
Database Values with ' (apostrophes) breaking code


Failing_Solutions


onlinegamekey. com/MTGT-Auction.php is the page I'm working on.

 

The problem I'm having is that cards with an apostrophe in the name break the operation.

 

I am populating the Select Box with the Card Names and those are coming in fine; it's not until I try to use the select value to get that specific card's data that I have an issue.

This query specifically:

$quer2=mysql_query("SELECT * FROM auctions WHERE Card_Name ='$cards' Order By Price_Per") or die;

 

I've tried:

$quer2=mysql_query("SELECT * FROM auctions WHERE Card_Name =" . htmlspecialchars($cards) . " Order By Price_Per") or die;

but then I get no data for any card.

 

Here is the page code I'm working with.

 

<?php
$cards = $_POST['cards'];
//SELECTING DATA FOR THE DROPDOWN
$sql = "Select Card_Name From auctions Group BY Card_Name ASC";
$result = mysql_query($sql) or die(mysql_error());
?>
<script type="text/javascript">
<!--
var optList;
var optsValue = new Array();
var optsText = new Array();
//when the page loads get the original options values and text and store them in arrays
window.onload = function() {
optList = document.getElementsByTagName("option");
for(var i=0; i<optList.length; i++) {
     optsValue[i] = optList[i].value;
     optsText[i] = optList[i].text.toLowerCase();    
}    
}
function searchSel(txtSearch) {
//clear all the current options
document.getElementById("items").options.length = 0;
var count = 0;
for(var i=0; i < optsValue.length; i=i+1) {
    if(optsText[i].indexOf(txtSearch.toLowerCase()) == 0) {  //match found
         //add this option to the select list options
         var newOpt = new Option(optsValue[i],optsText[i],false,false);
         document.getElementById("items").options[count] = newOpt;
         count = count+1;
    }
    }
}
function reload(form)
{
var f1 = document.forms['f1']
var val=f1.cards.options[f1.cards.options.selectedIndex].value; 
self.location='MTGT-Auction.php?card=' + val ;
}
//-->
</script>
<style type="text/css">
body {
background-color:#000000;
}
.row-one {
    background-color: #666666;
    font-family: Arial, Helvetica, sans-serif;
font-size:12px;
font-weight: bold;
    line-height: 17px;
    color:#CCFF33;
}
.row-two {
    background-color: #333333;
    font-family: Arial, Helvetica, sans-serif;
font-size:12px;
font-weight: bold;
    line-height: 17px;
    color: #FF0;
}
.th {
background-color:#000000;
font-family:Arial, Helvetica, sans-serif;
font-size:14px;
font-weight:bold;
color:#CC0000;
padding: 2;
}
</style>
<!-- CREATE FORM & SELECT BOX -->
<form method="post" name="f1" action="MTGT-Auction.php">
    <select name="cards" id="items">
    <option value='0'>Select...</option>
    <?php while ($row = mysql_fetch_array($result)) {
        if ($row['Card_Name'] == @$cards) {
            echo "<option selected value='{$row['Card_Name']}'>{$row['Card_Name']}</option>";
        } else {
            echo "<option value='{$row['Card_Name']}'>{$row['Card_Name']}</option>";
        }
    }
    ?>
    </select>
    <br />
     <input type="text" id="txt" value="Card Name?" onfocus="this.value==this.defaultValue?this.value='' :null" onkeyup="searchSel(this.value);" style="color:#000000; font:Arial; font-size:12px; background-color:#e1e1e1;" />
     <BR />
		<input type="submit" value="Submit" name="submit" />
                        <input type=button onClick="location.href='MTGT-Auction.php'" value='Reset' />
            </form>
            <!-- CREATE TABLE WHERE DATA GOES -->
<table border="1" bordercolor="#000000">
<tr align="center">
<th class="th">Auction ID</th>
<th class="th">Card Name</th>
<th class="th">Cards Per Auction</th>
<th class="th">Auction Price</th>
<th class="th">Cost Per Card</th>
<th class="th">Date Listed</th>
<th class="th">Seller Name</th>
</tr>
<?php
//GET DATA FOR TABLE BASED ON SELECTED CARD & LOOP THROUGH
$quer2=mysql_query("SELECT * FROM auctions WHERE Card_Name ='$cards' Order By Price_Per") or die;
$i = 1;
while ($row = mysql_fetch_array($quer2)) {
    // alternate the row class so consecutive rows are shaded differently
    $rowColor = ($i % 2 != 0) ? "class='row-one'" : "class='row-two'";
    echo "<tr $rowColor>"
        . "<td>" . $row['Auction_ID'] . "</td><td>" . $row['Card_Name'] . "</td><td>" . $row['Qty_Listed'] . "</td>"
        . "<td>" . $row['Price'] . "</td><td>" . $row['Price_Per'] . "</td><td>" . $row['Date'] . "</td><td>" . $row['seller'] . "</td></tr>";
    $i++;
}
//}
?>
<?php
//QUICK CHECK IS OUR VARIABLE SET???
echo "<font color=\"#FFFFFF\">". $cards . "</font>";
?>
</table>

 

I imagine this is probably a very common problem and an easy fix that has been answered many times, but I haven't found anything that worked for me, so any help or links to similar issues would really be appreciated.

 

Thank you,

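To see exactly what the apostrophe does to the query in the post above, here is an added example; it is not code from the thread. It runs the same SELECT against a constructed in-memory SQLite table through PDO, first by pasting the value into the SQL text as the post does, then as a bound parameter. Bound parameters are used instead of an escaping function; the table, the rows and the card names are made up for the demonstration, and the script assumes PHP with the pdo_sqlite driver installed.

```php
<?php
// Added example, not the poster's code: the thread's $quer2 SELECT run two
// ways against a constructed in-memory SQLite table shaped like the auctions
// table. Assumes PHP with PDO and the pdo_sqlite driver (php -m | grep pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE auctions (Auction_ID INTEGER PRIMARY KEY, Card_Name TEXT, Price_Per REAL)");
// Constructed sample rows; the card names are made up for this example.
$db->exec("INSERT INTO auctions (Card_Name, Price_Per) VALUES
    ('Llanowar Elves', 0.25),
    ('Jace''s Ingenuity', 1.10),
    ('Jace''s Ingenuity', 0.95)");

// The thread's approach: paste the POSTed value straight into the SQL text.
function selectByConcatenation(PDO $db, string $cards): array
{
    $sql = "SELECT * FROM auctions WHERE Card_Name ='$cards' ORDER BY Price_Per";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix: send the value as a bound parameter. The driver keeps it separate
// from the SQL text, so an apostrophe (or anything else) in it is only data,
// and no escaping function is needed on the way in.
function selectByPreparedStatement(PDO $db, string $cards): array
{
    $stmt = $db->prepare("SELECT * FROM auctions WHERE Card_Name = :cards ORDER BY Price_Per");
    $stmt->execute([':cards' => $cards]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$name = "Jace's Ingenuity";

// 1. Concatenation: the apostrophe in the name closes the string literal early,
//    the rest of the name is parsed as SQL, and the query fails. This is the
//    symptom the thread describes.
try {
    selectByConcatenation($db, $name);
} catch (PDOException $e) {
    echo "concatenation failed: " . $e->getMessage() . "\n";
}

// 2. Concatenation with a value chosen by the visitor: no error, but the
//    WHERE clause now matches every row in the table.
$rows = selectByConcatenation($db, "x' OR '1'='1");
echo "concatenation with crafted input returned " . count($rows) . " rows\n";

// 3. Prepared statement: the real name matches its two sample auctions, and the
//    crafted value matches nothing because it is compared as a literal string.
foreach ([$name, "x' OR '1'='1"] as $input) {
    $rows = selectByPreparedStatement($db, $input);
    echo "prepared statement for " . json_encode($input) . " returned " . count($rows) . " rows\n";
}
```

Run it with `php example.php`. The same prepare/execute pattern works against the real MySQL table through PDO's mysql driver (or mysqli's bind_param); the point is that the value never becomes part of the SQL text, so the question of which quote character to use around it goes away, and so does the second case above, where a visitor-supplied value rewrites the WHERE clause.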

Wow, just re-looking at my post, I took a guess.

 

I was using ' in my Select box option values; I just changed them to \" and that fixed the issue...

Yep, that's what mysql_real_escape_string does. You should be calling that on any data that comes near your database.

 

As in when the data is written to the database? Or coming from it? Or both?

 

Right now I'm uploading data via phpMyAdmin but do plan on having the site parse flat dump files.

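On the HTML side, switching the option value's quote character from ' to " works until a card name contains a double quote. The following is an added example, not code from the thread: an option-rendering function that escapes the name for the HTML attribute so either quoting style is safe, tried on constructed names containing each kind of quote. It also shows where escaping belongs in the written-to versus read-from question above: at each boundary the data crosses (the HTML attribute here; a bound query parameter when it goes into SQL), not once when it is stored, so the value in the table stays the plain card name. The names are made up for the demonstration.

```php
<?php
// Added example, not the poster's code: render the <select> options with the
// card name escaped for an HTML attribute. With ENT_QUOTES both ' and " are
// encoded, so the attribute can use either quote character safely.
function renderOption(string $cardName, ?string $selected = null): string
{
    $escaped = htmlspecialchars($cardName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $attr = ($selected !== null && $cardName === $selected) ? ' selected' : '';
    return "<option value=\"$escaped\"$attr>$escaped</option>\n";
}

// What the browser sends back in $_POST['cards'] is the decoded attribute
// value, i.e. the original card name. Escaping is applied per boundary, so
// nothing needs un-escaping later and the stored value is the plain name.
function roundTrips(string $cardName): bool
{
    $escaped = htmlspecialchars($cardName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return html_entity_decode($escaped, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $cardName;
}

// Constructed names: the first breaks a single-quoted attribute, the second a
// double-quoted one, the third both, and the last neither.
$names = ["Jace's Ingenuity", 'Card "Quoted"', "Mixed ' and \" & more", "Llanowar Elves"];
foreach ($names as $n) {
    echo renderOption($n, "Jace's Ingenuity");
    echo "  round trip ok: " . (roundTrips($n) ? "yes" : "no") . "\n";
}
```

The same `htmlspecialchars` call belongs on every `$row[...]` value the page echoes into the results table, since those come from the same column; escaping for HTML there and binding as a parameter for SQL are two separate steps, and neither replaces the other.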
