Problem with quotes

Koora · May 28, 2010, 10:38pm

Hey
I’m trying to build a SQL query, but Aptana gives me in this line syntax error.
I know the problem is with the quotes, but I can’t fix it.


$query1 = "INSERT INTO clients (firstname, lastname, address) VALUES ('$_POST['firstname']', '$_POST['lastname']', '$_POST['address']')";

Koora · May 29, 2010, 9:55am

Yes,
thank you.

system · May 29, 2010, 4:49am

use extract($_POST) and use instead $address of $_POST[‘address’]

jsbarra · May 28, 2010, 10:45pm

$query1 = "INSERT INTO clients (firstname, lastname, address) VALUES ('".$_POST['firstname']."', '".$_POST['lastname']."', '".$_POST['address']."')";

I should mention you should sanitize your data before plugging it direclty into your table. Something like this:

function escape_data ($data) { 
	
	if (ini_get('magic_quotes_gpc')) {
		$data = stripslashes($data);
	}
	
	return mysql_real_escape_string (trim($data));
} 


$query1 = "INSERT INTO clients (firstname, lastname, address) VALUES ('".escape_data($_POST['firstname'])."'.....";

Raju_Gautam · May 29, 2010, 10:43am

For future string manipulations in PHP, see http://php.net/manual/en/language.types.string.php this page once in the manual where you can see lots of examples to understand.

rpkamp · May 29, 2010, 10:36am

No, use jsbarra’s escape_data function and then


$address = escape_data($_POST['address']);
$firstname = escape_data($_POST['firstname']);
// etc

extract() is among the function I consider evil (when used for the wrong reasons, like extracting $_POST, which is kind of like using register_globals, and that is also evil).

Topic		Replies	Views
Problem with mysqli_real_escape_string PHP	4	1268	March 12, 2016
Alphabetize when some data contains single quote? Databases	5	598	March 15, 2010
How to safely accept quotation mark and output safely PHP	10	3988	December 30, 2015
Double quotes getting removed in query PHP	16	10401	December 18, 2014
PHP/mysql insert problem PHP	1	363	July 8, 2010

Problem with quotes

Related topics