Form to DB - Back to basics

**barney0o0** · Feb 28, 2012 14:25

I don't know what im doing wrong here..
Very simple form is adding slashes to special characters in the db i.e. that\'s entertainment

PHP Code:


<?

if(isset($_POST['upload']))

{

        include 'dbconnection.php';

$ttitle = mysql_real_escape_string($_POST['ttitle']); 

$ttitle2 = mysql_real_escape_string($_POST['ttitle2']); 









    $query = "INSERT INTO test ( ttitle, ttitle2) ". 

             "VALUES ('$ttitle', '$ttitle2' )";

             

            





    mysql_query($query) or die('Error, query failed : ' . mysql_error());                    





    

    echo "<br>File uploaded<br>";

}        

?>

PHP.ini file: (ver 5.2.17)
magic_quotes_gpc Off Off
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off

..any ideas

**chris.upjohn** · Feb 28, 2012 14:35

The mysql_real_escape_string function is the reason why, when inserting data into a database you should always escape anything that can disrupt the MySQL query including single quotes which would break you query because your wrapping the row value in single quotes.

Sent from my iPhone using Tapatalk

**barney0o0** · Feb 28, 2012 15:37

sorry, im a bit tired and things just go straight over my head...

what should have i done?
Thanks in advance

**chris.upjohn** · Feb 28, 2012 15:59

Sorry it's hard to explain things when I'm on my iPhone, basically if you look at the following example you will see the issue straight away when using single quotes to wrap your data.

Code:

$query = "INSERT INTO test (name, bio) VALUES ('Chris', 'I'm Chris and I'm a 20 year old web developer from Melbourne Australia')";

As you can see I've highlighted the problems in red which are un-escaped quotes which would cause a MySQL error, however when using the mysql_real_escape_string() function this is avoided because it knows to automatically escape anything that we don't. When retrieving data from your database you can simply use the stripslashes() function would removes the backslash from the single quotes etc...

**barney0o0** · Feb 29, 2012 03:06

Cheers, but im still a little confused

Ive had a look at some of my old database tables and, although ive used mysql_real_escape_string, there aren't any \' in the tables.... similary, ive looked around, and isnt it true that its just escapes the string thats being inserted...and shouldnt actually be entered into the database?

Sorry, i didnt want this to be along thread...i just want to clarify before i run stripslashes() on data pulled from the database

B

User Tag List

Thread: Form to DB - Back to basics

Thread Tools

Display

Form to DB - Back to basics

Bookmarks

Bookmarks

Posting Permissions