This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
So I've got this problem where I can't seem to insert texts into my database which contain the following character: ' (as in for example: It's). I've had this problem before and I just stripped the symbol, but now I really need a solution and nowhere on the entire web or stack overflow I can't seem to find a decent and clear answer.
This is how my data is displayed:
HTML
<textarea name="text_from_form">
This is the kind of stuff I need and It's awesome (user input example)
</textarea>
PHP
<?php
$my_text = $_POST["text_from_form"};
$my_text_new = htmlentities($my_text);
$sql = "INSERT INTO tableName (text)
VALUES ('$my_text_new')";
?>
THE ERROR
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's awesome ')' at line 2
Thank you in advance for the help!
The htmlentities() function doesn't escape single quotes ' in default flag (ENT_COMPACT), use htmlentities($text, ENT_QUOTES) or function mysql_real_escape_string() or mysqli_real_escape_string() depending on which library you use.
Related
This question already has answers here:
Whats the difference between {$var} and $var?
(5 answers)
Closed 5 years ago.
I am a newbie and try to learn PHP especially INSERT INTO statement. I'm know that if we insert value for String we must use '' syntax. But i don't understand meaning of {} syntax for "title" and"link". Any guys can explain for me. Thanks a lot.
On Sql side there is no difference between '$title' or '{$title}' . but in php {$title} is a more complete syntax of $title, that allows one to use :
"this is post {$title}s"
"{$object->data}"
"{$array['data']}"
"{$array['data']->obj->plop['test']}"
The curly braces "escape" the PHP variable and are not passed to MySQL. With a simple variable like $title it doesn't make a difference but with something like $post['title'] it does. for more information check this
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
As the title says. If a user tries u upload a file with ' in title it throws error(it won't connect to server). Should I replace that sign during upload or something else. It just simple connecting to database
$b = "select * from doc";
$rez1 = mysql_query($b) or die("<span>error</span>");
I'd recommend using escaping methods instead of manipulating the input.
This ist the safest way to prevent SQL Injections. (And never tell the user, the technical details why something doesn't work, except you want some of them to exploit these exceptions)
Also, don't ever use the old and deprecated mysql* functions; learn PDO or mysqli instead.
If you were using mysql, then switch to mysqli and use this: mysqli_real_escape_string()
Otherwise, you could use a regex that repaces ' with \' -
preg_quote()
$string = "Something with 'quotes' ";
$res = preg_quote($string, "'");
echo $res;
will return:
Something with \'quotes\'
Which will cause no problem during the insertion.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I want to do an INSERT into a MySQL database using:
$sql = "INSERT INTO table (title1) VALUES ('$myVar')";
but the problem is $myVar can contain the single quotes (' symbols, e.g. in "idiot's"). Can somebody tell me how to handle any single quotes in the variable as a letter and not as a piece of code?
(I know there are posts about this in the forum already, but I do not really understand their solutions, so sorry for double posting)
You might be temped to replace each single quote with two of them.
like so
$myvar = "idiot\'s";
But resist the urge and escape it instead:
<?php $var = "Hello !! idiot's";
mysql_real_escape_string($var);?>
Or even better, use PDO
Use mysqli_real_escape_string like this:
$myVar= mysqli_real_escape_string($link,$myVar);
and then your query.
It is advisable to use PDO too!
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I JSON decode a page with PHP, but sometimes there's a name like 'M'gladbach' or 'Côte d'Ivoire' and then the SQL sees the first single quote as a stop so it gives me the error after the 'Côte d' Can somebody help me with this problem ?
I know you can do 'Côte d''Ivoire' but as I get all the info from a API I can't put double quotes in it. Thanks a lot.
use double quotes
"M'gladbach"
The proper way to do it is
$item = "Côte d'Ivoire";
$escaped_item = mysqli_escape_string($item);
printf("Protected string : %s\n", $escaped_item);
Now it is safe to put e.g. in a database.
This question already has answers here:
php echoing angle brackets
(4 answers)
Closed 9 years ago.
Example data in my database:
blabla<blabla
I use phpmyadmin and can see that the data has been input successfully.
However when I try to display the data what I get is:
blabla NOT blabla<blabla
In other words, everything after the < symbol does not display.
<?
while ($mouselist_row = mysql_fetch_array($mouselist)) {
$mouselist_commonstrain = mysql_real_escape_string($mouselist_row['Common_Strain']);
echo "$mouselist_commonstrain.";
}
?>
I tried using mysql_real_escape_string.
Is there something in particular needed to display the <?
thanks
You want something like:
echo htmlspecialchars($mouselist_commonstrain);
(It needs to be HTML escaped.)
try this
$mouselist_commonstrain = stripslashes(htmlspecialchars($mouselist_row['Common_Strain']));
Your problem isn't escaping SQL but HTML. As answered in this question you can use htmlspecialchars function.