ArizonaJohn Posted June 9, 2009

Hello,

The query below works if $find is just a regular word with no special characters, and it even works if $find has a "%" in it or a "&". However, it does not work if $find has an apostrophe in it. Any ideas on how I can change the code to make it work if $find has an apostrophe in it?

Thanks in advance,

John

<?
$find1 = urlencode($find);
print "<form action='process.php?find=$find1' method='post'>
  Add site: <input name='site' type='text' size='50'>
  <input type='submit' value='Submit'>
  </form>
";
?>

Then, on process.php, I have:

<?
$remove_array = array('http://www.', 'http://', 'www.');
$site = str_replace($remove_array, "", $_POST['site']);

mysql_connect("mysqlv10", "username", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

$_GET['find'] = $find;
$_GET['find'] = stripslashes($_GET['find']);
$find = urldecode($find);

mysql_query("INSERT INTO `$find` VALUES (NULL, '$site',1,0)");
?>

KevinM1 Posted June 9, 2009

http://www.php.net/manual/en/function.mysql-real-escape-string.php

ArizonaJohn Posted June 9, 2009 Author

I tried

<?
$remove_array = array('http://www.', 'http://', 'www.');
$site = str_replace($remove_array, "", $_POST['site']);

mysql_connect("mysqlv10", "username", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

$_GET['find'] = $find;
$_GET['find'] = stripslashes($_GET['find']);
$find = urldecode($find);
$find = mysql_real_escape_string($find);

mysql_query("INSERT INTO `$find` VALUES (NULL, '$site',1,0)");
?>

And it didn't work.

ted_chou12 Posted June 9, 2009

first, please add the tag, all black makes it harder to spot the error

second, instead of $_GET['find'] = $find; and $_GET['find'] = stripslashes($_GET['find']);, i think what u r trying to do is $find = stripslashes($_GET['find']);

Ted.

KevinM1 Posted June 9, 2009

> I tried
>
> <?
> $remove_array = array('http://www.', 'http://', 'www.');
> $site = str_replace($remove_array, "", $_POST['site']);
>
> mysql_connect("mysqlv10", "username", "password") or die(mysql_error());
> mysql_select_db("database") or die(mysql_error());
>
> $_GET['find'] = $find;
> $_GET['find'] = stripslashes($_GET['find']);
> $find = urldecode($find);
> $find = mysql_real_escape_string($find);
>
> mysql_query("INSERT INTO `$find` VALUES (NULL, '$site',1,0)");
> ?>
>
> And it didn't work.

Sorry...I thought your problem was with $site. And, ted's right with your variable assignment problems.

As an aside, rather than pass the db table name as an encoded query string, why not pass it as a hidden form field? That will remove the need to encode/decode it, as well as stop it from being immediately visible (and editable) in the user's address bar.

ArizonaJohn Posted June 10, 2009 Author

> As an aside, rather than pass the db table name as an encoded query string, why not pass it as a hidden form field? That will remove the need to encode/decode it, as well as stop it from being immediately visible (and editable) in the user's address bar.

To do that, could I use the code below?

[code=php:0]<?
print "<form action='process.php' method='post'>
  Add site: <input name='site' type='text' size='50'>
  <input type='submit' value='Submit'>
  <input type='hidden' value='$find'>
  </form>
";
?>
[/code]

ted_chou12 Posted June 10, 2009

> > As an aside, rather than pass the db table name as an encoded query string, why not pass it as a hidden form field? That will remove the need to encode/decode it, as well as stop it from being immediately visible (and editable) in the user's address bar.
>
> To do that, could I use the code below?
>
> [code=php:0]<?
> print "<form action='process.php' method='post'>
>   Add site: <input name='site' type='text' size='50'>
>   <input type='submit' value='Submit'>
>   <input type='hidden' value='$find'>
>   </form>
> ";
> ?>
> [/code]

yes that would work, except, if your $find variable is undefined, then the value would be empty, so make sure you have either defined the variable $find, or input the valid straight away like <input type='hidden' value='somedata' />

ps. ignore when u r using [code=php:0], so the code shows the colors
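
Added example, not code from any poster in this thread: `mysql_real_escape_string()` escapes values for string literals, not backtick-quoted identifiers, and a hidden input without a `name` attribute is not submitted, so this sketch allowlists and quotes the table name, binds `$site` as a parameter, and HTML-escapes `$find` in the form. It assumes PDO with an in-memory SQLite database standing in for the thread's MySQL server; the helper names, table names and column names are hypothetical.

```php
<?php
// Added example, not code from the thread. Helper names, table names,
// column names and the in-memory SQLite database are constructed.

// Quote an identifier MySQL-style: wrap in backticks, double any backtick inside.
function quote_identifier(string $name): string {
    return '`' . str_replace('`', '``', $name) . '`';
}

// Return the table name only if it is one the application created itself.
function resolve_table(string $requested, array $allowed): ?string {
    return in_array($requested, $allowed, true) ? $requested : null;
}

function add_site(PDO $db, array $allowed, string $find, string $site): bool {
    $table = resolve_table($find, $allowed);
    if ($table === null) {
        return false;                       // unknown table: refuse, run no SQL
    }
    $site = str_replace(['http://www.', 'http://', 'www.'], '', $site);
    // The identifier is allowlisted and quoted; the value is a bound parameter.
    $stmt = $db->prepare('INSERT INTO ' . quote_identifier($table) . ' VALUES (NULL, ?, 1, 0)');
    return $stmt->execute([$site]);
}

// Hidden field: it needs a name to be submitted, and ENT_QUOTES so an
// apostrophe in $find cannot close the single-quoted attribute.
function hidden_find_field(string $find): string {
    return "<input type='hidden' name='find' value='"
         . htmlspecialchars($find, ENT_QUOTES, 'UTF-8') . "'>";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$allowed = ["john's links", 'recipes'];     // constructed sample tables
foreach ($allowed as $t) {
    $db->exec('CREATE TABLE ' . quote_identifier($t)
            . ' (id INTEGER PRIMARY KEY, site TEXT, votes INT, flagged INT)');
}

var_dump(add_site($db, $allowed, "john's links", "http://www.o'reilly.com"));
var_dump(add_site($db, $allowed, 'no_such_table', 'example.com'));
echo hidden_find_field("john's links"), "\n";
```

A hidden field is still client-controlled input, which is why the table name is checked against the server-side list before any SQL is built.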