Form to DB - Back to basics

barney0o0 · February 28, 2012, 8:25pm

I don’t know what im doing wrong here…
Very simple form is adding slashes to special characters in the db i.e. that\'s entertainment

<?
if(isset($_POST['upload']))
{
	    include 'dbconnection.php';
$ttitle = mysql_real_escape_string($_POST['ttitle']);
$ttitle2 = mysql_real_escape_string($_POST['ttitle2']);




	$query = "INSERT INTO test ( ttitle, ttitle2) ".
			 "VALUES ('$ttitle', '$ttitle2' )";




    mysql_query($query) or die('Error, query failed : ' . mysql_error());



    echo "<br>File uploaded<br>";
}		
?>

PHP.ini file: (ver 5.2.17)
magic_quotes_gpc Off Off
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off

…any ideas

chris_upjohn · February 28, 2012, 8:35pm

The mysql_real_escape_string function is the reason why, when inserting data into a database you should always escape anything that can disrupt the MySQL query including single quotes which would break you query because your wrapping the row value in single quotes.

Sent from my iPhone using Tapatalk

barney0o0 · February 28, 2012, 9:37pm

sorry, im a bit tired and things just go straight over my head… what should have i done?
Thanks in advance

chris_upjohn · February 28, 2012, 9:59pm

Sorry it’s hard to explain things when I’m on my iPhone, basically if you look at the following example you will see the issue straight away when using single quotes to wrap your data.

$query = "INSERT INTO test (name, bio) VALUES ('Chris', '[COLOR=#ff0000]I'm[/COLOR] Chris and [COLOR=#ff0000]I'm[/COLOR] a 20 year old web developer from Melbourne Australia')";

As you can see I’ve highlighted the problems in red which are un-escaped quotes which would cause a MySQL error, however when using the mysql_real_escape_string() function this is avoided because it knows to automatically escape anything that we don’t. When retrieving data from your database you can simply use the stripslashes() function would removes the backslash from the single quotes etc…

barney0o0 · February 29, 2012, 9:06am

Cheers, but im still a little confused

Ive had a look at some of my old database tables and, although ive used mysql_real_escape_string, there aren’t any \’ in the tables… similary, ive looked around, and isnt it true that its just escapes the string thats being inserted…and shouldnt actually be entered into the database?

Sorry, i didnt want this to be along thread…i just want to clarify before i run stripslashes() on data pulled from the database

B