
I have a textarea and the user can type in single quotes and double quotes, but before I insert this data in the database, I would like to replace the single quotes with \' and the double quotes with \". I tried to do the following:

$_POST = str_replace("'", "\'", $_POST);
$_POST = str_replace(""", "\"", $_POST);

When I run this, I just get a blank screen, no errors. Am I doing this wrong?

user3723240
    Is this an attempt to avoid SQL Injections? If that is the case, you should read: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – chrisp Jul 22 '14 at 20:41
  • Even the Stack Overflow syntax highlighter detects an error. – zerkms Jul 22 '14 at 20:41
  • I tried using mysql_real_escape_string but it just inserts empty data – user3723240 Jul 22 '14 at 20:42
  • This `"'", "\'"` in your `("'", "\'", $_POST)` will only replace it for the same thing `'` for `'`, so you can do `("'", "", $_POST)` instead, then replace `(""", "\"", $_POST)` with `"\"", "", $_POST)` which will replace `"` for nothing. This is an answer to your posted code, besides the answers given below, should you still feel keen on using what you were working on. – Funk Forty Niner Jul 22 '14 at 20:49

4 Answers


You really shouldn't do it. You should use PDO and prepared statements, or at least mysqli and mysqli_real_escape_string. Using addslashes to insert data into a database is a very bad idea.

EDIT

And you shouldn't use mysql functions (I see you tried in your question comment) because they are already deprecated. Use mysqli functions if you don't want to use PDO.

Marcin Nabiałek
  • mysqli_real_escape_string also doesn't work, it just inserts empty data :( – user3723240 Jul 22 '14 at 20:46
  • @user3723240 You need to create mysqli connection first and pass correct parameters when you use this function – Marcin Nabiałek Jul 22 '14 at 20:47
  • I am connecting via mysqli_connect – user3723240 Jul 22 '14 at 20:48
  • How would I add a prepared statement here: `$sql = "INSERT INTO `awards` (title, description, image) VALUES ('" . mysqli_real_escape_string($title) . "', '" . $description . "', '" . $image . "')"; if (!mysqli_query($connection,$sql)) { die('Error: ' . mysqli_error($connection)); }else{ echo 'Award has been inserted'; }` – user3723240 Jul 22 '14 at 20:49
  • @user3723240 You should look at http://php.net/manual/en/mysqli.quickstart.prepared-statements.php in case of mysqli or http://php.net/manual/en/pdo.prepared-statements.php (in case of PDO) – Marcin Nabiałek Jul 22 '14 at 20:56
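For the INSERT the asker pasted in the comments above, here is what the prepared-statement version that this answer recommends looks like with mysqli. This is an added example written for this page, not code from the answer or from the asker; it assumes a MySQL server reachable with the placeholder credentials shown and an `awards` table with `title`, `description` and `image` columns, as in the asker's query. The bound values never become part of the SQL text, so quotes and backslashes in the textarea are stored as data and no str_replace or addslashes step is needed.

```php
<?php
// Added example (not from the question or the answers): the asker's INSERT
// rewritten with a mysqli prepared statement.
// Assumptions: MySQL reachable with the placeholder credentials below and a
// table `awards` (title, description, image) as in the question.
declare(strict_types=1);

// Throw exceptions on every mysqli error instead of silently returning false,
// which is the usual cause of "it just inserts empty data" / blank pages.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$connection = mysqli_connect('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
mysqli_set_charset($connection, 'utf8mb4'); // client and server agree on the charset

/**
 * Insert one award row and return its auto-increment id.
 * The SQL contains only `?` placeholders; the values are sent separately by
 * the driver, so `'`, `"`, `\` or `;` inside them cannot alter the statement.
 */
function insert_award(mysqli $connection, string $title, string $description, string $image): int
{
    $stmt = mysqli_prepare(
        $connection,
        'INSERT INTO awards (title, description, image) VALUES (?, ?, ?)'
    );
    // 'sss' = three string parameters, bound by reference in column order
    mysqli_stmt_bind_param($stmt, 'sss', $title, $description, $image);
    mysqli_stmt_execute($stmt);
    $id = (int) mysqli_insert_id($connection);
    mysqli_stmt_close($stmt);
    return $id;
}

// Take the form fields as submitted. No escaping step is applied here, and
// none needs to be: binding handles every character the textarea can contain.
$title       = (string) ($_POST['title'] ?? '');
$description = (string) ($_POST['description'] ?? '');
$image       = (string) ($_POST['image'] ?? '');

// Constructed sample input for running this from the CLI (no form post):
// a value full of the quote characters the question is about.
if ($title === '' && PHP_SAPI === 'cli') {
    $title       = "O'Reilly \"Best\" Award";
    $description = 'Text with \'single\', "double" and \\backslash';
    $image       = 'award.png';
}

$id = insert_award($connection, $title, $description, $image);
echo "Award has been inserted (id $id)\n";
// SELECT title FROM awards WHERE id = $id returns the string exactly as typed,
// quotes and backslash intact, with no stray \' or \" added.
```

The same query under PDO is `$pdo->prepare('INSERT INTO awards (title, description, image) VALUES (?, ?, ?)')->execute([$title, $description, $image]);` with `PDO::ATTR_ERRMODE` set to `PDO::ERRMODE_EXCEPTION` so failures surface instead of producing an empty row.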

$_POST is an array and you can't use string replacement functions for that. You have to do it directly on the fields themselves, for example on $_POST['name'].

Stefan

Just use mysql_real_escape_string; and trying to perform string operations on a superglobal variable... not a good idea (in case you don't know, these variables are arrays).


Why don't you use:

mysqli_real_escape_string
JuJoGuAl