Putting a ' in mysql database field?

User adds text like "Good's" php writes "Good"

         

lasko

7:55 am on Aug 30, 2003 (gmt 0)




All my online databases contain large descriptions of hotels and directions etc.

My problem is that when we enter a word which contains a '
like "I have Good's" in a sentence php only adds the text before this "I have Good" and stops.

I need to include the ' and the text afterwards, so we and the general public can add normal text into our mysql database through a normal html form.

What am I doing wrong? My code is basic php where the sql command just writes to the database anything that was in the $text.

Can it be done?

Thanks

Dolemite

8:10 am on Aug 30, 2003 (gmt 0)




You need to escape characters like ' and ". Insert addslashes($text) [ca.php.net] to your db, rather than just $text and you should be set. You may or may not need to stripslashes [ca.php.net] on output.

Actually, first you should use PHPMyAdmin to browse or just SELECT and echo the relevant fields from the db to make sure what's actually getting there. Sometimes when you do something like this:

<input type="text" value="<? echo $row['column'];?>">

...and $row['column'] contains a quote, it looks like you only got the section of the string before the quote in the db, but really the quote is screwing it up. The pure HTML would look like this:

<input type="text" value="pre quote" post quote">

You can address that issue by using quote and single quote characters in a logical way when combining HTML and db output, or maybe htmlspecialchars [ca.php.net].

lasko

10:14 am on Aug 30, 2003 (gmt 0)




Thanks

Done it,

I now do this

$text = addslashes($text);

The output does not require the stripslashes.

My big book does not contain this feature and I found the Php manual a little vague. Sometimes I feel the Php manual is created for those who already know.

The problem with Php is that the more you learn, the more you realise how much else there is to learn :)

adamas

8:47 am on Sep 3, 2003 (gmt 0)




If you don't have total control over the settings of php on your server I'd recommend making addslashes conditional on the return value of get_magic_quotes_gpc(). (Nice conditioned response - wanted to put a semi-colon at the end of the sentence!)

Just a reminder that in any script, and especially one you are expecting the great unwashed to be using, DO NOT TRUST THE INPUT. addslashes() is a good start but you might want to use it on all input not just those fields you are expecting may contain ' (certainly if you're not performing any other sanity checks)

Be paranoid.

vincevincevince

9:01 am on Sep 3, 2003 (gmt 0)




addslashes() is reasonable
but for mysql - use mysql_escape_string
This function will escape the unescaped_string, so that it is safe to place it in a mysql_query().

this will make it even safer to use in mysql.

also see mysql_real_escape_string() if you are fussy about character sets.
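
Added example (not part of any post in this thread): a round trip showing the two separate quote problems discussed above, the SQL string literal on the way in and the HTML attribute on the way out. Assumptions: an in-memory SQLite database via PDO stands in for MySQL so the script runs offline, the table name `hotels` is hypothetical, and the insert uses a bound parameter, which is a different technique from the escaping functions named in the thread.

```php
<?php
// Added example. Assumptions: in-memory SQLite (PDO) stands in for MySQL so
// this runs offline; the table "hotels" and the sample text are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE hotels (id INTEGER PRIMARY KEY, description TEXT)');

// Constructed form input containing both quote characters.
$text = 'I have Good\'s "sea view" rooms';

// Before: the value is pasted into the SQL text, so the apostrophe ends the
// string literal early and the statement no longer parses.
try {
    $pdo->exec("INSERT INTO hotels (description) VALUES ('$text')");
} catch (PDOException $e) {
    echo 'Interpolated query rejected: ', $e->getMessage(), "\n";
}

// After: the value travels as a bound parameter and is never parsed as SQL,
// whatever characters it contains.
$insert = $pdo->prepare('INSERT INTO hotels (description) VALUES (:description)');
$insert->execute([':description' => $text]);

// Check what actually reached the database before blaming the insert.
$stored = $pdo->query('SELECT description FROM hotels WHERE id = 1')->fetchColumn();
if ($stored !== $text) {
    throw new RuntimeException('Stored value differs from the submitted text');
}

// Output side: written raw into value="...", the double quote closes the
// attribute early, so the form looks as if the database lost the rest.
$raw = '<input type="text" value="' . $stored . '">';

// Encoding for the HTML context keeps the whole string inside the attribute.
$encoded = '<input type="text" value="'
    . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '">';

echo $raw, "\n", $encoded, "\n";
```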