lingo5 Posted April 5, 2013

Hi, I'm trying to update my database with this query:

$id_categoria=$_POST["id_categoria"];
$id_subcategoria=$_POST["id_subcategoria"];
$articulo_tit=$_POST["articulo_tit"];
$articulo_descripcion=$_POST["articulo_descripcion"];
$articulo_novedad=$_POST["articulo_novedad"];
$articulo_visible=$_POST["articulo_visible"];
$articulo_oferta=$_POST["articulo_oferta"];
$Sql="UPDATE t_articulos SET id_categoria='$id_categoria',id_subcategoria='$id_subcategoria',articulo_tit='$articulo_tit',articulo_descripcion='$articulo_descripcion',articulo_novedad='$articulo_novedad',articulo_visible='$articulo_visible',articulo_oferta='$articulo_oferta',articulo_imagen='$filePath' WHERE id_articulo='$colname_productos'";
mysql_query($Sql) or die('Error, query failed : ' . mysql_error());

The problem is I get an error when there are special characters in the entered text, such as apostrophes etc. Any suggestions? Thanks.
TOA Posted April 5, 2013

mysql_real_escape_string

But note that the normal mysql functions are deprecated and you should switch to the mysqli extension.
lingo5 Posted April 5, 2013 (Author)

Thanks Devil's, how would I use mysql_real_escape_string in my query? Also, what d'you mean by deprecated function? Sorry, but I'm still trying to learn.
TOA Posted April 5, 2013 (Solution, edited)

For each of these

$id_categoria=$_POST["id_categoria"];
$id_subcategoria=$_POST["id_subcategoria"];
$articulo_tit=$_POST["articulo_tit"];
$articulo_descripcion=$_POST["articulo_descripcion"];
$articulo_novedad=$_POST["articulo_novedad"];
$articulo_visible=$_POST["articulo_visible"];
$articulo_oferta=$_POST["articulo_oferta"];

it would be

$id_categoria=mysql_real_escape_string($_POST["id_categoria"]);
[...]

Then just use the variables as you normally would.

Deprecated means they will stop supporting it soon, so you should switch to the mysqli group of functions. Here's a link to get you started: mysqli.

Edited April 5, 2013 by TOA
lingo5 Posted April 5, 2013 (Author)

Ah ok... thanks a lot for your help!!!!!
Christian F. Posted April 5, 2013

Actually, I wouldn't use output escaping there. That's where I'd validate the input, to make sure it conforms to the expected formats. Only when sending the data to the SQL (query) would I escape it, to prevent both SQL injections and mangling the content when sent to other systems (like the browser, in case of validation errors).

The result would look something like this, in pseudo-code:

if (submitted) {
    $errors = array ();
    $name = validate ('name', POST['name']);
    $email = validate ('email', POST['email']);
    // And so forth.

    if (!empty ($errors)) {
        // Show validation errors and repopulated form.
        return;
    }

    // Now we escape output for SQL.
    $query = "UPDATE TABLE SET field_1 = '%s', field_2 = %d, field_3 = '%s'";
    $query = sprintf ($query, mres ($name), $zip, mres ($email));
    // And the rest.
}

The reason I use sprintf here is to avoid having (too many) function calls in the middle of a string, which would make the actual SQL query a lot harder to read than necessary.
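An added example (not code from either poster) that combines TOA's advice to move to mysqli with Christian F.'s order of operations: validate first, then hand the data to the database. It swaps mysql_real_escape_string for a mysqli prepared statement with bound parameters, so the apostrophes from the original question never become part of the SQL text at all. Connection details are placeholders, the validation rules are assumptions, and $filePath and $colname_productos are taken as already set, as in the original post.

```php
<?php
// Added example, not from the thread. Validate the posted fields, then run the original
// UPDATE through a mysqli prepared statement. Bound values are sent separately from the
// SQL, so quotes in the text need no escaping. Validation rules here are assumptions.

function validate_articulo(array $post, array &$errors): array
{
    $clean = [];
    foreach (['id_categoria', 'id_subcategoria'] as $f) {          // must be integer ids
        if (!isset($post[$f]) || !ctype_digit((string) $post[$f])) {
            $errors[] = "$f must be a positive integer";
        } else {
            $clean[$f] = (int) $post[$f];
        }
    }
    $tit = trim($post['articulo_tit'] ?? '');
    if ($tit === '' || mb_strlen($tit) > 200) {
        $errors[] = 'articulo_tit is required (max 200 characters)';
    }
    $clean['articulo_tit'] = $tit;
    $clean['articulo_descripcion'] = trim($post['articulo_descripcion'] ?? ''); // free text, apostrophes fine
    foreach (['articulo_novedad', 'articulo_visible', 'articulo_oferta'] as $f) {
        $clean[$f] = !empty($post[$f]) ? 1 : 0;                       // checkbox-style flags
    }
    return $clean;
}

$errors = [];
$a = validate_articulo($_POST, $errors);
if ($errors) {
    foreach ($errors as $e) { echo htmlspecialchars($e), "<br>\n"; } // escaped for the browser, not SQL
    exit;                                                             // nothing has touched the database
}

$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');   // placeholders
$db->set_charset('utf8mb4');                                         // charset must match for binding to be safe

$stmt = $db->prepare(
    'UPDATE t_articulos SET id_categoria = ?, id_subcategoria = ?, articulo_tit = ?,
        articulo_descripcion = ?, articulo_novedad = ?, articulo_visible = ?,
        articulo_oferta = ?, articulo_imagen = ? WHERE id_articulo = ?'
);
// One type letter per placeholder, in order: i = integer, s = string.
$stmt->bind_param('iissiiisi',
    $a['id_categoria'], $a['id_subcategoria'], $a['articulo_tit'], $a['articulo_descripcion'],
    $a['articulo_novedad'], $a['articulo_visible'], $a['articulo_oferta'], $filePath, $colname_productos);
if (!$stmt->execute()) {
    die('Error, query failed: ' . $stmt->error);
}
```

The bind_param type string is positional, so adding or reordering a column in the UPDATE means adjusting the corresponding letter too.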
TOA Posted April 5, 2013

Quoting Christian F.: "Actually, I wouldn't use output escaping there. That's where I'd validate the input, to make sure it conforms to the expected formats. Only when sending the data to the SQL (query) would I escape it, to prevent both SQL injections and mangling the content when sent to other systems (like the browser, in case of validation errors)."

Valid point. Since there was nothing in between the variable declarations and the actual query, I failed to notice the need for that comment. But very worth pointing out. Good catch.