jbis2k Posted May 30, 2011

Good morning to all: I began using PHP, well, yesterday. I invested 8 hrs searching via Google and found many good samples to use as a test bed. I learned that one of the problems to exist with PHP is the apostrophe. I have set up a test form at www.datasafe.biz/WA for anyone who may wish to help me with this. The problem, as you may have guessed, is with the use of the " ' " in any field, period. For my test purposes, I entered a comment in the notes field and input an apostrophe. I submitted my form to a PHP script which looks as follows:

```php
<?php
// Insert cleaning code here
function cleanQuery($string)
{
    $newstring = mysql_real_escape_string($string);
    return $newstring;
}

$con = mysql_connect($host,$username,$password); //Using preset variables
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}

// connect to database code
@mysql_select_db($database,$con) or die("Unable to select database");

//Check if field set and then clean it
if (isset($_POST['BuyerSeller'])) $BuyerSeller = cleanQuery($_POST['BuyerSeller']);
if (isset($_POST['Make'])) $Make = cleanQuery($_POST['Make']);
if (isset($_POST['Model'])) $Model = cleanQuery($_POST['Model']);
if (isset($_POST['Year'])) $Year = cleanQuery($_POST['Year']);
if (isset($_POST['MinPrice'])) $MinPrice = cleanQuery($_POST['MinPrice']);
if (isset($_POST['MaxPrice'])) $MaxPrice = cleanQuery($_POST['MaxPrice']);
if (isset($_POST['POC'])) $POC = cleanQuery($_POST['POC']);
if (isset($_POST['POCPhone'])) $POCPhone = cleanQuery($_POST['POCPhone']);
if (isset($_POST['POCEmail'])) $POCEmail = cleanQuery($_POST['POCEmail']);
if (isset($_POST['Notes'])) $Notes = cleanQuery($_POST['Notes']);
// End cleaning code here

//Get ready to query and insert into database table
$sql="INSERT INTO Autos (DateCreated,Make,Model,Year,MinPrice,MaxPrice,POC,POCPhone,POCEmail,BuyerSeller,Notes) VALUES
(curdate(),'$_POST[Make]','$_POST[Model]','$_POST[Year]','$_POST[MinPrice]','$_POST[MaxPrice]','$_POST[POC]','$_POST[POCPhone]','$_POST[POCEmail]','$_POST[buyerSeller]','$_POST[Notes]')";

if (!mysql_query($sql,$con))
{
    die('Error: ' . mysql_error());
}
echo "1 record added";

mysql_close($con);
?>
```

This code I found at various places on the net via Google. It works mostly except for when the, you know, is used. I tried other suggestions posted by others who had a similar problem, all to no avail. This is what is returned as an error:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't it?')' at line 1

PFMaBiSmAd Posted May 30, 2011

The variables you are assigning the form data to in your code ($BuyerSeller, $Make, ...) are not the variables you are putting into the query statement. You are putting the original $_POST variables into the query statement.
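
The mismatch described in the answer above, as an added example that is not part of the original posts: the raw form value is spliced into the SQL text and fails on the apostrophe, then the same value is inserted through bound parameters. It goes one step past the thread's fix (using the escaped variables) by switching to PDO prepared statements, so there is no escaped copy to forget. Assumptions: an in-memory SQLite database stands in for the poster's MySQL server, the Autos table is cut down to three columns, and the form input is constructed.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with an in-memory
// SQLite database replaces the MySQL server so the script runs offline, and
// the table keeps only three of the original columns.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Autos (Make TEXT, Model TEXT, Notes TEXT)');

// Constructed form input; the Notes value carries the apostrophe that broke
// the original INSERT.
$post = [
    'Make'  => 'Ford',
    'Model' => 'Focus',
    'Notes' => "Nice car, isn't it?",
];

// What the original script did: the raw value becomes part of the SQL text,
// so the apostrophe closes the string literal early and the rest of the note
// is parsed as SQL.
$broken = "INSERT INTO Autos (Make, Model, Notes) VALUES "
        . "('{$post['Make']}', '{$post['Model']}', '{$post['Notes']}')";
try {
    $pdo->exec($broken);
    echo "raw query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "raw query rejected: ", $e->getMessage(), "\n";
}

// Bound parameters: the statement text is fixed and the values travel
// separately, so they are always treated as data, never as SQL.
$stmt = $pdo->prepare(
    'INSERT INTO Autos (Make, Model, Notes) VALUES (:make, :model, :notes)'
);
$stmt->execute([
    ':make'  => $post['Make'],
    ':model' => $post['Model'],
    ':notes' => $post['Notes'],
]);

// Read the row back to confirm the note was stored unchanged.
$stored = $pdo->query('SELECT Notes FROM Autos')->fetchColumn();
echo "stored notes: ", $stored, "\n";
```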

jbis2k Posted May 30, 2011 (Author)

Yes!! Thank you for the prompt reply of earlier today btw. I got so busy trying to solve this issue that I did not log into my account here until just now. I figured out only twenty minutes ago exactly what you just told me here. Cheers!