ryanwood4 Posted November 23, 2009

Hi, I am using a form to submit articles to a database, but when I add an apostrophe (') in the title it doesn't add the data, however without an apostrophe it does.

This is the code I'm using:

```php
<?php
// Connects to your Database
mysql_connect("localhost","xxxx","xxxx") or die(mysql_error()); //CHANGE ME BACK!!!!!
mysql_select_db("xxxx") or die(mysql_error());

//This code runs if the form has been submitted
if (isset($_POST['submit'])) {
    $date = date("y-m-d H:i:s");

    // now we insert it into the database
    $insert = "INSERT INTO members (title,body,image,category,date) VALUES ('$_POST[title]','$_POST[body]','$_POST[image]','$_POST[category]','$date')";
    $add_member = mysql_query($insert);
?>
<p>Congrats!</p>
<?php
}
else
{
?>
```

How can I get around this problem? I heard about this: mysql_real_escape_string - but have no idea how to implement it in the code.

Would really appreciate some help. Thanks in advance.

trq Posted November 23, 2009

You need to validate and escape all data before using it within a database query. Escaping can be done with mysql_real_escape_string.

ryanwood4 (Author) Posted November 23, 2009

How do I do this? I'm new to PHP (learning slowly) and only discovered this 'mysql_real_escape_string()' today. The only input which is causing problems is the 'title' input - how do I go about implementing the mysql_real_escape_string?

Thanks

mraza Posted November 23, 2009

```php
// now we insert it into the database
$insert = "INSERT INTO members (title,body,image,category,date) VALUES ('$_POST[title]','$_POST[body]','$_POST[image]','$_POST[category]','$date')";
$add_member = mysql_query($insert);
```

something like this:

```php
$insert = sprintf("INSERT INTO members set title = '%s' , body = '%s', image = '%s', category = '%s', date = NOW() ",
    mysql_real_escape_string($_POST[title]),
    mysql_real_escape_string($_POST[body]),
    mysql_real_escape_string($_POST[image]),
    mysql_real_escape_string($_POST[category]),
    mysql_real_escape_string($date]) );
```

Edit: if you want to add the current date you can do it with date = NOW(),

trq Posted November 23, 2009

That should be....

```php
$insert = sprintf("INSERT INTO members set title = '%s' , body = '%s', image = '%s', category = '%s', date = '%s' ",
    mysql_real_escape_string($_POST['title']),
    mysql_real_escape_string($_POST['body']),
    mysql_real_escape_string($_POST['image']),
    mysql_real_escape_string($_POST['category']));
```

ryanwood4 (Author) Posted November 23, 2009

That's not adding anything to the database now, even without apostrophes.

mraza Posted November 23, 2009

Can you post your code now that you have edited and tried it?

ryanwood4 (Author) Posted November 23, 2009

This is the new code, which didn't work though.

```php
<?php
// Connects to your Database
mysql_connect("localhost","xxxx","xxxx") or die(mysql_error()); //CHANGE ME BACK!!!!!
mysql_select_db("xxxx") or die(mysql_error());

//This code runs if the form has been submitted
if (isset($_POST['submit'])) {
    $date = date("y-m-d H:i:s");

    // now we insert it into the database
    insert = sprintf("INSERT INTO members set title = '%s' , body = '%s', image = '%s', category = '%s', date = '%s' ",
        mysql_real_escape_string($_POST['title']),
        mysql_real_escape_string($_POST['body']),
        mysql_real_escape_string($_POST['image']),
        mysql_real_escape_string($_POST['category']));
?>
<p>Congrats!</p>
<?php
}
else
{
?>
```

mraza Posted November 23, 2009

Are you missing something?

```php
$add_member = mysql_query($insert);
```

and change this:

```php
insert = sprintf("INSERT INTO members set
```

to this:

```php
$insert = sprintf("INSERT INTO members set
```

```php
$insert = sprintf("INSERT INTO members set title = '%s' , body = '%s', image = '%s', category = '%s', date = '%s' ",
    mysql_real_escape_string($_POST[title]),
    mysql_real_escape_string($_POST[body]),
    mysql_real_escape_string($_POST[image]),
    mysql_real_escape_string($_POST[category]),
    mysql_real_escape_string($date]) );
```

ryanwood4 (Author) Posted November 23, 2009

Nope, that's not working either:

```php
<?php
// Connects to your Database
mysql_connect("localhost","xxxx","xxxx") or die(mysql_error()); //CHANGE ME BACK!!!!!
mysql_select_db("xxxx") or die(mysql_error());

//This code runs if the form has been submitted
if (isset($_POST['submit'])) {
    $date = date("y-m-d H:i:s");

    // now we insert it into the database
    $insert = sprintf("INSERT INTO members set title = '%s' , body = '%s', image = '%s', category = '%s', date = '%s' ",
        mysql_real_escape_string($_POST['title']),
        mysql_real_escape_string($_POST['body']),
        mysql_real_escape_string($_POST['image']),
        mysql_real_escape_string($_POST['category']));
    $add_member = mysql_query($insert);
?>
<p>Article posted</p>
<?php
}
else
{
?>
```

mraza Posted November 23, 2009

Try this:

```php
<?php
// Connects to your Database
mysql_connect("localhost","xxxx","xxxx") or die(mysql_error()); //CHANGE ME BACK!!!!!
mysql_select_db("xxxx") or die(mysql_error());

//This code runs if the form has been submitted
if (isset($_POST['submit'])) {
    $date = date("y-m-d H:i:s");
    $insert = sprintf("INSERT INTO members set title = '%s' , body = '%s', image = '%s', category = '%s', date = '%s' ",
        mysql_real_escape_string($_POST['title']),
        mysql_real_escape_string($_POST['body']),
        mysql_real_escape_string($_POST['image']),
        mysql_real_escape_string($_POST['category']),
        mysql_real_escape_string($date]) );
    $add_member = mysql_query($insert) or die(mysql_error());
?>
<p>Article posted</p>
<?php
}
else
{
?>
```

ryanwood4 (Author) Posted November 23, 2009

Nope, nothing is displaying on the page now. This is a harder to solve problem than I thought.
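
Added example, not code from any poster in this thread: the same five-column INSERT written with PDO prepared statements, so the values are bound separately from the SQL text and an apostrophe in the title needs no manual escaping. It assumes the PDO SQLite driver so that it runs without a database server; the column types, the sample input and the `add_article` helper are hypothetical.

```php
<?php
// Added example, not code from the thread. In-memory SQLite keeps it runnable
// without a server; with a mysql: DSN the prepare/execute calls are the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // surface errors

// Same column names as the thread's members table; the types are assumed.
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, title TEXT,
    body TEXT, image TEXT, category TEXT, date TEXT)');

// Hypothetical helper: values are bound, never spliced into the SQL text, so
// an apostrophe is stored as data and cannot terminate the string literal.
function add_article(PDO $pdo, array $post): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO members (title, body, image, category, date)
         VALUES (:title, :body, :image, :category, :date)'
    );
    // Each value is paired with its placeholder by name, unlike the positional
    // %s list in the thread's sprintf() calls (four values for five %s).
    $stmt->execute([
        ':title'    => $post['title'] ?? '',
        ':body'     => $post['body'] ?? '',
        ':image'    => $post['image'] ?? '',
        ':category' => $post['category'] ?? '',
        ':date'     => date('Y-m-d H:i:s'),
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input standing in for $_POST.
$post = [
    'title'    => "Editor's pick: what's new",
    'body'     => "Quotes ' and \" and a backslash \\ survive unchanged.",
    'image'    => 'pick.jpg',
    'category' => "readers' choice",
];
$id = add_article($pdo, $post);

// Read the row back and confirm every quoted value was stored byte for byte.
$check = $pdo->prepare('SELECT title, body, category FROM members WHERE id = ?');
$check->execute([$id]);
$row = $check->fetch(PDO::FETCH_ASSOC);
foreach (['title', 'body', 'category'] as $col) {
    printf("%-8s %s\n", $col, $row[$col] === $post[$col] ? 'round-trips' : 'MISMATCH');
}
```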