
If I try to save some text on my db I'm getting an error.

Let's say this:

$name = "Bob's Pizzaria";
$description = "<b>tes, just test</b>"; // also color, size formats

When I save to the database I use this:

$A_Name = mysql_real_escape_string($_REQUEST["name"]);
$A_Desc = mysql_real_escape_string($_REQUEST["description"]);

Then I insert into the database.

I get an error on $A_Name because there is an apostrophe ( ' ).

And on the description it doesn't retain the text formatting like bold, color, size, etc.

What is the best or right way to do this?

pb2q
Alvaro Louzada
  • No more mysql_ please, use `mysqli_` functions or PDO instead. – akluth Apr 25 '13 at 14:30
  • What's the insert query look like? – AbsoluteƵERØ Apr 25 '13 at 14:31
  • If you're getting an error on a quote, then you didn't escape right, or are using the unescaped copy in your query. mysql will **NOT** strip html, or remove "bold", "color", "size", etc... That's not mysql's job, and it couldn't care less what you're storing in it, as long as the query you're using to do it is syntactically correct. – Marc B Apr 25 '13 at 14:32
  • First, note @akluth's comment. Have you called `mysql_connect()` before `mysql_real_escape_string()`? – hek2mgl Apr 25 '13 at 14:32
  • As for the HTML tags... Why do you ask for HTML in the first place if you need plain text? – Álvaro González Apr 25 '13 at 14:33
  • 1. The mysql_* functions are deprecated. Use mysqli or PDO instead. 2. Use parameterized queries (prepared statements). – daiscog Apr 25 '13 at 14:39

2 Answers


Replace ' with &apos;

$name = str_replace("'", "&apos;", $name);
Sudo Reboot

You could do the following if that's the only problem you're having:

$clean_name = str_replace("'", '&apos;', $name);

This will simply convert your apostrophe into an HTML ISO-8859-1 Reference.

Curtis Crewe
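
The comments on the question recommend PDO and prepared statements. The following is an added example, not code from any poster on this page, showing that approach storing the question's two values unchanged. It assumes the pdo_sqlite extension with an in-memory database so it runs offline, and the table and column names are hypothetical.

```php
<?php
// Added example, not code from this thread. Assumes the pdo_sqlite extension and an
// in-memory SQLite database so it runs offline; for MySQL only the DSN changes.
// The table and column names (places, name, description) are hypothetical.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE places (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL, description TEXT NOT NULL)');

function savePlace(PDO $pdo, string $name, string $description): int
{
    // Placeholders keep the values out of the SQL text, so an apostrophe
    // is stored as data and never parsed as a string delimiter.
    $stmt = $pdo->prepare(
        'INSERT INTO places (name, description) VALUES (:name, :description)');
    $stmt->execute([':name' => $name, ':description' => $description]);
    return (int) $pdo->lastInsertId();
}

function loadPlace(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare('SELECT name, description FROM places WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException("No place with id $id");
    }
    return $row;
}

// Constructed sample input standing in for the $_REQUEST values in the question.
$name = "Bob's Pizzaria";
$description = '<b>tes, just test</b>';

$row = loadPlace($pdo, savePlace($pdo, $name, $description));

// The stored values are byte-for-byte what was submitted: no &apos;, no
// backslashes, markup intact.
var_dump($row['name'] === $name, $row['description'] === $description);

// HTML escaping belongs at output time, not in the database. The name is plain
// text, so it is escaped when written into a page. The description is meant to
// carry markup; it should pass an allow-list HTML sanitizer before being
// rendered unescaped (not shown here).
echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
```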