The code below takes a string and protects it using mysqli_real_escape_string, but I am not getting the expected output. It works fine without mysqli_real_escape_string, but I need that for protection.
$str = mysqli_real_escape_string($con,$_POST['str']);
/*
get each word in the sentence using for-loop then
*/
switch($eachword){
case ':)': $eachword = '<img src="smile.gif">';
break;
/*
and so forth and so on
*/
}
$newstr .= $eachword;
//for-loop ends
mysqli_query($con,"insert into tbl(comment)VALUES($newstr)");
e.g.
input : $str = "here i am :) fine";
expected output : $newstr="here i am <img src="smile.gif"> fine";
current output : $newstr="here i am :) fine";
UPDATE
NOW everything works fine. Thanks to supporters.
UPDATED
Note that you must already be connected to a database for mysqli_real_escape_string to work, because it takes into consideration the default character set of your selected database. Are you connecting to a database before using it?
And in your question, I don't even see a query. There will be no advantage in using mysqli_real_escape_string
unless you're going to insert the passed string into a database.
Now I see that you're replacing smileys with a tag, then you're inserting it into a database. However, if I were you, I would do the following:
function ParseSmiley($str)
{
    $smileys = array(
        ':)' => "<img src='smile.gif' />" //Put all your smileys in this array
    );
    $parsed_string = strtr($str, $smileys);
    return $parsed_string;
}
When you're inserting your content into database, do not convert it into tags. Instead, when you display it, use the function ParseSmiley().
$parsed_string = mysqli_real_escape_string($con,$_POST['str']);
// The escaped value must be wrapped in quotes inside the SQL statement
mysqli_query($con,"INSERT INTO tbl (comment) VALUES ('$parsed_string')");
Then when you want to display the content, let's say the string is in $content, display it like this:
echo ParseSmiley($content);
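An added example (not part of the original answer) of the store-raw, convert-on-display approach above: the insert binds the comment as a parameter instead of escaping it by hand, and the display path HTML-escapes the stored text before substituting smileys. store_comment(), render_comment(), grin.gif and the ':>' entry are hypothetical; tbl, comment and smile.gif come from the page.

```php
<?php
// Added example, not the answer author's code. Helper names are hypothetical.

// Store the raw comment. A bound parameter needs no manual escaping or quoting.
function store_comment(mysqli $con, string $comment): bool
{
    $stmt = $con->prepare('INSERT INTO tbl (comment) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $comment);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Render at display time: HTML-escape the stored text first, then swap in
// the smiley images, so only the <img> tags from this map reach the page.
function render_comment(string $raw): string
{
    $smileys = array(
        ':)' => '<img src="smile.gif" alt=":)">',
        ':>' => '<img src="grin.gif" alt=":&gt;">', // constructed entry
    );
    // Escape the keys the same way as the text, or ':>' would never match
    // once the comment's '>' has become '&gt;'.
    $map = array();
    foreach ($smileys as $code => $img) {
        $map[htmlspecialchars($code, ENT_QUOTES, 'UTF-8')] = $img;
    }
    $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    return strtr($safe, $map);
}

// Constructed sample input that also contains user-supplied markup.
$content = 'here i am :) fine <b>bold</b> :>';
echo render_comment($content), "\n";
```

The demo line only exercises render_comment(), so it runs without a database; store_comment() needs an open mysqli connection.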