Insert values containing special characters into MySQL database

Question

I'm currently trying to setup a comment system with TinyMCE, it's all working with normal characters and PHP tags and so on. But when I comment with this ed o'neill, it just inserts an empty row in my db.

I have htmlspecialchars and mysqli_real_escape_string on the input from my form.

How can I fix the empty row insert?

$post_content = $_POST['post_content'];
                        //$post_content = htmlspecialchars($post_content);
                        //$post_content = mysqli_real_escape_string($post_content);

Its 2014, Really better use a modern library for working with Mysql or look @ PDO — Ahmad, May 27 '14 at 07:23
[**Always use contextual escaping.**](http://stackoverflow.com/a/23076661/1438393). `htmlspecialchars` has nothing to do here — it's for preventing XSS attacks. You only need to escape the special characters alone. For that, either use `m_r_e_s()` **alone** or use prepared statements (preferred option). — Amal Murali, May 27 '14 at 07:25
Im stil "new" to php, what do you mean with prepared statement? like OOP ? or — kristian, May 27 '14 at 07:27
you have commented some of your code and mysqli_real_escape_string requires 2 parameters `string mysqli_real_escape_string ( mysqli $link , string $escapestr )` — Rakesh Shetty, May 27 '14 at 07:29
[**Right here => read up on prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) — Funk Forty Niner, May 27 '14 at 07:30
I forgot the database connection in the escape string.. :) Will def read on prepared statements. Thank you so much — kristian, May 27 '14 at 07:34
FYI: Using `mysqli_real_escape_string()` alone won't guarantee that an apostrophe won't show up as `\'` in DB. Include `stripslashes()` as well. — Funk Forty Niner, May 27 '14 at 07:42
@Fred-ii- It will guarantee that "ed o'neill" is saved as `ed o'neill`. Slashes are irrelevant to any SQL portion of the problem. — user2864740, May 27 '14 at 07:43
@user2864740 Sorry but I beg to differ. I say this from experience. — Funk Forty Niner, May 27 '14 at 07:43
@Fred-ii- Then defend the position: ***How*** are slashes relevant to the SQL *data*? (The *data* is not necessarily a valid SQL *string literal*.) — user2864740, May 27 '14 at 07:44

Tom · Answer 1 · 2014-05-27T07:33:51.483

3

Take a look at prepared statements, it will do all the escaping for you

EDIT: Here's the link to the PHP manual, courtesy of Fred -ii-

edited May 27 '14 at 07:33

answered May 27 '14 at 07:28

Tom

648
3
9

You mean [**like this?**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) – Funk Forty Niner May 27 '14 at 07:28
That's what i mean yeah – Tom May 27 '14 at 07:30
*Ahh*, I thought so ;-) – Funk Forty Niner May 27 '14 at 07:31

score 2 · Accepted Answer · answered May 27 '14 at 07:38

You have commented some of your code but mysqli_real_escape_string requires 2 parameters see for more information here

string mysqli_real_escape_string ( mysqli $link , string $escapestr );

Your code should be :

$post_content = mysqli_real_escape_string($connection,$post_content); //$connection should be your database connection string

Insert values containing special characters into MySQL database

2 Answers2

Linked