jbis2k Posted May 30, 2011

Good morning to all:

I began using PHP, well, yesterday. I invested 8 hrs searching via Google and found many good samples to use as a test bed. I learned that one of the problems to exist with PHP is the apostrophe. I have set up a test form at www.datasafe.biz/WA for anyone who may wish to help me with this.

The problem, as you may have guessed, is with the use of the " ' " in any field, period. For my test purposes, I entered a comment in the notes field and input an apostrophe. I submitted my form to a PHP script which looks as follows:

    <?php
    // Insert cleaning code here
    function cleanQuery($string) {
        $newstring = mysql_real_escape_string($string);
        return $newstring;
    }

    $con = mysql_connect($host,$username,$password); //Using preset variables
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }

    // connect to database code
    @mysql_select_db($database,$con) or die("Unable to select database");

    //Check if field set and then clean it
    if (isset($_POST['BuyerSeller'])) $BuyerSeller = cleanQuery($_POST['BuyerSeller']);
    if (isset($_POST['Make'])) $Make = cleanQuery($_POST['Make']);
    if (isset($_POST['Model'])) $Model = cleanQuery($_POST['Model']);
    if (isset($_POST['Year'])) $Year = cleanQuery($_POST['Year']);
    if (isset($_POST['MinPrice'])) $MinPrice = cleanQuery($_POST['MinPrice']);
    if (isset($_POST['MaxPrice'])) $MaxPrice = cleanQuery($_POST['MaxPrice']);
    if (isset($_POST['POC'])) $POC = cleanQuery($_POST['POC']);
    if (isset($_POST['POCPhone'])) $POCPhone = cleanQuery($_POST['POCPhone']);
    if (isset($_POST['POCEmail'])) $POCEmail = cleanQuery($_POST['POCEmail']);
    if (isset($_POST['Notes'])) $Notes = cleanQuery($_POST['Notes']);
    // End cleaning code here

    //Get ready to query and insert into database table
    $sql="INSERT INTO Autos (DateCreated,Make,Model,Year,MinPrice,MaxPrice,POC,POCPhone,POCEmail,BuyerSeller,Notes) VALUES
    (curdate(),'$_POST[Make]','$_POST[Model]','$_POST[Year]','$_POST[MinPrice]','$_POST[MaxPrice]','$_POST[POC]','$_POST[POCPhone]','$_POST[POCEmail]','$_POST[buyerSeller]','$_POST[Notes]')";

    if (!mysql_query($sql,$con)) {
        die('Error: ' . mysql_error());
    }
    echo "1 record added";

    mysql_close($con);
    ?>

This code I found at various places on the net via Google. It works mostly, except for when the, you know, is used. I tried other suggestions posted by others who had a similar problem, all to no avail. This is what is returned as an error:

    Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't it?')' at line 1

https://forums.phpfreaks.com/topic/237890-new-php-user-with-php-problems/
PFMaBiSmAd Posted May 30, 2011

The variables you are assigning the form data to in your code ($BuyerSeller, $Make, ...) are not the variables you are putting into the query statement. You are putting the original $_POST variables into the query statement.
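The answer above pins down why the escaping had no effect: the cleaned copies were never the ones spliced into the SQL string. As an added example (not the poster's or the replier's code), here is the same INSERT written with a mysqli prepared statement, where the apostrophe in Notes is sent as a bound value and never becomes part of the SQL text, so there is no escaped copy to lose track of. It assumes the thread's connection variables ($host, $username, $password, $database) and the Autos table with the column list from the original query; the mysql_* functions used in the thread were removed in PHP 7, which is why mysqli is used here.

```php
<?php
// Added example, not code from the thread: the thread's INSERT rewritten with
// a prepared statement. $host, $username, $password and $database are assumed
// to be preset exactly as in the original script.
$con = new mysqli($host, $username, $password, $database);
if ($con->connect_error) {
    die('Could not connect: ' . $con->connect_error);
}

// Read each form field exactly once; a missing field is stored as ''.
// The order here must match the placeholder order in the SQL below.
$fields = ['Make', 'Model', 'Year', 'MinPrice', 'MaxPrice',
           'POC', 'POCPhone', 'POCEmail', 'BuyerSeller', 'Notes'];
$values = [];
foreach ($fields as $f) {
    $values[] = isset($_POST[$f]) ? $_POST[$f] : '';
}

// '?' placeholders replace the interpolated $_POST[...] values from the
// original query. The SQL text is fixed; only the data varies, so a quote
// character in any field cannot terminate the string literal.
$sql = "INSERT INTO Autos (DateCreated, Make, Model, Year, MinPrice, MaxPrice,
                           POC, POCPhone, POCEmail, BuyerSeller, Notes)
        VALUES (CURDATE(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
$stmt = $con->prepare($sql);
if (!$stmt) {
    die('Prepare failed: ' . $con->error);
}

// Bind all ten values as strings ('s' per placeholder); MySQL converts them
// for the numeric columns on insert. Argument unpacking needs PHP 5.6+.
$stmt->bind_param(str_repeat('s', count($values)), ...$values);
if (!$stmt->execute()) {
    die('Error: ' . $stmt->error);
}
echo "1 record added";

$stmt->close();
$con->close();
?>
```

With this form a Notes value such as "isn't it?" is inserted verbatim and the "near 't it?')'" syntax error from the first post does not occur, because the database parses the statement before it ever sees the field contents.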
jbis2k (Author) Posted May 30, 2011

Yes!! Thank you for the prompt reply of earlier today, btw. I got so busy trying to solve this issue that I did not log into my account here until just now. I figured out only twenty minutes ago exactly what you just told me here. Cheers!
This topic is now archived and is closed to further replies.