barney0o0 — 2012-02-28T15:25:10-05:00 — #1
I don't know what im doing wrong here..
Very simple form is adding slashes to special characters in the db i.e. that\'s entertainment
$ttitle = mysql_real_escape_string($_POST['ttitle']);
$ttitle2 = mysql_real_escape_string($_POST['ttitle2']);
$query = "INSERT INTO test ( ttitle, ttitle2) ".
"VALUES ('$ttitle', '$ttitle2' )";
mysql_query($query) or die('Error, query failed : ' . mysql_error());
echo "<br>File uploaded<br>";
PHP.ini file: (ver 5.2.17)
magic_quotes_gpc Off Off
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off
chris_upjohn — 2012-02-28T15:35:37-05:00 — #2
The mysql_real_escape_string function is the reason why, when inserting data into a database you should always escape anything that can disrupt the MySQL query including single quotes which would break you query because your wrapping the row value in single quotes.
Sent from my iPhone using Tapatalk
barney0o0 — 2012-02-28T16:37:18-05:00 — #3
sorry, im a bit tired and things just go straight over my head...:) what should have i done?
Thanks in advance
chris_upjohn — 2012-02-28T16:59:06-05:00 — #4
Sorry it's hard to explain things when I'm on my iPhone, basically if you look at the following example you will see the issue straight away when using single quotes to wrap your data.
$query = "INSERT INTO test (name, bio) VALUES ('Chris', '<font color='#ff0000'>I'm</font> Chris and <font color='#ff0000'>I'm</font> a 20 year old web developer from Melbourne Australia')";
As you can see I've highlighted the problems in red which are un-escaped quotes which would cause a MySQL error, however when using the mysql_real_escape_string() function this is avoided because it knows to automatically escape anything that we don't. When retrieving data from your database you can simply use the stripslashes() function would removes the backslash from the single quotes etc...
barney0o0 — 2012-02-29T04:06:42-05:00 — #5
Cheers, but im still a little confused
Ive had a look at some of my old database tables and, although ive used mysql_real_escape_string, there aren't any \' in the tables.... similary, ive looked around, and isnt it true that its just escapes the string thats being inserted...and shouldnt actually be entered into the database?
Sorry, i didnt want this to be along thread...i just want to clarify before i run stripslashes() on data pulled from the database