Apostrophe issue when inserting into MySQL



I have a script where I submit some fields that get entered into a MySQL database. When I submit it, it goes through successfully but never gets inserted into the database if one of the fields has an apostrophe. What can I modify to get this to work?







if ($_POST) {
    $name    = trim($_POST['your_name']);
    $email   = trim($_POST['your_email']);
    $answers = $_POST['answers'];

    // Count the answers that are non-empty after trimming.
    $i = 0;
    foreach ($answers as $a) {
        if (trim($a))
            $i++;
    }

    if ($name && $email && $i >= 40) {
        // Map each field's label to the submitted answer for that field's ID.
        $array = array();
        $q = mysql_query("select * from fields");
        while ($f = mysql_fetch_array($q))
            $array[$f['label']] = $answers[$f['ID']];

        $array = serialize($array);
        $time  = time();
        $ip    = $_SERVER['REMOTE_ADDR'];
        $token = md5($time);

        // The values are interpolated straight into the SQL text, so an apostrophe
        // in $name or $email ends the string literal early and the query fails;
        // mysql_query() then returns false and nothing is stored.
        $result = mysql_query("insert into data (submit_name, submit_email, submit_data, submit_confirm, submit_time, submit_ip, submit_token)
            values ('$name', '$email', '$array', '0', '$time', '$ip', '$token')");
    }
}




Comments

  1. You need to escape characters with special meaning in MySQL in your data.

    The quick and dirty way to improve your code would be to pass all your strings through mysql_real_escape_string before inserting them into your string of SQL.

    The better approach would be to switch away from mysql_query to something that allows the use of bound parameters (preferably with prepared statements).

  2. Use mysql_real_escape_string(), as this will both fix your apostrophe issue and at least partly help avoid SQL injection attacks. If you don't want to get your hands dirty with PHP's built-in PDO library, you might consider a Database Abstraction Layer (DBAL). ADODB is an example.

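Both comments point the same way: either escape every value before splicing it into the SQL string, or (better) use bound parameters with prepared statements. The example below is added here and is not the asker's code or either commenter's; it rewrites the insert from the question with PDO prepared statements, and it also shows the SQL text the original string interpolation produces for a name containing an apostrophe, so the cause of the silent failure is visible. The DSN, database credentials and the sample name and e-mail are placeholders; the table and column names are the ones from the question. Note that the `mysql_*` functions the question uses were removed in PHP 7, so the PDO form is the one that still runs on a current PHP.

```php
<?php
// Added example (not the asker's code): the question's insert rewritten with
// PDO prepared statements. An apostrophe in $name or $email is sent to MySQL
// as data and never becomes part of the SQL text.
declare(strict_types=1);

// Builds the INSERT the way the original script does, by interpolating raw
// values into the SQL. Returned only so the breakage can be inspected; never
// send the result of this function to a database.
function buildNaiveInsert(string $name, string $email): string
{
    return "insert into data (submit_name, submit_email) values ('$name', '$email')";
}

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=example;charset=utf8mb4'; // placeholder DSN
    return new PDO($dsn, 'db_user', 'db_password', [               // placeholder credentials
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,  // throw instead of silently returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                   // server-side prepares: values never touch the SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Inserts one submission; $answers is the label => answer map the original
// script serializes into submit_data. Returns the token that was stored.
function insertSubmission(PDO $pdo, string $name, string $email, array $answers): string
{
    $time  = time();
    $token = md5((string) $time);

    $stmt = $pdo->prepare(
        'INSERT INTO data
            (submit_name, submit_email, submit_data, submit_confirm, submit_time, submit_ip, submit_token)
         VALUES
            (:name, :email, :data, 0, :time, :ip, :token)'
    );
    // Each placeholder is bound to a value; quoting and escaping are the driver's job.
    $stmt->execute([
        ':name'  => $name,
        ':email' => $email,
        ':data'  => serialize($answers),
        ':time'  => $time,
        ':ip'    => $_SERVER['REMOTE_ADDR'] ?? '',
        ':token' => $token,
    ]);
    return $token;
}

// Constructed input: the kind of value that makes the original insert fail.
$name  = "Conor O'Brien";
$email = "o'brien@example.com";

// With interpolation the apostrophe terminates the string literal early:
//   insert into data (submit_name, submit_email) values ('Conor O'Brien', 'o'brien@example.com')
// MySQL rejects that as a syntax error, mysql_query() returns false, and the
// original script never checks $result, which is why the form "goes through"
// yet nothing is stored.
echo buildNaiveInsert($name, $email), PHP_EOL;

// With a prepared statement the same values are stored verbatim.
$pdo   = connect();
$token = insertSubmission($pdo, $name, $email, ['q1' => "it's fine"]);
echo "stored with token $token", PHP_EOL;
```

The `ATTR_EMULATE_PREPARES => false` setting matters: with emulation on, PDO quotes the values client-side and splices them into the query text itself, which is still safe but depends on the connection charset being set correctly (hence `charset=utf8mb4` in the DSN). With it off, the statement and its parameters travel to the server separately.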


Thanks in advance. I did look at the other questions/answers that were similar and didn't find exactly what I was looking for. I'm trying to do this, am I on the right path? echo " <div id='tabs-".$match."'> <textarea id='".$match."' name='".$match."'>". if ($COLUMN_NAME === $match) { echo $FIELD_WITH_COLUMN_NAME; } else { } ."</textarea> <script type='text/javascript'> CKEDITOR.replace( '".$match."' ); </script> </div>"; I am getting the following error message in the browser: Parse error: syntax error, unexpected T_IF Please let me know if this is the right way to go about nesting an IF statement inside an echo. Thank you.