-1

I am trying to add an apostrophe into a form which then saves to a Database, however the form will not save when the apostrophe is added.

This is my code:

<?php

// Read the form fields (array keys must be quoted strings).
$abouttitle     = $_POST['abouttitle'];
$aboutcontent   = $_POST['aboutcontent'];
$aboutside      = $_POST['aboutside'];
$aboutsidetitle = $_POST['aboutsidetitle'];

$con = mysql_connect("localhost", "XXX", "XXX");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}

mysql_select_db("cl49-XXX", $con);

// Escape the values for use inside single-quoted SQL literals
// (needs the open connection from above).
$aboutcontent   = mysql_real_escape_string($aboutcontent);
$abouttitle     = mysql_real_escape_string($abouttitle);
$aboutside      = mysql_real_escape_string($aboutside);
$aboutsidetitle = mysql_real_escape_string($aboutsidetitle);

$query = "
UPDATE ADMIN
SET aboutcontent='$aboutcontent',
    abouttitle='$abouttitle',
    aboutside='$aboutside',
    aboutsidetitle='$aboutsidetitle'
";
$result = mysql_query($query);

When I add an apostrophe into the form to save it to the DB, I get the error below:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
Shane
  • 244
  • 1
  • 4
  • 17
  • You should escape your data. You're indirectly SQL injecting yourself. Another single quotation is probably added and thus one is missing. It needs to be escaped. – Touch Sep 15 '13 at 13:01
  • You will need to escape any single quotes, `'`. `mysql_real_escape_string` will work although you should really be using a different database library to avoid SQL injection. – AlexP Sep 15 '13 at 13:02
  • possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – andrewsi Sep 15 '13 at 15:02

2 Answers

1

You need to escape your values from the PHP side. Use a function like

mysqli_real_escape_string if you're using the mysqli extension, or

mysql_real_escape_string if you're using the mysql extension.

DevZer0
  • 13,433
  • 7
  • 27
  • 51
1

Yes. Use mysql_real_escape_string before executing your query:

$aboutcontent = mysql_real_escape_string($aboutcontent);
$abouttitle = mysql_real_escape_string($abouttitle);
$aboutside = mysql_real_escape_string($aboutside);
$aboutsidetitle = mysql_real_escape_string($aboutsidetitle); 

Once you've escaped the variables, you can execute your query:

$query = "
UPDATE ADMIN
SET aboutcontent='$aboutcontent',
    abouttitle='$abouttitle',
    aboutside='$aboutside',
    aboutsidetitle='$aboutsidetitle'
";
$result = mysql_query($query);

Sidenote: Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

Community
  • 1
  • 1
Amal Murali
  • 75,622
  • 18
  • 128
  • 150
  • I have added this code, see edited question. But I now get `Server Error`? – Shane Sep 15 '13 at 13:15
  • @Shane: [Turn on error reporting](http://stackoverflow.com/a/6575502/1438393) – Amal Murali Sep 15 '13 at 13:16
  • I have added this but still get `server error`? – Shane Sep 15 '13 at 13:23
  • @Shane: Oops. It was an extra bracket at the end of the MySQL query. I've edited the answer. But, if you have enabled error reporting, you should have seen the error message. – Amal Murali Sep 15 '13 at 13:26
  • Thanks, I have added the updated code, which removes the error. Now the form isn't saving any changes? – Shane Sep 15 '13 at 13:31
  • @Shane: That's not very descriptive. First of all, you should enable error reporting. Try to debug and find the error. Do a `print_r($_POST)` and see if you're getting the form inputs correctly. Also, try executing the MySQL query directly (in your terminal/shell/phpMyAdmin) and see if it works. If it does, it's probably something wrong in your script. – Amal Murali Sep 15 '13 at 13:33
  • Now I am very confused, I added this in and it showed everything correct, however it has not updated the DB... – Shane Sep 15 '13 at 13:40
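Both answers recommend escaping, and the sidenote in the second points to prepared statements. The following is an added example (not code from the question or either answer) that shows why an apostrophe in form input breaks an interpolated query and how a PDO prepared statement stores the same input unchanged. It uses an in-memory SQLite database so it runs offline without a MySQL server; the table and column names mirror the question, and the `$post` array is constructed input standing in for `$_POST`.

```php
<?php
// Added example: interpolated query vs. prepared statement with an apostrophe
// in the data. Assumes the pdo_sqlite extension is available.
declare(strict_types=1);

function buildUnsafeQuery(string $title): string
{
    // Raw interpolation: an apostrophe in $title closes the SQL string literal
    // early, so the rest of the value is parsed as SQL and the statement fails.
    return "UPDATE ADMIN SET abouttitle='$title'";
}

function saveAbout(PDO $db, array $fields): int
{
    // Placeholders: the values are passed to the driver separately from the
    // SQL text, so quotes inside them are stored as ordinary characters.
    $stmt = $db->prepare(
        'UPDATE ADMIN
            SET aboutcontent = :content,
                abouttitle = :title,
                aboutside = :side,
                aboutsidetitle = :sidetitle'
    );
    $stmt->execute([
        ':content'   => $fields['aboutcontent'],
        ':title'     => $fields['abouttitle'],
        ':side'      => $fields['aboutside'],
        ':sidetitle' => $fields['aboutsidetitle'],
    ]);
    return $stmt->rowCount();
}

// Offline stand-in for the MySQL database from the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ADMIN (
    aboutcontent TEXT, abouttitle TEXT, aboutside TEXT, aboutsidetitle TEXT)');
$db->exec("INSERT INTO ADMIN VALUES ('', '', '', '')");

// Constructed form input containing the troublesome apostrophe.
$post = [
    'aboutcontent'   => "We're a small team.",
    'abouttitle'     => "Shane's page",
    'aboutside'      => 'Side text',
    'aboutsidetitle' => 'Side title',
];

// 1. The interpolated statement: print it, then show the database rejecting it.
echo buildUnsafeQuery($post['abouttitle']), "\n";
try {
    $db->exec(buildUnsafeQuery($post['abouttitle']));
} catch (PDOException $e) {
    echo "interpolated query rejected: ", $e->getMessage(), "\n";
}

// 2. The same input through the prepared statement.
$rows  = saveAbout($db, $post);
$saved = $db->query('SELECT abouttitle FROM ADMIN')->fetchColumn();
echo "rows updated: $rows, stored title: $saved\n";
```

Run it with `php example.php`. The first statement fails with a syntax error at the point where `Shane's` closes the literal, which is the same class of error the question reports; the prepared statement updates the row and reads the title back with the apostrophe intact. Escaping with `mysql_real_escape_string` or `mysqli_real_escape_string` also handles the apostrophe, but it depends on an open connection and its character set, whereas placeholders keep data and SQL separate regardless of content.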