tmyonline Posted May 8, 2008

Guys: I have a problem writing messages to the database whenever my message contains " ' ". For example, if my message contains he's, he'll, I'm, we're, ..., it fails to write the message to the database. How do I resolve this apostrophe problem? Thanks.
Psycho Posted May 8, 2008

mysql_real_escape_string()
The Little Guy Posted May 8, 2008

<?php
// Escape the user-supplied value, then drop it into the query with sprintf().
$query = sprintf("SELECT * FROM myTable WHERE c1 = '%s'",
                 mysql_real_escape_string($_POST['c1']));
$sql = mysql_query($query);
?>

For every %s it makes a new function spot in the sprintf function. There is more than just %s: http://php.net/sprintf
Fadion Posted May 8, 2008

This guy must be pretty new to PHP and MySQL, so the above post should be confusing. Just use mysql_real_escape_string() when inserting a variable into the database and stripslashes() when retrieving it, to remove the added slashes (escaped characters).
tmyonline (Author) Posted May 8, 2008

Thank you all. Your help is very helpful. Things are working now. Many thanks again.
discomatt Posted May 8, 2008

> This guy must be pretty new to PHP and MySQL, so the above post should be confusing. Just use mysql_real_escape_string() when inserting a variable into the database and stripslashes() when retrieving it, to remove the added slashes (escaped characters).

With mysql_real_escape_string there should be no slashes to remove on returned data. If magic_quotes is turned on, though, there will be.

I like to use a modified mysql_real_escape_string... it's nice not having to type out that stupidly long function name anyway.

function mysql_sanitize($input)
{
    // If magic_quotes_gpc is on, PHP has already added slashes to GET/POST/COOKIE
    // data; strip them so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $input = stripslashes($input);
    }

    // Numbers contain nothing that needs escaping; escape everything else.
    if (!is_numeric($input)) {
        $input = mysql_real_escape_string($input);
    }

    return $input;
}

Then just call

$query = 'SELECT `row` FROM `table` WHERE `c1` = \'' . mysql_sanitize($_POST['c1']) . '\'';

Also note, you shouldn't have to escape anything you are hashing.
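As an added example (not code from anyone in this thread), here is the same apostrophe problem shown three ways with PDO, the API that replaces the mysql_* functions (removed in PHP 7.0). It assumes the pdo_sqlite driver and uses an in-memory SQLite database so it runs offline; SQLite doubles an apostrophe where MySQL backslash-escapes it, which is exactly why escaping has to come from the driver for the database actually in use rather than from a hand-written replacement.

```php
<?php
// Added example: apostrophes in user input, handled three ways with PDO.
// Assumption: pdo_sqlite is available; an in-memory SQLite database stands in
// for MySQL so the script runs without a server.

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// 1. Naive concatenation. The apostrophe in "he's" terminates the string
//    literal early, so the statement fails to parse. The same hole lets an
//    attacker rewrite the statement instead of just breaking it.
//    Returns the number of rows inserted, or null when the SQL did not parse.
function insertNaive(PDO $pdo, string $body): ?int
{
    try {
        return $pdo->exec("INSERT INTO messages (body) VALUES ('" . $body . "')");
    } catch (PDOException $e) {
        return null;
    }
}

// 2. Driver-side escaping. PDO::quote() is the PDO counterpart of
//    mysql_real_escape_string() (it also adds the surrounding quotes), and it
//    applies the rules of the connected driver: '' here, \' on MySQL.
function insertQuoted(PDO $pdo, string $body): void
{
    $pdo->exec('INSERT INTO messages (body) VALUES (' . $pdo->quote($body) . ')');
}

// 3. Prepared statement. The value never becomes part of the SQL text, so
//    there is nothing to escape going in and nothing to strip coming out.
function insertPrepared(PDO $pdo, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

function fetchBodies(PDO $pdo): array
{
    return $pdo->query('SELECT body FROM messages ORDER BY id')
               ->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = openDb();

// Constructed inputs: two ordinary contractions and one injection payload
// that turns a single-row INSERT into a two-row one.
$messages = ["he's here", "I'm sure we're fine", "x'), ('injected row"];

foreach ($messages as $m) {
    $n = insertNaive($pdo, $m);
    printf("naive   : %-22s -> %s\n", $m,
           $n === null ? 'FAILED (syntax error)' : "$n row(s) inserted");
    insertQuoted($pdo, $m);
    insertPrepared($pdo, $m);
}

// Rows come back exactly as submitted: the escaping only ever existed inside
// the SQL text, so no stripslashes() is needed on the way out.
foreach (fetchBodies($pdo) as $row) {
    echo "stored  : $row\n";
}
```

The first two naive inserts fail with a syntax error, which is the symptom from the original question; the third one succeeds and reports two rows inserted, which is the injection. The quoted and prepared versions store each string exactly once and exactly as typed. Of the three, the prepared statement is the one to use: it removes the escaping step entirely instead of making it correct, so there is no magic_quotes double-escaping to undo and no is_numeric special case to get wrong.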
Psycho Posted May 8, 2008

> I like to use a modified mysql_real_escape_string... it's nice not having to type out that stupidly long function name anyway.

Just curious, what's the purpose of checking for a numeric value? mysql_real_escape_string() won't do anything to a number anyway, does it?
psychowolvesbane Posted May 8, 2008

> Just curious, what's the purpose of checking for a numeric value? mysql_real_escape_string() won't do anything to a number anyway, does it?

Perhaps he just uses it on all his inputs just in case.