Single quote insert problem

Hi,

Can anyone help? I can’t seem to get the single quotes to insert in a (daylog)textarea. I’m using the $daylog = mysql_real_escape_string($daylog);…am I missing something? Thanks much in advance! Fagin



if ($go_on == true) {
    if (isset($_POST['submit'])) {
        $member = $_SESSION['login_id'];

        $recurrence_state = '';
        if ($recurrence = method_vars('recurrence') and
                $recurrence == 'permanent') {
            $recurrence_state = 'permanent';
        } 
      $daylog = mysql_real_escape_string($daylog);
        echo "<p><b>" . $txt["Following_App_Added"] . ":</b></p>\n<p>";
        for ($i = 0; $i < $num; $i++) {
            $ins = "INSERT INTO " . $table . " (name,
                                                address,
                                                type,
                                                daylog,
                                                cap, 
                                                type,
                                                block,
                                                state) 
                    VALUES ('$member[$i]',
                            '$address',
                            '$type',
                            '$daylog',
                            '$cap', 
                            'guard',
                            '" . method_vars('block') . "',
                            '" . $state . "')";


What is the actual value of the variable $daylog at the point when you’re passing it to mysql_real_escape_string()?

The value of $daylog could be anything a user would like to enter in the textarea…It could be “Jame’s input was well received” for example.

Right. I guess my point was to determine if the variable $daylog actually contains data going into the function. Then, look at the data coming out of the function. Is it performing as you expected?

I generally use addslashes() as part of my data cleanup process before sending it to the database.

I think Jeff was asking to check the actual value of $daylog, not what it should be.

Perhaps try this to help debug your code


echo '$daylog (before) = '.$daylog.'<br />';

$daylog = mysql_real_escape_string($daylog);

echo '$daylog (after) = '.$daylog.'<br />';
die();

Not all of this is your issue, though they could be contributing to code problems in general.

  1. there is no “and” in php or other c dialect languages
    http://php.net/manual/en/language.operators.comparison.php

  2. some consistent formatting/indentation might make it clearer what’s going on.

  3. if $go_on is a bool, (or at least will return false for false) there’s no reason to ==

  4. you should probably choose a method of string formatting and stick with it, instead of using four different methods of string building in one declaration. You’ve got some where you close the “” and add, you’ve got some where you don’t, you’ve got some where you array, some where you don’t… It’s a confusing mess.

  5. this is your most likely culprit
    '$member[$i]'

That’s inside double quotes, and double quote escapes cannot resolve array indexes by another variable… which is part of why I think it’s silly to even use double quotes in the first place in PHP for strings except when you really want to manually escape chars, or when you want single quotes without escapes.

something more like:


if ($go_on) {
	if (isset($_POST['submit'])) { 
	
		$member = $_SESSION['login_id']; 
		
		$recurrence_state=( 
			($recurrence=method_vars('recurrence')) &&
			($recurrence=='permanent')
		) ? 'permanent' : '';
		
		$daylog=mysql_real_escape_string($daylog); 
		
		echo '
			<p>
				<b>',$txt['Following_App_Added'],':</b>
			</p>
			<p>';
			
		for ($i=0; $i<$num; $i++) { 
			$ins = "
				INSERT INTO ".$table."
				(
					name, 
					address, 
					type, 
					daylog, 
					cap,	
					type, 
					block, 
					state
				)	VALUES (
					'".$member[$i]."', 
					'".$address."', 
					'".$type."', 
					'".$daylog."', 
					'".$cap."',  
					'guard', 
					'".method_vars('block')."', 
					'".$state."'
				)"; 
		}
	}
}

Would probably work… though honestly, do yourself a favor, get OUT of 2003, and switch to mysqli or PDO, then you don’t have to worry about nonsense like mysql_real_escape_blah_blah_blah_namespace_too_blasted_long thanks to prepared queries. PDO’s ability to pass the array as the parameter and to re-use the same query would really be sweet in a case like this.


if ($go_on) {

	if (isset($_POST['submit'])) { 
	
		$member = $_SESSION['login_id']; 
		
		$recurrence_state=( 
			($recurrence=method_vars('recurrence')) &&
			($recurrence=='permanent')
		) ? 'permanent' : '';
		
		echo '
			<p>
				<b>',$txt['Following_App_Added'],':</b>
			</p>
			<p>';
			
		$statement=$dbPDO->prepare("
			INSERT INTO ".$table."
			(name,address,type,daylog,cap,type,block,state)
			VALUES
			(?,?,?,?,?,?,?,?)
		");
			
		for ($i=0; $i<$num; $i++) { 
			// execute() belongs to the prepared statement, not the PDO handle
			$statement->execute(array(
				$member[$i], 
				$address, 
				$type, 
				$daylog, 
				$cap,  
				'guard', 
				method_vars('block'), 
				$state
			)); 
		}
	}
}

There’s a reason the normal mysql_ functions should have gone the way of the dodo along with php4.

Gosh!

Sorry y’all

There was nothing wrong with my $daylog = mysql_real_escape_string($daylog);

I just was adding it to the wrong table!

Too many tables on one page and not enough coffee!

Thanks everyone for your help.

For debugging purposes you may want to start echoing the MySQL error information if the query fails. If you were doing that, you would have noticed exactly what the problem was and saved yourself a whole lot of time. :)
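An added example, not part of the original thread or any poster's code: the prepared-statement approach suggested above together with the advice to surface database errors, as a self-contained script. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL; the `appointments` table, its columns and the sample values are constructed for illustration.

```php
<?php
// Added example: constructed table and values; SQLite in-memory so it runs offline.
$pdo = new PDO('sqlite::memory:');
// Make every failed query throw instead of failing silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE appointments (name TEXT, daylog TEXT, state TEXT)');

// Identifiers (table and column names) cannot be bound as parameters,
// so a variable table name is checked against a fixed allowlist
// before it is concatenated into the SQL text.
$allowedTables = ['appointments'];
$table = 'appointments';
if (!in_array($table, $allowedTables, true)) {
    throw new InvalidArgumentException('Unexpected table name');
}

$members = ['alice', 'bob'];                    // constructed sample data
$daylog  = "James's input was well received";   // contains a single quote
$state   = 'permanent';

try {
    // Prepared once, executed per member: values travel separately from
    // the SQL text, so the quote in $daylog needs no manual escaping.
    $stmt = $pdo->prepare(
        "INSERT INTO $table (name, daylog, state) VALUES (?, ?, ?)"
    );
    foreach ($members as $member) {
        $stmt->execute([$member, $daylog, $state]);
    }
} catch (PDOException $e) {
    // Log the driver's message (wrong table, missing column, ...) and rethrow.
    error_log('Insert failed: ' . $e->getMessage());
    throw $e;
}

// Read the rows back to confirm the quote was stored unchanged.
$rows = $pdo->query('SELECT name, daylog FROM appointments')
            ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    echo $row['name'], ': ', $row['daylog'], PHP_EOL;
}
```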

In PHP you can actually use the words ‘and’ and ‘or’:


<?php

$one = true;
$two = true;

if($one and $two) {
    echo "They're both true!";
} else {
    echo "At least one of 'em isn't true!";
}

?>

My bad, I missed the Logical Operators section – though reading over the explanation of what makes them different from the Bitwise operators… they don’t seem particularly logical; well, unless you’re used to reverse polish notation.

I’d still avoid them. Too ambiguous. I mean:

$e = false || true; // returns true
$f = false or true; // returns false?!?
$g = true && false; // returns false…
$h = true and false; // returns true?!?

Ouch… no wonder I’ve NEVER seen them used in PHP code despite working in PHP for six to eight years.

Yeah, this comes from the premise that = has a higher precedence than ‘or’ or ‘and’.
Thus, $f = false or true; is interpreted as ($f = false) or true; and is why you see things such as
$res = mysqli_query($query) or die("Query failed!");
Because precedence will evaluate $res = first. (If it evaluated the ‘or’ first, $res could only be assigned a boolean value.)

Personally, I always stick to && and ||. (Which have higher precedence than =)