ryanwood4 Posted November 23, 2009

Hi,

I am using a form to submit articles to a database, but when I add an apostrophe (') in the title it doesn't add the data, however without an apostrophe it does.

This is the code I'm using:

```php
<?php
// Connects to your Database
mysql_connect("localhost","xxxx","xxxx") or die(mysql_error()); //CHANGE ME BACK!!!!!
mysql_select_db("xxxx") or die(mysql_error());

//This code runs if the form has been submitted
if (isset($_POST['submit'])) {
    $date = date("y-m-d H:i:s");

    // now we insert it into the database
    $insert = "INSERT INTO members (title,body,image,category,date) VALUES ('$_POST[title]','$_POST[body]','$_POST[image]','$_POST[category]','$date')";
    $add_member = mysql_query($insert);
?>
<p>Congrats!</p>
<?php
} else {
?>
```

How can I get around this problem? I heard about this: mysql_real_escape_string - but have no idea how to implement it in the code.

Would really appreciate some help. Thanks in advance.

https://forums.phpfreaks.com/topic/182560-getting-around-apostrophe-problem-in-forms-help-please/

trq Posted November 23, 2009

You need to validate and escape all data before using it within a database query. Escaping can be done with mysql_real_escape_string.

ryanwood4 (Author) Posted November 23, 2009

How do I do this? I'm new to PHP (learning slowly) and only discovered this 'mysql_real_escape_string()' today.

The only input which is causing problems is the 'title' input - how do I go about implementing the mysql_real_escape_string?

Thanks

mraza Posted November 23, 2009

```php
// now we insert it into the database
$insert = "INSERT INTO members (title,body,image,category,date) VALUES ('$_POST[title]','$_POST[body]','$_POST[image]','$_POST[category]','$date')";
$add_member = mysql_query($insert);
```

Something like this:

```php
$insert = sprintf("INSERT INTO members set title = '%s' , body = '%s', image = '%s', category = '%s', date = NOW() ",
    mysql_real_escape_string($_POST[title]),
    mysql_real_escape_string($_POST[body]),
    mysql_real_escape_string($_POST[image]),
    mysql_real_escape_string($_POST[category]),
    mysql_real_escape_string($date]) );
```

Edit: if you want to add the current date, you can do it with date = NOW().

trq Posted November 23, 2009

That should be....

```php
$insert = sprintf("INSERT INTO members set title = '%s' , body = '%s', image = '%s', category = '%s', date = '%s' ",
    mysql_real_escape_string($_POST['title']),
    mysql_real_escape_string($_POST['body']),
    mysql_real_escape_string($_POST['image']),
    mysql_real_escape_string($_POST['category']));
```

ryanwood4 (Author) Posted November 23, 2009

That's not adding anything to the database now, even without apostrophes.

mraza Posted November 23, 2009

Can you post the code you edited and tried?

ryanwood4 (Author) Posted November 23, 2009

This is the new code, which didn't work though.

```php
<?php
// Connects to your Database
mysql_connect("localhost","xxxx","xxxx") or die(mysql_error()); //CHANGE ME BACK!!!!!
mysql_select_db("xxxx") or die(mysql_error());

//This code runs if the form has been submitted
if (isset($_POST['submit'])) {
    $date = date("y-m-d H:i:s");

    // now we insert it into the database
    insert = sprintf("INSERT INTO members set title = '%s' , body = '%s', image = '%s', category = '%s', date = '%s' ",
        mysql_real_escape_string($_POST['title']),
        mysql_real_escape_string($_POST['body']),
        mysql_real_escape_string($_POST['image']),
        mysql_real_escape_string($_POST['category']));
?>
<p>Congrats!</p>
<?php
} else {
?>
```

mraza Posted November 23, 2009

Are you missing something?

```php
$add_member = mysql_query($insert);
```

and change this:

```php
insert = sprintf("INSERT INTO members set
```

to this:

```php
$insert = sprintf("INSERT INTO members set
```

```php
$insert = sprintf("INSERT INTO members set title = '%s' , body = '%s', image = '%s', category = '%s', date = '%s' ",
    mysql_real_escape_string($_POST[title]),
    mysql_real_escape_string($_POST[body]),
    mysql_real_escape_string($_POST[image]),
    mysql_real_escape_string($_POST[category]),
    mysql_real_escape_string($date]) );
```

ryanwood4 (Author) Posted November 23, 2009

Nope, that's not working either:

```php
<?php
// Connects to your Database
mysql_connect("localhost","xxxx","xxxx") or die(mysql_error()); //CHANGE ME BACK!!!!!
mysql_select_db("xxxx") or die(mysql_error());

//This code runs if the form has been submitted
if (isset($_POST['submit'])) {
    $date = date("y-m-d H:i:s");

    // now we insert it into the database
    $insert = sprintf("INSERT INTO members set title = '%s' , body = '%s', image = '%s', category = '%s', date = '%s' ",
        mysql_real_escape_string($_POST['title']),
        mysql_real_escape_string($_POST['body']),
        mysql_real_escape_string($_POST['image']),
        mysql_real_escape_string($_POST['category']));
    $add_member = mysql_query($insert);
?>
<p>Article posted</p>
<?php
} else {
?>
```

mraza Posted November 23, 2009

Try this:

```php
<?php
// Connects to your Database
mysql_connect("localhost","xxxx","xxxx") or die(mysql_error()); //CHANGE ME BACK!!!!!
mysql_select_db("xxxx") or die(mysql_error());

//This code runs if the form has been submitted
if (isset($_POST['submit'])) {
    $date = date("y-m-d H:i:s");
    $insert = sprintf("INSERT INTO members set title = '%s' , body = '%s', image = '%s', category = '%s', date = '%s' ",
        mysql_real_escape_string($_POST['title']),
        mysql_real_escape_string($_POST['body']),
        mysql_real_escape_string($_POST['image']),
        mysql_real_escape_string($_POST['category']),
        mysql_real_escape_string($date]) );
    $add_member = mysql_query($insert) or die(mysql_error());
?>
<p>Article posted</p>
<?php
} else {
?>
```

ryanwood4 (Author) Posted November 23, 2009

Nope, nothing is displaying on the page now. This is a harder to solve problem than I thought.

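Added example, not code from any poster in this thread: the same insert written with a PDO prepared statement, so an apostrophe in the title is bound as data and cannot end the string literal early, and there is no `sprintf` placeholder count to keep in sync with the argument list (the five-`%s` format strings above are given four arguments). PDO is used here in place of the thread's `mysql_*` functions, which were removed in PHP 7. Assumptions: the `pdo_sqlite` extension, an in-memory SQLite database with a constructed `members` table, a hypothetical `save_article()` helper and constructed form input; against MySQL the connection line would use a `mysql:` DSN instead.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the thread's MySQL database (assumption, for offline use).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY,
    title TEXT, body TEXT, image TEXT, category TEXT, date TEXT)');

// Hypothetical helper: validate the form fields, then insert them with bound
// parameters. Returns the id of the new row.
function save_article(PDO $db, array $post): int
{
    $params = [':date' => date('Y-m-d H:i:s')];
    foreach (['title', 'body', 'image', 'category'] as $field) {
        // Validation: every field must be a non-empty string.
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            throw new InvalidArgumentException("Missing or invalid field: $field");
        }
        $params[":$field"] = $post[$field];
    }
    // Values are bound to named placeholders; none is pasted into the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO members (title, body, image, category, date)
         VALUES (:title, :body, :image, :category, :date)'
    );
    $stmt->execute($params); // throws PDOException on failure (ERRMODE_EXCEPTION)
    return (int) $db->lastInsertId();
}

// Constructed form input containing the apostrophes that broke the
// concatenated query in the first post.
$post = [
    'title'    => "Ryan's guide to the editor's desk",
    'body'     => "It's the author's \"first\" article",
    'image'    => 'cover.jpg',
    'category' => 'news',
];
$id = save_article($db, $post);

// Read the row back and compare it byte for byte with what was submitted.
$check = $db->prepare('SELECT title, body FROM members WHERE id = ?');
$check->execute([$id]);
$row = $check->fetch(PDO::FETCH_ASSOC);
var_dump($row['title'] === $post['title'], $row['body'] === $post['body']);
```
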
This topic is now archived and is closed to further replies.