Ah, another limitation of mysqli then. With pdo that isnt an issue as you dont have to specify type. Will try to look into it