Failing_Solutions Posted December 29, 2011

onlinegamekey.com/MTGT-Auction.php is the page I'm working on. The problem I'm having is that cards with an apostrophe in the name break the operation. I am populating the Select Box with the Card Names and those are coming in fine; it's not until I try to use the select value to get that specific card data that I have an issue.

This query specifically:

    $quer2=mysql_query("SELECT * FROM auctions WHERE Card_Name ='$cards' Order By Price_Per") or die;

I've tried

    $quer2=mysql_query("SELECT * FROM auctions WHERE Card_Name =" . htmlspecialchars($cards) . " Order By Price_Per") or die;

but then I get no data for any card.

Here is the page code I'm working with.

    <?php
    $cards = $_POST['cards'];
    //SELECTING DATA FOR THE DROPDOWN
    $sql = "Select Card_Name From auctions Group BY Card_Name ASC" or die;
    $result = mysql_query($sql);
    ?>
    <script type="text/javascript">
    <!--
    var optList;
    var optsValue = new Array();
    var optsText = new Array();

    //when the page loads get the original options values and text and store them in arrays
    window.onload = function() {
        optList = document.getElementsByTagName("option");
        for(var i=0; i<optList.length; i++) {
            optsValue[i] = optList[i].value;
            optsText[i] = optList[i].text.toLowerCase();
        }
    }

    function searchSel(txtSearch) {
        //clear all the current options
        document.getElementById("items").options.length = 0;
        var count = 0;
        for(var i=0; i < optsValue.length; i=i+1) {
            if(optsText[i].indexOf(txtSearch.toLowerCase()) == 0) {
                //match found
                //add this option to the select list options
                var newOpt = new Option(optsValue[i],optsText[i],false,false);
                document.getElementById("items").options[count] = newOpt;
                count = count+1;
            }
        }
    }

    function reload(form) {
        var f1 = document.forms['f1']
        var val=f1.cards.options[f1.cards.options.selectedIndex].value;
        self.location='MTGT-Auction.php?card=' + val ;
    }
    //-->
    </script>
    <style type="text/css">
    body { background-color:#000000; }
    .row-one {
        background-color: #666666;
        font-family: Arial, Helvetica, sans-serif;
        font-size:12px;
        font-weight: bold;
        line-height: 17px;
        color:#CCFF33;
    }
    .row-two {
        background-color: #333333;
        font-family: Arial, Helvetica, sans-serif;
        font-size:12px;
        font-weight: bold;
        line-height: 17px;
        color: #FF0;
    }
    .th {
        background-color:#000000;
        font-family:Arial, Helvetica, sans-serif;
        font-size:14px;
        font-weight:bold;
        color:#CC0000;
        padding: 2;
    }
    </style>
    <!-- CREATE FORM & SELECT BOX -->
    <form method="post" name="f1" action="MTGT-Auction.php">
    <select name="cards" id="items">
    <option value='0'>Select...</option>
    <?php
    while ($row=mysql_fetch_array($result)) {
        if ($row['Card_Name']==@$cards) {
            echo "<option selected value='$row[Card_Name]'>$row[Card_Name]</option>";
        } else {
            echo "<option value='$row[Card_Name]'>$row[Card_Name]</option>";
        }
    }
    ?>
    </select>
    <br />
    <input type="text" id="txt" value="Card Name?" onfocus="this.value==this.defaultValue?this.value='' :null" onkeyup="searchSel(this.value);" style="color:#000000; font:Arial; font-size:12px; background-color:#e1e1e1;" />
    <BR />
    <input type="submit" value="Submit" name="submit" />
    <input type=button onClick="location.href='MTGT-Auction.php'" value='Reset' />
    </form>
    <!-- CREATE TABLE WHERE DATA GOES -->
    <table border="1" bordercolor="#000000">
    <tr align="center">
    <th class="th">Auction ID</th>
    <th class="th">Card Name</th>
    <th class="th">Cards Per Auction</th>
    <th class="th">Auction Price</th>
    <th class="th">Cost Per Card</th>
    <th class="th">Date Listed</th>
    <th class="th">Seller Name</th>
    </tr>
    <?php
    //GET DATA FOR TABLE BASED ON SELECTED CARD & LOOP THROUGH
    $quer2=mysql_query("SELECT * FROM auctions WHERE Card_Name ='$cards' Order By Price_Per") or die;
    $i =1;
    WHILE($row = mysql_fetch_array($quer2)) {
        if ($i%2 !=0)
            $rowColor = "class='row-one'";
        else
            $rowColor = "class='row-two'";
        echo "<tr $rowColor>" .
            "<td>" . $row['Auction_ID'] .
            "</td><td>" . $row['Card_Name'] .
            "</td><td>" . $row['Qty_Listed'] .
            "</td><td>" . $row['Price'] .
            "</td><td>" . $row['Price_Per'] .
            "</td><td>" . $row['Date'] .
            "</td><td>" . $row['seller'] .
            "</td></tr>";
        $i++;
    }
    //}
    ?>
    <?php
    //QUICK CHECK IS OUR VARIABLE SET???
    echo "<font color=\"#FFFFFF\">". $cards . "</font>";
    ?>
    </table>

I imagine this is probably a very common problem & easy fix that has been answered many times, but I haven't found anything that worked for me, so any help... or links to similar issues would really be appreciated.

Thank you,

Maq Posted December 29, 2011

    $cards = mysql_real_escape_string($_POST['cards']);

Failing_Solutions (Author) Posted December 29, 2011

Wow, just re-looking at my post I took a guess: I was using ' in my Select box option values. Just changed them to \" and that fixed the issue...

Maq Posted December 29, 2011

> Wow, just re-looking at my post I took a guess: I was using ' in my Select box option values. Just changed them to \" and that fixed the issue...

Yep, that's what mysql_real_escape_string does. You should be calling that on any data that comes near your database.

Failing_Solutions (Author) Posted December 29, 2011

> > Wow, just re-looking at my post I took a guess: I was using ' in my Select box option values. Just changed them to \" and that fixed the issue...
>
> Yep, that's what mysql_real_escape_string does. You should be calling that on any data that comes near your database.

As in when the data is written to the database? Or coming from it? Or both? Right now I'm uploading data via phpMyAdmin but do plan on having the site parse flat dump files.
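
Added example (not part of the thread and not any poster's code): the card lookup with the name bound as a query parameter, and the option values HTML-encoded with ENT_QUOTES, so an apostrophe or a double quote in a card name breaks neither the SQL nor the markup. Assumptions: PDO with an in-memory SQLite database stands in for the thread's MySQL table so the script runs offline, the rows are constructed sample data, and the helper names findAuctions and optionTag are hypothetical.

```php
<?php
// Added example. SQLite in memory stands in for the thread's MySQL "auctions" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auctions (Auction_ID INTEGER, Card_Name TEXT, Price_Per REAL)');

// Constructed sample rows: one name contains an apostrophe, one contains double quotes.
$seed = $db->prepare('INSERT INTO auctions VALUES (?, ?, ?)');
foreach ([[1, "Akroma's Vengeance", 2.50], [2, "Akroma's Vengeance", 1.75],
          [3, 'Kongming, "Sleeping Dragon"', 9.00], [4, 'Shock', 0.10]] as $r) {
    $seed->execute($r);
}

// SQL context: the card name is bound as a parameter and never spliced into the SQL text.
// (hypothetical helper name)
function findAuctions(PDO $db, string $card): array
{
    $stmt = $db->prepare('SELECT * FROM auctions WHERE Card_Name = :card ORDER BY Price_Per');
    $stmt->execute([':card' => $card]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HTML context: ENT_QUOTES encodes both ' and ", so the value attribute cannot be cut short
// by a quote in the name. The browser decodes the entities before submitting the form.
// (hypothetical helper name)
function optionTag(string $name, string $selected): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $sel  = ($name === $selected) ? ' selected' : '';
    return "<option value=\"$safe\"$sel>$safe</option>";
}

$posted = "Akroma's Vengeance";   // what $_POST['cards'] would hold after the form is submitted

// Build the dropdown from the distinct card names.
foreach ($db->query('SELECT Card_Name FROM auctions GROUP BY Card_Name ORDER BY Card_Name') as $row) {
    echo optionTag($row['Card_Name'], $posted), "\n";
}

// Fetch the listings for the selected card, cheapest per card first.
foreach (findAuctions($db, $posted) as $row) {
    printf("%d  %s  %.2f\n", $row['Auction_ID'], $row['Card_Name'], $row['Price_Per']);
}
```

The value is stored and queried in its raw form; encoding is applied only at the point where it is written into another language (SQL text or HTML), using the rule for that language.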