Insert single quotes from text area

[Call-911]

Hello all.

 

I have a textarea on a form that users are posting new's stories into. Most are just copy/pasteing from Word, and they need to be able to include single quotes.

(ie: John's favorite store is Micky's)

 

I can't figure out how to make the single quotes (') into double quotes ('') so MSSQL will insert them in.

 

Any help? Here's my process code:

 

<?php
$title = $_POST['title'];
$district = $_POST['district'];
$central = $_POST['central'];
$east = $_POST['east'];
$north = $_POST['north'];
$west = $_POST['west'];
$story = $_POST['story'];
$date = date("l, M j, Y");
$sqlpicturename = "$picturename.jpg";
$showpicture = $_POST['showpicture'];




//declare the SQL statement that will query the database
$query = 
"
INSERT INTO News (district, central, east, north, west, date, title, story, picture, 

showpicture, show)

Values ('$district' , '$central', '$east' , '$north', '$west' , '$date', '$title' , 

'$story', '$sqlpicturename' , '$showpicture' , 'true')

";

//execute the SQL query and return records
$result = mssql_query($query);



//display the results 

echo "Thank You For Posting Your Story:<b> $title </b><br /><br /><a 

href='addstory.php'>Click Here To Add Another Story</a><br /><br /><a href='index.php'>Click 

Here To Go Back To The WebEdit Menu</a>";
echo "<br /><br />";

mssql_close();

?>

[Valakai]

Wrap your variables with addslashes(), which will escape the quotes and allow MSSQL to store them.

[Pikachu2000]

Single quotes aren't escaped with a slash in MSSQL, they're escaped with another single quote.

[Valakai]

Whoops thats MySQL. 

[Call-911]

So what do I do?

[Pikachu2000]

You still wouldn't use addslashes(), you'd use mysql_real_escape_string()/mysqli_real_escape_string().

[Call-911]

Except this is MS SQL, not mySQL

 

:-)

[Valakai]

Well one solution would be to use str_replace like this

 

$text = str_replace('\'', '\'\'', $text)

 

Though I doubt that would be a foolproof solution.

 

--

 

Gah, need to sleep soon, making too many mistakes.

[Pikachu2000]

Except this is MS SQL, not mySQL

 

:-)

 

We posted at the same time. The post re: using mysql_real_escape_string() was to dispel any confusion about addslashes.

[Call-911]

Well one solution would be to use str_replace like this

 

$text = str_replace('\'', '\'\'', $text)

 

Though I doubt that would be a foolproof solution.

 

--

 

Gah, need to sleep soon, making too many mistakes.

 

 

THAT WAS IT! :-)

[Pikachu2000]

Since single quotes are escaped with another single quote, not escaped with slashes, or changed to a double quote, you can use str_replace to handle it. You should make sure magic_quotes_gpc() is off, or at least test for it, and if it's on run the data through stripslashes(). This can be wrapped into a function, if you want.

 

$data = "That isn't Dave's beach ball, it's Joe's."; // Test string
if( get_magic_quotes_gpc() ) {
$esc_data = str_replace("'", "''", stripslashes($data));
} else {
$esc_data = str_replace("'", "''", $data);
}
echo "<br>Before: $data<br>After: $esc_data"; // Demo results.