[RESOLVED] SQL errors when entering apostrophe in form - how can I workaround?

lvictor

Using a form to add data to a mysql database, however, whenever someone uses an apostrophe in a text field, I get "check the manual for the right syntax to use near 's ". Looks like it's tripping up the PHP in the form. Any ideas/workarounds for this issue? Thanks!

laserlight

If you are using the MySQL extension, use [man]mysql_real_escape_string/man on string values to ensure that the incoming data is properly escaped.

If you are using the MySQLi or PDO extensions, use prepared statements.

I suggest using the PDO extension if you can.

rulian

I use htmlentities($mystring, ENT_QUOTES)
converts all non alphanumerical characters to HTML code so "'!z<ba will be entered

laserlight

I would not recommend rulian's solution. The use of the database extension specific string escaping function is better, and the use of prepared statements is even better.

The correct use of htmlentities() would be to prevent malicious code injection for text that is displayed to the user. In this case, you really want to prevent SQL injection.

bradgrafelman

laserlight's right, because quotes aren't the only thing that can cause issues in SQL queries.

lvictor

Thanks, I'm going to give mysql_real_escape_string() a shot.

....and it worked beautifully! Never used this command before, so I was unsure as to the syntax, but a little poking around elsewhere on phpbuilder cleared that up. :o