I really am trying to do this on my own but I can’t find anything on here or the net to deal with this issue. I have a post form to modify data but when I try to Update I get nothing if there is an apostrophe in the data. I figured this needed to be sanitized but I have tried two different methods, which allow it to write, but instead of an apostrophe I get &-#39; (without the hyphen) instead. Can anyone help me with what I’m doing wrong?
It’s only the first three fields that might have an apostrophe.
$_POST['partist'] = filter_var($_POST['partist'], FILTER_SANITIZE_STRING);
$_POST['ptitle'] = filter_var($_POST['ptitle'], FILTER_SANITIZE_STRING);
$_POST['pfolder'] = filter_var($_POST['pfolder'], FILTER_SANITIZE_STRING);
and
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
$UpdateQuery = "UPDATE musictest SET artist = '$_POST[partist]', title = '$_POST[ptitle]', folder = '$_POST[pfolder]', time = '$_POST[ptime]', dance = '$_POST[pdance]', date ='$_POST[pdate]', position = '$_POST[ppos]', acdate = '$_POST[pacdate]', acpos = '$_POST[pacpos]', apdate = '$_POST[papdate]', appos = '$_POST[pappos]', cdate = '$_POST[pcdate]', cpos = '$_POST[pcpos]', ddate = '$_POST[pdate]', dpos = '$_POST[pdpos]', hdate = '$_POST[phdate]', hpos = '$_POST[phpos]', pdate = '$_POST[ppdate]', ppos = '$_POST[pppos]', rdate = '$_POST[prdate]', rpos = '$_POST[prpos]', odate = '$_POST[podate]', opos = '$_POST[popos]', kdate = '$_POST[pkdate]', kpos = '$_POST[pkpos]' WHERE count = '$_POST[pcount]'";
mysqli_query($conn, $UpdateQuery);
I also just noticed that if I read the data back in from the database there is nothing when the ascii code is.
I haven’t done much with this, but looking at a few searches it seems this is what is intended - it’s translating the apostrophe character to it’s HTML token (the apostrophe is ASCII 39). There is talk of magic quotes and other magic, but it seems that some tags will be removed, and some translated. Have a play with the other parameters for filter_var().
You’re doing nothing inherently wrong. &# ; is the HTML Special Character code set. #39 is an apostrophe as you expect.
When a browser reads an HTML Special Character, it will translate it into the symbol represented (as i’m sure you’ve found out, by having to put a hyphen into your post!)
Your references to the post array in your query, however, are incorrect.
Firstly, if you are going to use this much user input i’d suggest using Prepared Statements. But assuming you dont want to do that, a string encapsulation for an array reference must either break the string or be surrounded by {}.
So:
$UpdateQuery = "UPDATE musictest SET artist = '$_POST[partist]', ....
=>
$UpdateQuery = "UPDATE musictest SET artist = '".$_POST['partist']."', ....
OR
$UpdateQuery = "UPDATE musictest SET artist = '{$_POST['partist']}', ....
' is the entity for an apostrophe. and the apostrophe is replaced by filter_var().
but anyways, you wouldn’t have to sanitize strings if you used Prepared Statements.
note: the typographically correct apostrophe would be ’ (U+2019).
@StarLion and @Dormilich Gentlemen, thanks so much for your help. I assure you that it’s not that I didn’t WANT to prepare statements. I just never grasped how to do it. I’m 65, self taught hack and I could read PHP.net all day and never glean a clue as to what I was supposed to do. I find videos on YouTube easier to understand. I spent today reading and then finally found 3 videos and I think I have a rough idea.
But I do have a question for either of you. I have 25 fields in my form. To make this happen does that mean that I need to start with (‘s x27’) to take care of everything? The ‘Count’ is a record number that comes out of the db to point to where the modifications need to be written to and is never visible to the user. If you can just help me over this hump I think I’ll be ok on my own.
Thanks in advance.
s x27 ?
without knowing what exactly you want to do or how your table is set up, it’s hard to advise anything.
Sorry @Dormilich what I was saying is at the beginning of the bind_param statement do I need to have an equal number of ‘string’ “S” as the number of items?
(let’s assume the all your data are strings)
you need as many s as you have question mark placeholders. i.e. if you only insert 10 values (of the possible 25) then you need only 10 s. essentially, the number of type designators must exactly match the number of placeholders)
note for other readers, we’re talking about the MySQLi extension here, PDO would solve the problem differently.
Which obviously they arent.
(and better, since mysqli::bind_param refuses to take an array)
assumption make explanations easier, esp. when you have to explain basics.
call_user_func_array()
@StarLion and @Dormilich again thanks for your help. I think I have the code right but I keep getting an error “Call to a member function bind_param() on a non-object”. I’m sure it’s a typo and I just have to find it. It’s a long line.
I mean no disrespect to either of you but this is a problem I am finding all over the net. Constant disagreement to all out wars as to the benefits of PHP vs PDO. From my perspective, I’m just learning PHP so references to PDO only confuses me more. This is absolutely not unique here but it really makes it discouraging to a newbie.
That said, I do appreciate your help.
Well it’s not PHP vs PDO, (PDO = PHP Data Objects); PDO is (in general) an abstraction layer generally designed to make code more adaptable to environments…
I just dislike the clunkiness of trying to dynamically bind parameters using mysqli_, and it’s personal preference.
As for bind_param’ing a non-object, it generally means your database connection attempt failed, or you typoed the name of the connection variable.
@StarLion Boy do I have egg on my face. When I first stumbled across PDO I got the understanding that it was a similar but separate language. One of the biggest draw backs of being self taught via the net. In a class you can raise your hand and ask a question. Thanks for taking the time to straighten me out.
I spent the day working on that prepare statement yesterday and can’t for the life of me figure out what’s wrong. I skipped a couple of PDO videos the other day. Perhaps it’s time to go back and watch those. Again, thanks for the help.
I am also self-learning PHP, went through a book which due to its age taught the mysql functions, then I came here and saw that it wasn’t the best way nowadays. I plumped for PDO purely because of its ability to connect to things other than MySQL, which might conceivably be an advantage for me at some point.
Anyhow, if you still can’t see it, post the code you’re getting the error message with, often you can stare at your own code for hours and not notice something that a fresh pair of eyes might spot immediately.
Absolutely no problem. I am mostly self-taught myself (granted i’ve been doing it for… anyway lets not focus on that).
My basic learning strategy was: Look at other peoples’ code and decipher what it did; or “I want to make it do X… is there a function in the manual that does something like that”
And yes, I have lost many hours to the ‘cant see your own mistakes’ problem as well.
If you get stuck on your PDO attempt Jim, feel free to post it and we’ll take a look.