NathanS, posted March 10, 2008:

Hi there, I'm having issues where people are inserting last names such as "O'Connor" and it's not writing to the database correctly:

$sql = "INSERT INTO customerav (TITLE, LNAME, PCODE) VALUES ('".$_POST["TITLE"]."', '".$_POST["LNAME"]."', '".$_POST["PCODE"]."')";

How would I best go about removing the apostrophe? Cheers.
uniflare, posted March 10, 2008:

this is known as mysql injection... wrap all your $_POST[] variables in mysql_escape_string() eg:

$sql = "INSERT INTO customerav (TITLE, LNAME, PCODE) VALUES ('".mysql_escape_string($_POST["TITLE"])."', '".mysql_escape_string($_POST["LNAME"])."', '".mysql_escape_string($_POST["PCODE"])."')";

-- make sure you are connected to the db before using any mysql_escape_string functions
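The same INSERT written as a parameterised query, added here as an example and not taken from the thread. Binding the values separately from the SQL text makes the apostrophe in "O'Connor" plain data rather than part of the statement, which is the problem uniflare's escaping addresses. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table name, column names and the constructed $post array stand in for the poster's form, and against MySQL only the DSN and credentials passed to new PDO(...) would differ.

```php
<?php
// Added example, not code from the thread: parameterised INSERT with PDO.
// In-memory SQLite so it runs offline; only the DSN changes for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customerav (TITLE TEXT, LNAME TEXT, PCODE TEXT)');

// Constructed stand-in for $_POST, carrying the value that broke the
// string-concatenated query in the thread.
$post = ['TITLE' => 'Mr', 'LNAME' => "O'Connor", 'PCODE' => 'AB1 2CD'];

function insertCustomer(PDO $db, array $post): void
{
    // Placeholders are sent to the driver separately from the SQL text,
    // so the values need no escaping and none can be forgotten.
    $stmt = $db->prepare(
        'INSERT INTO customerav (TITLE, LNAME, PCODE) VALUES (:title, :lname, :pcode)'
    );
    $stmt->execute([
        ':title' => $post['TITLE'],
        ':lname' => $post['LNAME'],
        ':pcode' => $post['PCODE'],
    ]);
}

insertCustomer($db, $post);

// Read the row back: the stored surname should be exactly what was typed,
// apostrophe intact and without any backslashes.
$row = $db->query('SELECT LNAME FROM customerav')->fetch(PDO::FETCH_ASSOC);
echo $row['LNAME'] === $post['LNAME']
    ? "stored unchanged: {$row['LNAME']}\n"
    : "stored altered: {$row['LNAME']}\n";
```

Because the database receives the value through a bound parameter, the question of which escaping function to call, and whether a connection is open when it is called, does not arise.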
NathanS (author), posted March 10, 2008:

'".mysql_escape_string($_POST["LNAME"])."

Many thanks for your quick reply! Using the above, however, it still writes O\\\ to the database, as opposed to O'Connor - any ideas? Thanks again!
trq, posted March 10, 2008:

Would seem you have magic_quotes_gpc enabled. You will also need to use stripslashes on your data prior to mysql_real_escape_string().
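An added example, not from the thread, that reproduces the double escaping trq is describing and shows the normalisation step. magic_quotes_gpc applied addslashes() to every GET, POST and COOKIE value before the script saw it, so escaping such a value again adds a second layer of backslashes that is then stored literally. Here addslashes() stands in both for that magic-quotes layer and for the backslash escaping that mysql_real_escape_string() performs, since neither magic quotes nor the mysql_ extension exists in current PHP; the helper normaliseInput() and its guard around get_magic_quotes_gpc() are this example's own.

```php
<?php
// Added example, not code from the thread: why magic_quotes_gpc produces
// stored backslashes, and the stripslashes() step that prevents it.

$typed = "O'Connor";

// Simulate what $_POST["LNAME"] contained with magic_quotes_gpc = On:
// the apostrophe has already been backslash-escaped once.
$fromPost = addslashes($typed);

// Escaping that value again (as mysql_real_escape_string() would) escapes
// the existing backslash as well, so the database stores a backslash
// before the apostrophe instead of a bare O'Connor.
$doubleEscaped = addslashes($fromPost);

// Correct order: remove the magic-quotes layer first, then escape once.
$escapedOnce = addslashes(stripslashes($fromPost));

echo "typed:           $typed\n";
echo "from POST:       $fromPost\n";
echo "escaped twice:   $doubleEscaped\n";
echo "escaped once:    $escapedOnce\n";
echo "matches clean escape: " . ($escapedOnce === addslashes($typed) ? "yes" : "no") . "\n";

// Helper for real form handling: strip slashes only when magic quotes are
// actually on, so the code behaves the same on hosts with the setting off.
// get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists guard.
function normaliseInput(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}
```

Calling stripslashes() unconditionally is the wrong fix: on a host where magic quotes are off it would remove backslashes the user genuinely typed. Checking the setting first, as normaliseInput() does, keeps the input identical to what was submitted in both configurations before the single escaping step (or, better, a bound parameter) is applied.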
NathanS (author), posted March 10, 2008:

I see. Excuse my utter ignorance, but in what format would I need to be using stripslashes prior to mysql_real_escape_string()? Sorry, very new still!
NathanS (author), posted March 10, 2008:

I turned magic_quotes off, yet it still does the same thing...?
uniflare, posted March 10, 2008:

Echo the query variable using exit(); immediately before the mysql_query call, once without the mysql_escape_string and once with, and tell us the output of these two results.