Hi there:

I have been trying to escape a single quote. I have read up so much on this and have gone to many websites. I was getting a syntax error when posting in "address1" and now I don't, but nothing is sent to the database. Here is the output: (and yes, it is connecting to MySQL before script) Do I need to have escape_data at $_POST .... ? Please if someone knows what the heck I'm doing wrong, I would love to know. Thanks in advance

$sql = "INSERT INTO $table_name
(id, name, address1) VALUES
('', '$_POST[name]', '$_POST[address1]')";
$result = @($sql,$connection) or die(mysql_error());
?>
<html>
<head>
<title>Address Added</title>
</head>
<body>
<h1>added</h1>
<h2>added</h2>
<p>added successfully</p>

<h2><em><? echo "$_POST[name]"; ?>
<? echo "'" .escape_data($_POST[$address1]). "'"; ?></em></h2>

Here's input fields that coincide with the above variables name and address1:

<p><strong>First Name:</strong><br>
<input type="text" name="name" size=35 maxlength=50>

<p><strong>Address:</strong><br>
<input type="text" name="address1'. '" size=35 maxlength=75></p>

    The best way is to not use the deprecated mysql() functions, and instead use prepared statements and bound parameters with either the mysqli() functions or the PDO classes/functions. If, however, you are going to stay with mysql*() stuff, then use the mysql_real_escape_string() function to sanitize text inputs.

    $sql = "INSERT INTO $table_name
    (id, name, address1) VALUES
    ('', '".mysql_real_escape_string($_POST[name])."', '".mysql_real_escape_string($_POST[address1])."')";
    

    There are possibly cleaner/easier-to-read formats (maybe using sprintf()), but that's the basic idea.

      When posting code, please use the code formatting tags described in the FAQs to format your code and make it easier to read.

      Your clearest problem is that you're using the obsolete [thread=10387467]MySQL[/thread] extension (which was removed in PHP 7), instead of one of the others ([man]MySQLi[/man] or [man]PDO[/man]): Both of those have facilities to automatically escape strings for insertion into queries.

      The other problem may be here:

       <input type="text" name="address1'. '" size=35 maxlength=75></p> 

      [font=monospace]address1'. '[/font] seems like an odd name for a form field, what with the apostrophe and full stop on the end there.
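An added example, not code from this thread, showing the point both replies above make: the original post's INSERT written by string-building (which fails on an apostrophe exactly the way the poster describes) beside the PDO prepared-statement and PDO::quote() versions. It uses an in-memory SQLite database so it runs stand-alone; the PDO calls are the same against a MySQL DSN, and the sample input is constructed.

```php
<?php
// Added example (not from the thread). Assumption: SQLite in-memory via PDO so it
// runs offline; swap the DSN for "mysql:host=...;dbname=..." and nothing else changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE addresses (id INTEGER PRIMARY KEY, name TEXT, address1 TEXT)");

// Constructed input standing in for $_POST: both values contain a single quote.
$input = ['name' => "O'Brien", 'address1' => "12 Rue d'Alsace"];

// 1. String-building, as in the original post. The apostrophe in the data closes
//    the SQL string literal early: that is the syntax error the poster saw, and
//    it is the same hole SQL injection goes through.
$unsafe = "INSERT INTO addresses (name, address1) VALUES ('{$input['name']}', '{$input['address1']}')";
try {
    $db->exec($unsafe);
    echo "unsafe insert succeeded (unexpected)\n";
} catch (PDOException $e) {
    echo "unsafe insert failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement with named placeholders. The values travel separately
//    from the SQL text, so quotes inside them are just characters in the data.
$stmt = $db->prepare("INSERT INTO addresses (name, address1) VALUES (:name, :address1)");
$stmt->execute([':name' => $input['name'], ':address1' => $input['address1']]);

// 3. If the query string really must be assembled by hand, PDO::quote() is the
//    PDO counterpart of mysql_real_escape_string() and uses the connection's
//    charset. Still second choice to placeholders.
$quoted = "INSERT INTO addresses (name, address1) VALUES ("
        . $db->quote($input['name']) . ", " . $db->quote($input['address1']) . ")";
$db->exec($quoted);

// Read back: both safe paths stored the apostrophes intact.
foreach ($db->query("SELECT id, name, address1 FROM addresses") as $row) {
    printf("%d %s | %s\n", $row['id'], $row['name'], $row['address1']);
}
```

With mysqli the equivalent of step 2 is mysqli_prepare() followed by mysqli_stmt_bind_param() with an "ss" type string for the two text values.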

        5 days later

        I've been travelling so just got to what you helped me with and it worked, but now when I try to implement it to my modify a contact script, I can't seem to get it to cooperate. Also, I'm not sure how to post code on this site in the editor, so my apologies in advance, but here's what is not cooperating:

        $sql = "UPDATE $table_name SET
        order_name = '".mysql_real_escape_string($_POST[order_name]."',
        date_taken = '".mysql_real_escape_string($_POST[date_taken]."',

          Well, you don't say what's happening, but I do see you're missing a couple of [font=monospace])[/font] characters there.

            Use [noparse] to start a code section, and to end it.[/noparse]

            If you're having syntax issues, echo your query to the screen/standard output and paste it here inside those tags. This provides syntax highlighting to viewers (like you, and us, too) that might help us to analyze your difficulty. Quotes in strings do give programmers fits fairly often.

            This looks bogus:

            <? echo "$_POST[name]"; ?>

            The opening tag is a short tag; I'll assume that's ON in your configuration (a modern PHP installation has this option OFF by default). You can't put quotes around a complex variable like $_POST[name'] --- and I'm fairly certain you want $_POST['name'] anyway. The simplest way:

            <?php
            
            echo $_POST['name'];

            If you have a legitimate need to put the variable inside double quotes, you can use curly braces to help the parser:

            <?php
            
            echo "Welcome to our website, {$_POST['name']}!!";

            But most people would probably write this instead:

            <?php
            
            echo "Welcome to our website, ". $_POST['name'] . "!!";

              Heh...new forum software apparently does not know about noparse tags. 🙂 It does, however, know about markdown now.

              <?php
              echo "Hello, World!";

              🙂

                I just posted elsewhere -> we can either use BBCODE or Markdown.

                  Unless it's an older custom BBCODE, or one exclusive to vB?

                  [PHP]

                  [php]<?php echo $foo; ?>[/php]

                  [THREAD]

                  [thread=10396261] this thread[/thread]

                  [NOPARSE]
                  [noparse] [exampleBBCodeTagforEducationalPurposes] [/noparse]

                  [MAN]
                  [man]ini_set[/man]

                  A few off the top of the head. Not sure any of them are terribly important, but since we can't edit ancient posts ...

                    Please, I am new here and new to PHP. I am trying to print records from my database by using the search button. Here is my code, but I am getting
                    Parse error: syntax error, unexpected T_IF in C:\wamp\www\Transcript\admin\search.php on line 2
                    <?php
                    2 if(isset($_POST['submit'])){
                    {
                    5 $name=$_POST['matno'];
                    6 //connect to the database
                    7 $db=mysql_connect ("localhost", "<root>", "<>") or die ('I cannot connect to the database because: ' . mysql_error());
                    8 $mydb=mysql_select_db("learndb");
                    $sql="SELECT matno, firstname, lastname,sex,address,DOB,level,dept,school,phone FROM student WHERE matno LIKE '%" . $name . "%' OR lastname LIKE '%" . $name ."%'";
                    $result=mysql_query($sql);
                    while($row=mysql_fetch_array($result)){
                    16 $firstname =$row['firstname'];
                    17 $lastname=$row['lastname'];
                    18 $MatNo=$row['matno'];
                    $sex=$row['sex'];
                    $address=$row['address'];
                    $DOB=$row['DOB'];
                    $level=$row['level'];
                    $dept=$row['department'];
                    $school=$row['school'];
                    $phone=$row['phone'];
                    19 //-display the result of the array
                    20 echo "<ul>\n";
                    21 echo "<li>" . "<a href=\"search.php?id=$ID\">" .$matno . " "."".$firstname."" . $lastname ."".$sex."".$address."".$DOB."".$level."".$dept."".$school."".$phonr. "</a></li>\n";
                    22 echo "</ul>";
                    }
                    5 else{
                    6 echo "<p>Please enter a search query</p>";
                    7 }
                    }
                    }
                    8 ?>

                    freduck wrote:

                    <?php
                    2 if(isset($_POST['submit'])){
                    {
                    5 $name=$_POST['matno'];

                    Firstly, you should really start your own thread, rather than hijacking someone else's thread to ask an unrelated question.

                    Secondly, are those line numbers (?) actually in your source code? (If so, get rid of them.)

                    Thirdly, your code examples will be much easier for us to read if you use applicable BBCode or Markdown tags. (E.g., before and after your code block, type 3 back-tick (```) characters.)