Hi everyone,

I am pulling data from MySQL and placing it into form fields for the user to update. If there are apostrophes in any of the fields, except the description field, I get a DB Error: Syntax error. I thought using a placeholder would eliminate this and it does for description, but not for anything else. If I put a "\" in front of the apostrophes everything works. Any ideas?

Thanks!

Here is my code:

	// Raw form values (add_date is used below but is not set in this excerpt)
	$isbn         = $_POST['isbn'];
	$artist_name  = htmlentities($_POST['artist_name']);
	$album_title  = $_POST['album_title'];
	$release_date = $_POST['release_date'];
	$description  = nl2br(htmlentities($_POST['description']));
	$price        = $_POST['price'];

	// Only artist_name and description are bound through "?" placeholders;
	// every other value is interpolated straight into the SQL string.
	$sql_update = "UPDATE lounge SET artist_name = ?, album_title='$album_title', release_date='$release_date', add_date='$add_date', description = ?, price='$price' WHERE isbn = $isbn";
	$db->query($sql_update, array($artist_name, $description));

    addslashes() and stripslashes()

    I honestly don't really understand what you mean, but try that

      Thanks, but that did not really do what I wanted it to do. Maybe I didn't explain my problem well enough.

      I am pulling data from MySQL and placing it into form fields for the user to update. If a user modifies information and includes apostrophes in any of the fields, a "DB Error: Syntax error" is displayed after the user clicks the submit button. I thought using a placeholder would eliminate this and it does for text entered into "description", but not for text entered anywhere else. However, if a user puts "\" in front of the apostrophes (e.g. let\'s) everything in the form works well.

      I hope I explained this better.

      Thanks!

        Yep, you need to use addslashes on all the form fields when a user is submitting a form that will insert/update data in the database.

        When retrieving that information, you need to use stripslashes before displaying it.

        It's because the query sees the apostrophe in the fieldname as the end of the string

        e.g.

        $name = "Clark's Post";

        " SELECT * FROM db WHERE name='$name' "

        When you send the query it parses the string so the database sees:

        " SELECT * FROM db WHERE name='Clark's Post' "

        Everything after the second apostrophe is invalid syntax hence the error.

        When the query

        If you use addslashes on the form when adding data, the user won't need to use a \ in a search form.
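An added example, not code from anyone in this thread: it first runs the kind of interpolated query the reply above describes (so the syntax error can be seen), then runs the original poster's UPDATE with a "?" placeholder for every value, which is what makes the apostrophe problem go away without addslashes. It assumes PDO with an in-memory SQLite table named lounge whose columns are taken from the first post; PEAR DB's $db->query($sql, $params) accepts the same "?" markers, so the same statement shape works there.

```php
<?php
// Added example (not from the thread). PDO + in-memory SQLite so it runs offline;
// the table and column names are assumed from the original poster's UPDATE.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE lounge (
    isbn TEXT PRIMARY KEY, artist_name TEXT, album_title TEXT,
    release_date TEXT, add_date TEXT, description TEXT, price REAL)');
$db->exec("INSERT INTO lounge VALUES ('123', 'old', 'old', '2000-01-01', '2000-01-01', 'old', 1.0)");

// Constructed form input containing the apostrophes that broke the original query.
$form = [
    'isbn'         => '123',
    'artist_name'  => "Clark's Band",
    'album_title'  => "Let's Go",
    'release_date' => '2004-05-06',
    'add_date'     => '2004-05-07',
    'description'  => "It's fine",
    'price'        => '9.99',
];

// 1. String interpolation: the apostrophe in the value closes the SQL literal early,
//    so the database is handed "...album_title='Let's Go'..." and rejects it.
$broken = "UPDATE lounge SET album_title='{$form['album_title']}' WHERE isbn = {$form['isbn']}";
try {
    $db->exec($broken);
} catch (PDOException $e) {
    echo "Interpolated query failed: ", $e->getMessage(), "\n";
}

// 2. Placeholders for every value: the SQL text is fixed before any data is attached,
//    and the values travel separately, so nothing in them can alter the statement.
$stmt = $db->prepare('UPDATE lounge SET artist_name = ?, album_title = ?, release_date = ?,
                      add_date = ?, description = ?, price = ? WHERE isbn = ?');
$stmt->execute([
    $form['artist_name'], $form['album_title'], $form['release_date'],
    $form['add_date'], $form['description'], $form['price'], $form['isbn'],
]);

// Read the row back the same way; apostrophes are stored as typed, with no backslashes
// to strip before redisplaying them in the form.
$check = $db->prepare('SELECT artist_name, album_title, description FROM lounge WHERE isbn = ?');
$check->execute([$form['isbn']]);
print_r($check->fetch(PDO::FETCH_ASSOC));
```

Binding every value this way also removes the need to call stripslashes on the way out, and it keeps the SQL structure independent of what the user typed. HTML escaping (htmlentities) is a separate concern that belongs at the point where the value is printed into the page, not to the SQL statement.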
