Hi,
Very stupid question, but I’m having problems with the following.
I am storing the variable $descr which stores the data… ‘Just a Test Description. This isn’t on the live site just yet. Just for testing.’ which I wish to insert into my MySQL db.
My MySQL query is:
$query = "UPDATE rbox SET descr='$descr' WHERE id = $id";
I use mysql_real_escape_string on all my data going to the db, but I keep getting MySQL errors with that single quote on the word isn’t.
When it shows the code back to me (in phpMyAdmin) it still remains isn’t instead of isn\'t. How do I remove the ’ single quote on entry?
How do I best get rid of single quotes going into the database?
Thank you.
You’ll need to post some code. What you’ve posted isn’t even a valid string literal:
'Just a Test Description. This isn't on the live site just yet. Just for testing.'
And why would you want to get rid of single quotes? What you really want to do is escape them so that they don’t have a special meaning.
Thanks for the reply!
Here’s some code I’m using…
$descr = 'Just a Test Description. This isn't on the live site just yet. Just for testing.';
$descr = escape_data($descr); // escape_data function uses mysql_real_escape_string
$query = "UPDATE rbox SET descr='$descr' WHERE id = $id";
mysql_query($query);
OK, cool, how do I escape them?
Is this the actual code? Because, as I said before, this is invalid syntax so PHP will throw a fatal error:
$descr = 'Just a Test Description. This isn't on the live site just yet. Just for testing.';
Apart from that it’s hard to say. Can you post escape_data() function’s source?
The exact code is…
User enters a description here, like: Just a Test Description. This isn’t on the live site just yet. Just for testing.
<p>
<b>Description :</b><br /><textarea name="descr" id="descr" cols="35" rows="15"></textarea>
</p>
PHP then checks if it’s empty, escapes the data and stores it in the $descr variable.
// Check for a description.
if (!empty($_POST['descr'])) {
$descr = mysql_real_escape_string($_POST['descr']);
} else {
$descr = FALSE;
echo '<p><font color="red">Please enter a Description.</font></p>';
exit();
}
Function that escapes data using mysql_real_escape_string. This appears higher up in the script, in an include file.
// Create a function for escaping the data.
function escape_data ($data) {
// Use Magic Quotes.
if(ini_get('magic_quotes_gpc')) {
$data = stripslashes($data);
}
// Check for mysql_real_escape_string() support.
if (function_exists('mysql_real_escape_string')) {
global $dbc; // Need the connection.
$data = mysql_real_escape_string (trim($data), $dbc);
} else {
$data = mysql_escape_string (trim($data));
}
// Return the escaped value.
return $data;
} // End of Function
You’re escaping the variable when checking if it’s been posted:
if (!empty($_POST['descr'])) {
$descr = mysql_real_escape_string($_POST['descr']);
So the later call to escape_data():
$descr = escape_data($descr); // escape_data function uses mysql_real_escape_string
is unnecessary and it may cause problems.
OK, can you explain how I should fix this?
Thanks for your help so far.
Try removing the call to escape_data() for starters since the var has been already escaped at that point.
Hi Paul,
I removed the escape_data so it now reads just:
$descr = $_POST['descr'];
but I still get the SQL error on isn’t. Any ideas how I should proceed?
I’ve never encountered this error before using that function.
Read again what I wrote above. You’ve removed the wrong bit of code.
Sorry, bit confused.
What should I remove?
Should it just be:
// Check for a description.
if (!empty($_POST['descr'])) {
$descr = $_POST['descr'];
} else {
$descr = FALSE;
echo '<p><font color="red">Please enter a Description.</font></p>';
exit();
}
$s = 'Must escape \'single-quotes\' in a string delimited by single-quotes.';
@logic_earth: It’s not the issue here. The data comes from a form, the string literal was just an example, I’ve already pointed out that it was invalid.
@invision2: Can you post the code in one piece rather than bits of it?
Hi Paul,
It’s a big script so I wanted to keep the size down.
include('../includes/functions.php');
// Check for a description.
if (!empty($_POST['descr'])) {
$descr = $_POST['descr'];
} else {
$descr = FALSE;
echo '<p><font color="red">Please enter a Description.</font></p>';
exit();
}
if ($descr) {
$query = "UPDATE brbox SET descr='$descr' WHERE id = $id";
echo $query; // these are just for displaying the query
exit(); // these will be removed in the final version
mysql_query($query);
}
Part of my HTML form…
echo '<form name="form1" method="POST" action="edit_rbox2.php?id=' . $_GET['id'] . '" class="book">
<b>Description :</b><br />
<textarea name="descr" id="descr" cols="35" rows="15"></textarea>';
<input name="submit" type="submit" class="submit" value="Update">
<input type="hidden" value="form1">
<input type="hidden" name="submitted" value="TRUE" />
The form is submitted OK, but just having issues ‘escaping’ the data.
Now you don’t seem to be escaping anything at all. The suggestion was to remove the call to escape_data(), not both escaping functions.
As Stormrider says: you’ve removed both escaping functions. Keep mysql_real_escape_string() call and only remove escape_data().
Stormrider, can you post the code I should try. I’m getting confused between what I should remove etc.
Head’s just not there today.
Thank you.
OK, now with my code as:
// Check for a description.
if (!empty($_POST['descr'])) {
$descr = mysql_real_escape_string($_POST['descr']);
} else {
$descr = FALSE;
echo '<p><font color="red">Please enter a Description.</font></p>';
exit();
}
I still don’t see any data getting escaped, it still displays isn’t.
Should I remove my ‘escape_data’ function completely from the web page, even if I’m not using it?
You need to connect to the db before using mysql_real_escape_string() – I think that was your problem:
include('../includes/functions.php');
// Check for a description.
if (!empty($_POST['descr'])) {
mysql_connect('host', 'user', 'pass');
$descr = mysql_real_escape_string($_POST['descr']);
} else {
$descr = FALSE;
echo '<p><font color="red">Please enter a Description.</font></p>';
exit();
}
if ($descr) {
$query = "UPDATE brbox SET descr='$descr' WHERE id = $id";
echo $query; // these are just for displaying the query
exit(); // these will be removed in the final version
mysql_query($query);
}
Nope, don’t think that’s it either. As I’m definitely connected to the database at that point.
My db connection function is IN the functions.php script and displays db material before the form is submitted.
I’m afraid I’m all out of ideas on this one.
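The thread raises two separate problems: escaping the same value twice (the escape_data() call on top of mysql_real_escape_string()) corrupts it, and mysql_real_escape_string() called without an open connection returns FALSE, so an interpolated $descr silently becomes an empty string. The following is an added example, not code from this thread; it shows what double escaping does to the apostrophe in "isn't" and then stores the same text with a prepared statement, which needs no manual escaping at all. It assumes an in-memory SQLite database via PDO so it runs offline (with MySQL only the DSN and credentials change), and it uses addslashes() as a stand-in for mysql_real_escape_string(), which cannot be called without a MySQL connection. The table and column names (rbox, descr, id) are taken from the thread.

```php
<?php
// Added example (not the thread's code): double escaping versus a prepared statement.
declare(strict_types=1);

// Constructed sample input matching the description used in the thread.
$input = "Just a Test Description. This isn't on the live site just yet.";

// (1) Double escaping. addslashes() is used here only as a stand-in for
// mysql_real_escape_string(): it escapes the same quote and backslash
// characters but is not connection- or charset-aware, so it is for
// illustration only, not a replacement in real code.
function escapeOnce(string $s): string  { return addslashes($s); }
function escapeTwice(string $s): string { return addslashes(addslashes($s)); }

echo "escaped once : " . escapeOnce($input) . "\n";   // ... This isn\'t ...
echo "escaped twice: " . escapeTwice($input) . "\n";  // ... This isn\\\'t ...
// Interpolating the once-escaped value into a quoted SQL literal stores the
// original text; interpolating the twice-escaped value stores a literal
// backslash before the apostrophe, which is the corruption two escape calls cause.

// (2) Prepared statement: the value travels separately from the SQL text, so
// an apostrophe in the data can never terminate the string literal.
$pdo = new PDO('sqlite::memory:');   // assumption: SQLite for an offline demo
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE rbox (id INTEGER PRIMARY KEY, descr TEXT)');
$pdo->exec("INSERT INTO rbox (id, descr) VALUES (1, 'old description')");

function updateDescription(PDO $pdo, int $id, string $descr): void
{
    // Both the text and the id are bound; the id from the URL must never be
    // interpolated into the query either.
    $stmt = $pdo->prepare('UPDATE rbox SET descr = :descr WHERE id = :id');
    $stmt->bindValue(':descr', $descr, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
}

function readDescription(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT descr FROM rbox WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return (string) $stmt->fetchColumn();
}

updateDescription($pdo, 1, $input);
$stored = readDescription($pdo, 1);
echo "stored       : $stored\n";
// $stored === $input: the apostrophe is stored as-is, with no backslash,
// and no escaping step was needed anywhere.
var_dump($stored === $input);  // bool(true)
```

With mysqli the same pattern is `$stmt = $mysqli->prepare('UPDATE rbox SET descr = ? WHERE id = ?'); $stmt->bind_param('si', $descr, $id); $stmt->execute();`. Whichever API is used, the value passed to the statement is the raw form input, never a pre-escaped copy; escaping and binding are alternatives, not layers to stack.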