
Single Quote and Special Character Question...


overlordofevil


Hey all,

 

I have a question, and it's probably a really simple thing to figure out, but I am drawing a blank on how to do it.

 

Basically, I am trying to use single quotes or special characters when inputting data into my db, but I get errors.

 

With the single quotes, if I put in a name like de'salla, or I use it in a contraction like it's, hers, etc., it will store in my db, but when I try to use the data in another string or query I always get an error with PHP, where it breaks on the single quote and won't continue to process the request.

 

So I have 2 variables:

 

$name = "De'salla";   // the value itself has to be quoted in PHP source
$reason = "Update for user $name";

 

When I go to insert the value $reason, the query will error out because the $name value has a single quote in it.

This is the basic issue, and I know you might need more info, but I am wondering whether there is a PHP function out there that I can use to correct this issue.

 

Thanks

Bill

Any strings you input into a database need to be escaped, meaning quotes and special characters get formatted to db-friendly values (i.e. " or ' become \" and \'). This is so:

 

- your code doesn't break
- people don't try to inject into your database (search for "form injection" for an example).

 

Here is what I do for all my queries:

 

// two columns, so two %s placeholders and two escaped arguments
// (mysql_real_escape_string() needs an open mysql_connect() link to know the connection charset)
$sql = sprintf("INSERT INTO table (string_a,string_b) VALUES ('%s','%s')", mysql_real_escape_string($string_a), mysql_real_escape_string($string_b));

 

Use sprintf to insert strings, ints, decimals etc. into your SQL string. Use mysql_real_escape_string on strings to escape any special characters.
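The failure from the question and the two ways out of it, side by side, as an added example that is not code from either poster. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the table name `audit`, the column names and the probe values are made up for the demonstration. PDO::quote() stands in for mysql_real_escape_string() here (it applies the driver's escaping and adds the surrounding quotes itself), and the prepared statement shows the approach that makes hand escaping unnecessary.

```php
<?php
// Added example, not from the original thread.
// Assumptions: PDO with the sqlite driver is available; table "audit" is invented.

$name   = "De'salla";
$reason = "Update for user $name";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE audit (id INTEGER PRIMARY KEY, name TEXT, reason TEXT)');

// 1. The broken way from the question: the raw value is pasted into the SQL text.
//    The literal becomes 'De'salla', so the quote inside the name ends the string
//    early and the rest is parsed as SQL. With a value chosen by an attacker
//    (e.g.  x', 'y'); DROP TABLE audit; --  ) that is SQL injection, not just an error.
$broken = "INSERT INTO audit (name, reason) VALUES ('$name', '$reason')";
try {
    $db->exec($broken);
} catch (PDOException $e) {
    echo "Unescaped query rejected: ", $e->getMessage(), "\n";
}

// 2. Escape each value before it goes into a literal. This is the sprintf +
//    escape pattern from the reply above; PDO::quote() does the escaping and
//    wraps the result in quotes, so the %s placeholders carry no quotes of their own.
$sql = sprintf(
    'INSERT INTO audit (name, reason) VALUES (%s, %s)',
    $db->quote($name),
    $db->quote($reason)
);
$db->exec($sql);

// 3. Preferred: a prepared statement. SQL text and values are sent separately,
//    so nothing in a value can change the shape of the query.
$stmt = $db->prepare('INSERT INTO audit (name, reason) VALUES (:name, :reason)');
$stmt->execute([':name' => $name, ':reason' => $reason]);

// A hostile value bound the same way is stored as plain data; the table survives.
$probe = "x', 'y'); DROP TABLE audit; --";
$stmt->execute([':name' => $probe, ':reason' => 'probe']);

// Escaping only protects the trip through the SQL parser. What is stored, and
// what comes back on SELECT, is the original text: De'salla with no backslash.
foreach ($db->query('SELECT name, reason FROM audit ORDER BY id') as $row) {
    echo $row['name'], ' | ', $row['reason'], "\n";
}
```

Run it with `php example.php`. The first statement fails, the next three rows insert cleanly, and the rows echoed at the end contain the quote characters exactly as the user typed them, which is also the answer to whether escaped data comes back with backslashes: it does not, because the escaping never reaches the stored value.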

 

 

Cool, sounds simple enough. :)

 

So, with the characters being escaped to make them db-friendly, if I do a query to fetch the same values and echo them on the screen, will they display correctly, or will I have the backslash in them?

 

I appreciate you guys explaining this to me; I just got confused by it. :)

 

Thanks again

Bill

Thank you both for the feedback and help.

 

I used the code example to help modify my code, and it made things work with no issues.

 

Just one other question: do special characters like & or % get taken care of by this function, or is there another one I need to use?

 

Thanks

Bill
