webguync, posted June 24, 2008:

I am developing a form where people log in and fill out some checkboxes. The name and checkbox info is inserted into a MySQL DB. If someone has an apostrophe in their name, like O'Neil, this throws an error when they submit. I believe the apostrophe is causing the error. How can I apostrophe-proof the name field?

kenrbnsn, posted June 24, 2008:

You need to use the function mysql_real_escape_string() on all string values being inserted into the database.

Ken

webguync (author), posted June 24, 2008:

Thanks, I added the function here, but there is a syntax error somewhere. Also, can I just use the whole $insert instead of doing each field individually?

$insert = "INSERT INTO $check_table (`Assessor`,`AssessorID`,`EmpName`,`EmpID`, `Blocks`,`date_uploaded`)
    VALUES ('$Assessor','$Assessor_ID','$name','$emp_id', '$blocks', '$now')";
mysql_query($insert) or die(mysql_error()), mysql_real_escape_string($Assessor), mysql_real_escape_string($Assessor_ID));

kenrbnsn, posted June 24, 2008:

You need to use it on the variables being inserted:

<?php
$insert = "INSERT INTO $check_table (`Assessor`,`AssessorID`,`EmpName`,`EmpID`, `Blocks`,`date_uploaded`)
    VALUES ('" . mysql_real_escape_string($Assessor) . "','"
    . mysql_real_escape_string($Assessor_ID) . "','"
    . mysql_real_escape_string($name) . "','"
    . mysql_real_escape_string($emp_id) . "', '"
    . mysql_real_escape_string($blocks) . "', '"
    . mysql_real_escape_string($now) . "')";
$rs = mysql_query($insert) or die("Problem with the query: $insert<br>" . mysql_error());
?>

Ken

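An added example, not part of any post in this thread: the same INSERT written with PDO bound parameters instead of per-value escaping, with the table name checked against an allowlist because placeholders cannot bind identifiers such as $check_table. It runs against an in-memory SQLite database so it works offline; the table names, the ALLOWED_TABLES list, the insert_check() helper and the sample row are assumptions made for the example.

```php
<?php
// Added example: bound parameters for the thread's INSERT (constructed data).
// SQLite in memory is used so this runs offline; with MySQL only the DSN changes.

const ALLOWED_TABLES = ['checklist_2008', 'checklist_archive']; // hypothetical names

function insert_check(PDO $db, string $table, array $row): void
{
    // Placeholders cannot stand in for identifiers, so the table name is
    // compared with a fixed allowlist before it is interpolated.
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    $stmt = $db->prepare(
        "INSERT INTO $table
            (Assessor, AssessorID, EmpName, EmpID, Blocks, date_uploaded)
         VALUES (:assessor, :assessor_id, :name, :emp_id, :blocks, :now)"
    );
    // Values are sent separately from the SQL text, so quotes need no escaping.
    $stmt->execute($row);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE checklist_2008 (Assessor TEXT, AssessorID TEXT,
    EmpName TEXT, EmpID TEXT, Blocks TEXT, date_uploaded TEXT)');

// Constructed sample row: apostrophes, a double quote and a backslash.
insert_check($db, 'checklist_2008', [
    'assessor'    => "Sean O'Neil",
    'assessor_id' => 'A17',
    'name'        => 'Pat "D\'Arcy" \\ Smith',
    'emp_id'      => 'E42',
    'blocks'      => '1,3,5',
    'now'         => '2008-06-24 12:00:00',
]);

// The stored values come back byte for byte as they were submitted.
$stored = $db->query('SELECT Assessor, EmpName FROM checklist_2008')
             ->fetch(PDO::FETCH_NUM);
echo $stored[0], "\n", $stored[1], "\n";

// A table name outside the allowlist is rejected before any SQL is built.
try {
    insert_check($db, 'checklist_2008; --', []);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The mysql_* functions used in this thread were deprecated in PHP 5.5 and removed in PHP 7.0, so current code needs PDO or mysqli in any case.
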
waynew, posted June 24, 2008:

Ken's right. Anything that goes into your DB should first be cleaned up with that function, mysql_real_escape_string(). Otherwise errors will be the last thing you'll have to worry about.

webguync (author), posted June 24, 2008:

OK, I gotcha. I tested with some data including commas and everything seems to work now. Thanks!