galvin Posted August 6, 2012

I have insert code like this...

    $sql = "INSERT into players (lastname, firstname) VALUES ('" . mysql_prep($_POST['lastname']) . "', '" . mysql_prep($_POST['firstname']) . "')";

If I have a first name like "Da'Rel", the insert goes through, but it only puts "Da" in the firstname field. Here is my mysql_prep code...

    function mysql_prep($value) {
        $magic_quotes_active = get_magic_quotes_gpc();
        $new_enough_php = function_exists("mysql_real_escape_string"); // i.e. PHP >= v4.3.0
        if ($new_enough_php) { // PHP v4.3.0 or higher
            // undo any magic quote effects so mysql_real_escape_string can do the work
            if ($magic_quotes_active) { $value = stripslashes($value); }
            $value = mysql_real_escape_string($value);
        } else { // before PHP v4.3.0
            // if magic quotes aren't already on then add slashes manually
            if (!$magic_quotes_active) { $value = addslashes($value); }
            // if magic quotes are active, then the slashes already exist
        }
        return $value;
    }

Any idea what I need to alter in order to let single quotes go into the field (i.e. so that the full name "Da'Rel" gets inserted)?
Jessica Posted August 6, 2012

Read about mysqli/PDO
PFMaBiSmAd Posted August 6, 2012

The HTML of your form is being broken by the single-quote and/or you don't have any quotes around a value="..." attribute in your form. What is the code where this data is being submitted from and where you are displaying it after retrieving it from the database table?
Jessica Posted August 6, 2012

> The HTML of your form is being broken by the single-quote and/or you don't have any quotes around a value="..." attribute in your form. What is the code where this data is being submitted from and where you are displaying it after retrieving it from the database table?

What did you read to come to that conclusion?
PFMaBiSmAd Posted August 6, 2012

There's nothing in the posted code that has the ability to remove characters from the data, and if it was somehow terminating the data field and excluding the characters after the ', those left-over bare characters would either generate an SQL error or would become part of the following field's data. This symptom is typical of either a form that only submits data up to the first ' character in the data or of display code that only outputs up to the first ' character in the data.
galvin Posted August 6, 2012 (Author)

Sorry, here is the code for the form. Now that I see it, I'm assuming the fact that I am using single quotes for the value attribute in the form is probably not good (i.e. I should use double quotes??). I'll try that now...

Form:

    <form id="addplayer" method="post" action="insertnewplayer.php">
    First Name: <input type='text' name='firstname' size='25' value='' /><br />
    Last Name: <input type='text' name='lastname' size='50' value='' /><br />
    <input type='submit' name='submit' value='Submit' /><br />
    </form>
galvin Posted August 6, 2012 (Author)

Thank you PFMaBiSmAd for asking this question... "where you are displaying it after retrieving it from the database table?". That was the problem. The full data WAS in the database, but the displaying page was using single quotes in the value attribute, so it cut it off when displaying. Ugh, I hate the double quote/single quote dilemma (at least it's a dilemma for me). Do you suggest any general theories, like maybe "Always use double quotes even though it's annoying to have to escape them"?
galvin Posted August 6, 2012 (Author)

Or is there maybe some way to "clean" the database data before displaying it so it will display regardless of whether my value attribute has single or double quotes?
PFMaBiSmAd Posted August 7, 2012

Content that you output on a web page that might contain HTML special characters needs to be passed through htmlentities, right before outputting it, with the second parameter set to ENT_QUOTES, so that the special HTML characters in the content won't break the HTML on the page.
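The two pieces of advice in this thread, escaping at the point of output (PFMaBiSmAd's post above) and using PDO prepared statements for the insert (Jessica's reply), put together as an added example. This is not code from the thread or from any poster; it uses PDO with an in-memory SQLite database, which assumes the pdo_sqlite extension is loaded, and the table, the id column and the sample names are constructed for the example. It uses htmlspecialchars rather than htmlentities; both accept ENT_QUOTES and both escape the quote characters, htmlentities additionally converts every character that has a named entity. Two caveats worth knowing: before PHP 8.1 the default flag for htmlspecialchars was ENT_COMPAT, which leaves single quotes alone, so the explicit ENT_QUOTES is what protects a value='...' attribute; and the mysql_* functions were removed in PHP 7.0 and get_magic_quotes_gpc in PHP 8.0, so mysql_prep as posted does not run on current PHP at all.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension.
// The table layout and the sample names below are constructed for illustration.
declare(strict_types=1);

// Escape a value for use inside an HTML attribute or text node.
// ENT_QUOTES is the part that matters for value='...' attributes: without it
// the single quote in Da'Rel closes the attribute and the browser drops the
// rest of the name. ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole
// output into an empty string.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Insert a player with a prepared statement. The names are sent as bound
// parameters, so quotes in the data never touch the SQL text and no escaping
// function (mysql_prep, addslashes, magic quotes) is needed on the way in.
function insert_player(PDO $db, string $lastname, string $firstname): int
{
    $stmt = $db->prepare(
        'INSERT INTO players (lastname, firstname) VALUES (:lastname, :firstname)'
    );
    $stmt->execute([':lastname' => $lastname, ':firstname' => $firstname]);
    return (int) $db->lastInsertId();
}

function fetch_player(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT lastname, firstname FROM players WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException("no player with id $id");
    }
    return $row;
}

// Render the edit form. Every value from the database goes through html_attr()
// right where it is output, so it survives whichever quote style the attribute
// uses (one of each below, on purpose).
function render_form(array $player): string
{
    return "<form id=\"addplayer\" method=\"post\" action=\"insertnewplayer.php\">\n"
        . "First Name: <input type=\"text\" name=\"firstname\" size=\"25\" value='"
        . html_attr($player['firstname']) . "' /><br />\n"
        . "Last Name: <input type=\"text\" name=\"lastname\" size=\"50\" value=\""
        . html_attr($player['lastname']) . "\" /><br />\n"
        . "<input type=\"submit\" name=\"submit\" value=\"Submit\" /><br />\n"
        . "</form>\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players ('
    . 'id INTEGER PRIMARY KEY AUTOINCREMENT, '
    . 'lastname TEXT NOT NULL, firstname TEXT NOT NULL)');

// Constructed inputs: the name from the thread, plus one pair that would break
// the HTML or the SQL if it were concatenated in unescaped.
$id1 = insert_player($db, "O'Brien", "Da'Rel");
$id2 = insert_player($db, 'x" onmouseover="alert(1)', "'; DROP TABLE players; --");

// The full name reaches the database intact; the truncation in the thread
// happened at display time, not at insert time.
if (fetch_player($db, $id1)['firstname'] !== "Da'Rel") {
    throw new RuntimeException('name was truncated on insert');
}

// Both rows render as inert attribute text: the single quote in Da'Rel becomes
// &#039; and the double quote in the second lastname becomes &quot;.
echo render_form(fetch_player($db, $id1));
echo render_form(fetch_player($db, $id2));
```

The separation is the point: parameter binding protects the database from the data, and output escaping protects the HTML from the data. Neither one substitutes for the other, and neither needs the quote style of the attribute or the SQL literal to be chosen with the data in mind.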
galvin Posted August 7, 2012 (Author)

Beautiful, thanks for sharing your knowledge!