#1
Registered User
Problems inserting strings containing ' or ', ' and '


Hi,
when I try to insert a value like

PHP Code:
'test test or test test' 
into a MySQL table the page doesn't work. The problem is the ' or ' part of the string.
If I remove it all works. The problem is also present with phpMyAdmin when I try to execute this SQL:

PHP Code:
update tblTest set Value='test test or test test' where Key=
I think this is a PHP or MySQL configuration problem.

    Any idea?

    thanks,
    nicola.
#2
Lazy Moderator
    mysql_real_escape_string. Learn it. Use it. Love it.

    Platonically, of course.

    Comments on this post

    • IkoTikashi agrees : lol
    • Winters agrees : Escape my string.. for real, mysql.
#3
Contributing User
OR is a reserved word in MySQL, which is the reason your query is not working. mysql_real_escape_string() escapes special characters in a string for use in a SQL statement.
    Trimbak D. Bankar.
#4
Registered User
If I use mysql_real_escape_string(), do I have to use addslashes() too or not?

    Thanks a lot!
#5
Contributing User
    No need.

    Comments on this post

    • b3n agrees
    Trimbak D. Bankar.
#6
Registered User
Excuse me, and what about htmlspecialchars? Do I have to use both functions?

So the right way to save string data from a form into a MySQL DB is

PHP Code:
htmlspecialchars(mysql_real_escape_string($TEXT1)) 
?
#7
Contributing User
    Why use htmlspecialchars() when saving data to database?
    You can always use it when you are pulling data from database to be displayed.
    Trimbak D. Bankar.
#8
Registered User
I get some data from a WYSIWYG box.

    The string I get from form contains some HTML tags.

    Before saving data into DB I apply htmlspecialchars().

Is that a wrong operation?
#9
Contributing User
    No need to use htmlspecialchars() when storing data in database.

    Comments on this post

    • b3n agrees
    Trimbak D. Bankar.
#10
Contributing User
    Originally Posted by tbankar
    Why use htmlspecialchars() when saving data to database?
    You can always use it when you are pulling data from database to be displayed.
    It took a few emails on the WD list for me to understand how to really secure things. And this was one of the lessons learned. Under most circumstances you don't try to "pre-clean" your data/input. Escape data for insertion into a database (mysql_real_escape_string) and then for display (htmlspecialchars). No need to do anything until you need to. Once I figured that out it made things easier...

    Comments on this post

    • requinix agrees
#11
Lazy Moderator

and bumped

    Originally Posted by big0mike
    Under most circumstances you don't try to "pre-clean" your data/input. Escape data for insertion into a database (mysql_real_escape_string) and then for display (htmlspecialchars). No need to do anything until you need to.
    Quoted for emphasis.
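The two-boundary rule big0mike and requinix describe (store raw; escape for the database on the way in, for HTML on the way out), as an added example that is not from the thread. It uses an in-memory SQLite database through PDO so it runs offline; prepared statements stand in for mysql_real_escape_string(), which no longer exists in current PHP, and the column is called KeyName (a constructed name) instead of the thread's Key.

```php
<?php
// Added example, not code from the thread. Demonstrates "escape at each
// boundary, never pre-clean": the stored value stays byte-for-byte what the
// user typed, and each output channel applies its own escaping.
declare(strict_types=1);

// Boundary 1: the database. Parameters travel separately from the SQL text,
// so words like "or" and characters like ' or < need no pre-cleaning.
function saveValue(PDO $db, string $key, string $value): void
{
    $stmt = $db->prepare('UPDATE tblTest SET Value = :value WHERE KeyName = :key');
    $stmt->execute([':value' => $value, ':key' => $key]);
}

function loadValue(PDO $db, string $key): ?string
{
    $stmt = $db->prepare('SELECT Value FROM tblTest WHERE KeyName = :key');
    $stmt->execute([':key' => $key]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : (string) $row;
}

// Boundary 2: the HTML page. Encode only when rendering. Encoding before
// storing as well would turn "&" into "&amp;amp;" on the second pass.
function renderValue(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblTest (KeyName TEXT PRIMARY KEY, Value TEXT)');
$db->exec("INSERT INTO tblTest VALUES ('k1', '')");

// Constructed input: the thread's string plus a quote, a tag and an
// ampersand, the characters a concatenated query or raw page would mishandle.
$input = "test test or test test' <b>bold</b> & \"quoted\"";
saveValue($db, 'k1', $input);

$stored = loadValue($db, 'k1');
if ($stored !== $input) {
    throw new RuntimeException('round trip changed the data');
}

// Only here, at the HTML boundary, does the value get HTML-encoded.
echo renderValue($stored), PHP_EOL;
```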
