Free Web Developer Tools
Advanced Search

Thread: Double quotes inserts in MySql

    February 12th, 2013, 11:28 AM
    #1
  1. No Profile Picture
    eropsy
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date
    Jun 2008
    Posts
    51
    Rep Power
    10

    Double quotes inserts in MySql

    HI,

    Does anyone know how to get double quotes to insert into database?

    I use
    PHP Code:
    $writer_thought mysql_real_escape_string($writer_thought); 
    But it only works for the single quotes. All double quotes and everything in between are not inserted.

    Thanks for you help.

    Oh and the ini.php magic quotes are turned off already.
    2. February 12th, 2013, 11:33 AM
    #2
  2. No Profile Picture
    gw1500se
    Contributing User
    Devshed Specialist (4000 - 4499 posts)
    Join Date
    Jul 2003
    Posts
    4,418
    Rep Power
    631
    You need to escape them by putting \ in front. However, I question why you are using 'mysql_real_escape_string'. That implies you are trying to use the deprecated MySQL extensions rather than PDO. If so you need to change that, then you use prepared statements instead.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
    3. February 12th, 2013, 01:12 PM
    #3
  3. Nanomech's Avatar
    Nanomech
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Send a message via Skype™ to Nanomech
    Join Date
    Aug 2011
    Location
    The Pleiades
    Posts
    300
    Rep Power
    12
    Use prepared statements, you can leave the input exactly as it is and you won't get an error due to double quotes corrupting the query string, no need for escaping the quotations.

    Regards,

    NM.
    Last edited by Nanomech; February 12th, 2013 at 01:18 PM.
    @TSPV_Websites
    4. February 12th, 2013, 01:25 PM
    #4
  4. Jacques1's Avatar
    Jacques1
    --
    Devshed Expert (3500 - 3999 posts)
    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1017
    Hi,

    as much as I agree regarding the prepared statements, this has nothing to do with the OP's question.

    mysql_real_escape_string does escape quotes, that's exactly its purpose. So if there's a problem specifically with double quotes, there's clearly something wrong with either the input or the surrounding code. It might be a good idea to find that out.


    @eropsy:

    Please post your full query code, make a var_dump() of $writer_thought (before you call mysql_real_escape_string) and echo the query string.
    The 6 worst sins of securityHow to (properly) access a MySQL database with PHP

    Why can’t I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
    5. February 12th, 2013, 01:35 PM
    #5
  5. No Profile Picture
    eropsy
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date
    Jun 2008
    Posts
    51
    Rep Power
    10
    Well the single quotes insert no problem. The code

    $writer_thought = mysql_real_escape_string($writer_thought);

    $sql = "INSERT INTO $table (writer_thought,
    ....)

    VALUES ('$writer_thought,
    .....
    )";

    When I echo' <td> '. STRIPSLASHES(TRIM($writer_thought)).' </td> ';
    both the double quotes and single quotes show's alright.

    The problem is on the insert to MySQL


    Jaques maybe right about the surrounding codes. I'm in the process of sniffing out what it is.


    Thanks Everyone!
    6. February 12th, 2013, 02:19 PM
    #6
  6. No Profile Picture
    eropsy
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date
    Jun 2008
    Posts
    51
    Rep Power
    10

    Problem solved

    Well, all it was was that somehow I managed to accidentall delete the

    $writer_thought = stripslashes(TRIM($writer_thought));

    In the form....

    Everything is working now.
    7. February 12th, 2013, 08:14 PM
    #7
  7. Jacques1's Avatar
    Jacques1
    --
    Devshed Expert (3500 - 3999 posts)
    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1017
    That makes no sense. Why did you call stripslashes, anyway? You said you have turned magic quotes off.

    But I guess since it's "working" now, the problem is done for you. However, do not forget what gw1500se and Nanomech said about prepared statements. Just because you got the code "working" somehow doesn't mean it's actually secure.
    The 6 worst sins of securityHow to (properly) access a MySQL database with PHP

    Why can’t I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
    8. February 12th, 2013, 09:47 PM
    #8
  8. No Profile Picture
    eropsy
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date
    Jun 2008
    Posts
    51
    Rep Power
    10
    No idea why stripslashes are needed with Magic quotes turned off..
    I'm in a learning phase still. Wouldnt be able to tell you why.
    I'll have look into it. Prepared statements, security and all...
« Previous Thread | Next Thread »
IMN logo majestic logo threadwatch logo seochat tools logo