
I have a field in my database; the datatype is LONGTEXT.

My insert query is:

```php
if (isset($_POST['submit'])) {
    $sql = 'INSERT INTO `tb_mansi` (`referrence`) VALUES ("' . $_POST["legis"] . '")';

    if (!mysql_query($sql, $con)) {
        die('Error: ' . mysql_error());
    }
    echo "1 record added";
}
```

Now when I am inserting data, it is showing errors with data like childs's or "rena", meaning it gives an error with data that contains double quotes or "'". I tried to insert this data:

```text
Indira Nehru Gandhi v. Raj Narain, AIR 1975 SC 2299;
Seshan, CEC of India v. Union of India and ors., (1995) 4 SCC 611;
Kuldip Nayar v. Union of India & Ors., AIR 2006 SC 3127;
People's Union for Civil Liberties and another v. Union of India and another, (2013) 10 SCC 1;
Mohinder Singh Gill and another v. Chief Election Commissioner, New Delhi and others, (1978) 1 SCC 405;
Raghbir Singh Gill v. S. Gurcharan Singh Tohra, AIR 1980 SC 1362;
Union of India v. Association for Democratic Reforms and another, (2002) 5 SCC 294;
Dinesh Trivedi, M.P. and others v. Union of India and others, (1997) 4 SCC 306; Anukul Chandra Pradhan, Advocate Supreme Court v. Union of India and others, (1997) 6 SCC 1;
K. Prabhakaran v. P. Jayarajan, AIR 2005 SC 688;
Niranjan Hemchandra Sashittal and another v. State of Maharashtra, (2013) 4 SCC 642;
Dr. Subramanian Swamy v. Director, Central Bureau of Investigation & Anr., Writ Petition (Civil) No. 38 of 1997 etc. pronounced on May 06, 2014;
Lily Thomas v. Union of India and others, (2013) 7 SCC 653;
His Holiness Kesavananda Bharati Sripadagalvaru v. State of Kerala and another, (1973) 4 SCC 225;
Centre for PIL and another v. Union of India and another, (2011) 4 SCC 1; N.Kannadasan v. Ajoy Khose and others, (2009) 7 SCC 1;
Inderpreet Singh Kahlon v. State of Punjab, (2006) 11 SCC 356; Arun Kumar Agarwal v. Union of India, (2014) 2 SCC 609;
State of Punjab v. Salil Sabhlok and others, (2013) 5 SCC 1 and Centre for Public Interest Litigation and another v. Union of India and another, (2005) 8 SCC 202
```

but the error I am getting is:

```text
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0CGEQ_xc" style="margin-top: 0px; margin-bottom: 0px; margin-left: 0px; color: r' at line 1
```

Can anyone help me with this?

nobalG
  • Use [`mysql_real_escape_string()`](http://php.net/mysql-real-escape-string) for `$_POST["legis"]` – BlitZ Aug 29 '14 at 07:19
  • [Please, don't use `mysql_*` functions](http://stackoverflow.com/q/12859942/1190388) in new code. They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about prepared statements instead, and use [tag:PDO] or [tag:MySQLi]. – hjpotter92 Aug 29 '14 at 07:20
  • 1
    I really hope this is just a school project and not work related, else the security loopholes will cost you big time – asprin Aug 29 '14 at 07:24
  • no this is a work related project...what's the problem with it?? – user3914210 Aug 29 '14 at 07:26
  • 1
    @user3914210 SQL Injection is easy here! :) - aswell your still using mysql_ instead of mysqli_ or pdo – Xatenev Aug 29 '14 at 07:29
  • sir could you please tell a good link for injections as i have not worked with injections yet – user3914210 Aug 29 '14 at 07:32
  • Most seen stackoverflow thread i guess: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php | Basically people can use `$_POST['legis']` for their purposes - It might have a value like : `apple';DROP DATABASE` -> then you write that into your database without checking for its contents and boom, your database is dead. – Xatenev Aug 29 '14 at 08:36
  • is it right and safe to use parameterized queries like this one $unsafe_variable = $_POST["legis"]; $stmt = $mysqli->prepare("INSERT INTO tb_mansi (referrence) VALUES (?)"); // TODO check that $stmt creation succeeded // "s" means the database expects a string $stmt->bind_param("s", $unsafe_variable); $stmt->execute(); $stmt->close(); $mysqli->close(); – user3914210 Aug 29 '14 at 09:31

1 Answer

You have to use `mysql_escape_string()` to escape special characters.

Use this code:

```php
if (isset($_POST['submit'])) {
    $sql = 'INSERT INTO `tb_mansi` (`referrence`) VALUES ("' . mysql_escape_string($_POST["legis"]) . '")';

    if (!mysql_query($sql, $con)) {
        die('Error: ' . mysql_error());
    }
    echo "1 record added";
}
```

NB: It is better to use mysqli or PDO instead of mysql, since mysql has been officially deprecated since PHP 5.5.

AeJey