Inserting special character like apostrophes with PHP/Mysql

Report · Sep 20, 2011

Hi friends,

I have a problem with php/mysql. I have created a form inton a php page with dreamweaver and when i try to fill the form with a string containing apostrophe ( ' ), i have a error. It seems that the insertion is not possible. Could you have any idea for that. I give you the php dreamweaver code and thank you for your help.

<?php require_once('Connections/Mainconnect.php'); ?>

<?php require_once('Zend/Date.php'); ?>

<?php

if (!function_exists("GetSQLValueString")) {

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")

{

if (PHP_VERSION < 6) {

$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

}

$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

switch ($theType) {

case "text":

$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

break;

case "long":

case "int":

$theValue = ($theValue != "") ? intval($theValue) : "NULL";

break;

case "double":

$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";

break;

case "date":

if ($theValue=="")

{

$theValue="NULL";

}

else

{

$zendDate=new Zend_Date($theValue,"dd/MM/yyyy");

$theValue="'".$zendDate->toString("yyyy-MM-dd")."'";

}

break;

case "defined":

$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;

break;

}

return $theValue;

}

$editFormAction = $_SERVER['PHP_SELF'];

if (isset($_SERVER['QUERY_STRING'])) {

$editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);

}

if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {

$updateSQL = sprintf("UPDATE pers_soc_reg SET field1=%s, field2=%s,

GetSQLValueString($_POST['field1'], "text"),

GetSQLValueString($_POST['field2'], "double"));

Report · Sep 20, 2011

What is the error you are receiving?

Report · Sep 20, 2011

The error is in French. It means that there is a mistake near the cote. For example, in field 1 of the form when i put "L'amine" , It tells me there is an error near "amine".

Report · Sep 20, 2011

Apostrophes and quotations must be "escaped" before submission to the database. You can use mysql_real_escape_string() for this.

Or you can use entities (')

Or you can use PDO with bound variables

Report · Sep 20, 2011

My problem is HOW to put that in the code above ??? I have tried many solution but no result.

Report · Sep 20, 2011

Do you have any idea ?

Report · Sep 20, 2011

Your variables are coming from a $_POST array, correct? The code you provided doesn't reveal the whole picture (and I never use DW to write code, so I am not very familiar with the particulars of how DW builds the logic)

You can perform the following on the POST array:

foreach ($_POST as $key => $value) {

if (!is_array($value)){

$_POST[$key] = mysql_real_escape_string($value);

}}

Report · Sep 20, 2011

Rob, it's already in his code:

$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

DW puts that in that's why I asked about the error. Based on your code we should only be looking at $_POST['field1'] that the only other field (field2) is an integer. The fact that this function isn't working is troubling and makes me think about the server configuration.

Report · Sep 20, 2011

SnakEyez, I saw that line but it seemed weird to me. That's why I avoid code written by DW.

Report · Sep 20, 2011

Normally, you cannot use "mysql_real_escape_string" without connection to database ("mysql_pconnect"). but here it's not the case. My first line is:

<?php require_once('Connections/Mainconnect.php'); ?>

Report · Sep 20, 2011

friends, we will follow the discussions tomorow. If you have any idea, you can post it, and i will try it tomorow.

Thanks for your help.

Report · Sep 20, 2011

"Normally, you canot use mysql_real_escape_string without connection to database"

That is not true at all. Try running the following script.

<?php

if ($_POST['submit']){
$x1=$_POST['test1'];

foreach ($_POST as $key => $value) {
if (!is_array($value)){
$_POST[$key] = mysql_real_escape_string($value);
}}
extract($_POST);
echo "The text after 'becomes' should be escaped (\')<br/>";
echo "$x1 becomes $test1<br/>";
}
?>
<hr/>
<form action="#" method="post" />
Enter some text, including an apostrophe: <input name="test1" type="text"><br/>
<p><input name="submit" value="submit" type="submit"/>

</form>

Report · Sep 20, 2011

Hello Rob,

That's the message that i have after entering the word " l'amine "

The text after 'becomes' should be escaped (\')

l'amine becomes

Report · Sep 21, 2011

Hello Friends,

I have solved the problem .

The problem was an free extension to dreamweaver called "Check new elements" from Felixone. After removing it, all forms work without problem.

Thank you all.

Report · Sep 20, 2011

Thanks for your reply Rob, but it doesn't work. I think that the problem is coming from this part :

switch ($theType) {

case "text":

$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

break;

Because "field1" is submitted as text in the script.

Report · Sep 20, 2011

I have verified for the server parameters and the mysql connection is working well !!!

Inserting special character like apostrophes with PHP/Mysql

1 Correct answer