#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2008
    Posts
    51
    Rep Power
    7

    Double quotes inserts in MySql


    Hi,

    Does anyone know how to get double quotes to insert into database?

    I use
    PHP Code:
    $writer_thought = mysql_real_escape_string($writer_thought);
    But it only works for the single quotes. All double quotes and everything in between are not inserted.

    Thanks for your help.

    Oh and the ini.php magic quotes are turned off already.
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2003
    Posts
    3,622
    Rep Power
    595
    You need to escape them by putting \ in front. However, I question why you are using 'mysql_real_escape_string'. That implies you are trying to use the deprecated MySQL extensions rather than PDO. If so you need to change that, then you use prepared statements instead.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  4. #3
  5. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Location
    The Pleiades
    Posts
    300
    Rep Power
    9
    Use prepared statements, you can leave the input exactly as it is and you won't get an error due to double quotes corrupting the query string, no need for escaping the quotations.

    Regards,

    NM.
    Last edited by Nanomech; February 12th, 2013 at 02:18 PM.
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    as much as I agree regarding the prepared statements, this has nothing to do with the OP's question.

    mysql_real_escape_string does escape quotes, that's exactly its purpose. So if there's a problem specifically with double quotes, there's clearly something wrong with either the input or the surrounding code. It might be a good idea to find that out.


    @eropsy:

    Please post your full query code, make a var_dump() of $writer_thought (before you call mysql_real_escape_string) and echo the query string.
    The 6 worst sins of security | How to (properly) access a MySQL database with PHP

    Why can’t I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2008
    Posts
    51
    Rep Power
    7
    Well the single quotes insert no problem. The code

    $writer_thought = mysql_real_escape_string($writer_thought);

    $sql = "INSERT INTO $table (writer_thought,
    ....)

    VALUES ('$writer_thought',
    .....
    )";


    When I echo ' <td> '. STRIPSLASHES(TRIM($writer_thought)).' </td> ';
    both the double quotes and single quotes show alright.

    The problem is on the insert to MySQL


    Jaques may be right about the surrounding code. I'm in the process of sniffing out what it is.


    Thanks Everyone!
  10. #6
  11. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2008
    Posts
    51
    Rep Power
    7

    Problem solved


    Well, all it was was that somehow I managed to accidentally delete the

    $writer_thought = stripslashes(TRIM($writer_thought));


    In the form....

    Everything is working now.
  12. #7
  13. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    That makes no sense. Why did you call stripslashes, anyway? You said you have turned magic quotes off.

    But I guess since it's "working" now, the problem is done for you. However, do not forget what gw1500se and Nanomech said about prepared statements. Just because you got the code "working" somehow doesn't mean it's actually secure.
  14. #8
  15. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2008
    Posts
    51
    Rep Power
    7
    No idea why stripslashes are needed with Magic quotes turned off..
    I'm in a learning phase still. Wouldn't be able to tell you why.
    I'll have a look into it. Prepared statements, security and all...
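
The prepared-statement approach recommended in this thread, as an added example that is not code from any poster: the text is bound as a parameter, so double quotes, single quotes and backslashes are stored unchanged without `mysql_real_escape_string` or `stripslashes`. It assumes PDO with the `pdo_sqlite` driver and an in-memory database so it runs offline; the `thoughts` table and the function names are hypothetical, and the same `prepare`/`execute` calls apply with a MySQL DSN.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. The in-memory SQLite DSN, the
// "thoughts" table and the function names are assumptions for illustration.

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw exceptions on SQL errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE thoughts (id INTEGER PRIMARY KEY, writer_thought TEXT NOT NULL)');
    return $pdo;
}

function save_thought(PDO $pdo, string $text): int
{
    // The value travels as a bound parameter, never as part of the SQL text,
    // so quotes and backslashes need no escaping and cannot end the literal.
    $stmt = $pdo->prepare('INSERT INTO thoughts (writer_thought) VALUES (:thought)');
    $stmt->execute([':thought' => $text]);
    return (int) $pdo->lastInsertId();
}

function load_thought(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT writer_thought FROM thoughts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return (string) $stmt->fetchColumn();
}

// Constructed sample input: double quotes, a single quote and a backslash.
$input = 'She said "it\'s done" and saved it to C:\\temp';

$pdo    = open_db();
$id     = save_thought($pdo, $input);
$stored = load_thought($pdo, $id);

// Compare what came back from the database with what went in.
var_dump($stored === $input);
// With magic quotes off, stripslashes() on raw input removes real backslashes,
// so this comparison shows whether the data was altered before storage.
var_dump(stripslashes($input) === $input);
// HTML-escape at output time, not before storage.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```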
