Msg#: 4020847 posted 3:14 am on Nov 7, 2009 (gmt 0)
I have a fair knowledge of PHP and MYSQL, but having lots of escape issues when used with forms. Take a simple name and address database with the name John O'Conner. $fullname = "John O'Conner"; $result = mysql_query("update namedb SET name = '".mysql_real_escape_string($fullname)."' WHERE key = 33 LIMIT 1;");
Now I'll display that in a FORM text field:
$result = mysql_query("select name from namedb WHERE key = 33"); $row = mysql_fetch_assoc($result); <form ...> Updated Name: <input type="text" name="fullname" value="<? echo $row['name']; ?>"> </form>
I get this:
Updated Name: John O
Everything after the "O" is gone. If I look at the source, the full name is there. So I change my code by changing the the double quotes to singles right before the PHP code:
I get the name returned properly. However, if I change John O'Conner to John O"Conner, I have the same exact problem. I could filter out the quotes, but I have other fields that can have either a single or double quote. What is the solution here? Or what am I doing wrong?