18

Can anyone tell me how to insert special characters into a MySQL database? I've made a PHP script which is meant to insert some words into a database, although if the word contains a ' then it wont be inserted.

I can insert the special characters fine when using PHPmyAdmin, but it just doesn't work when inserting them via PHP. Could it be that PHP is changing the special characters into something else? If so, is there a way to make them insert properly?

John Saunders
  • 160,644
  • 26
  • 247
  • 397
Joey Morani
  • 25,431
  • 32
  • 84
  • 131

13 Answers13

32
$insert_data = mysql_real_escape_string($input_data);

Assuming that you have the data stored as $input_data

Anthony
  • 36,459
  • 25
  • 97
  • 163
12

Are you escaping? Try the mysql_real_escape_string() function and it will handle the special characters.

zaf
  • 22,776
  • 12
  • 65
  • 95
  • +1 for beating me to it. I've found I get more votes when I use the backtick to format my inline code, if that helps. – Anthony Apr 06 '10 at 11:23
  • 1
    Sympathy upvote since you answered first but didn't give an example. As if this was a question that couldn't have been answered faster using PHP.net – dscher Apr 06 '10 at 12:35
  • @dscher Thanks! If there were only more people like you! ;) – zaf Apr 06 '10 at 12:52
  • @zaf Two years later and I want to apologize. :P At the time I was stupid and a total noob to PHP. When I saw Anthony's answer with a code example I immediately checked it as the answer without even looking at yours because it required less effort. I know better now, so again sorry. :) – Joey Morani Oct 19 '12 at 12:02
  • 1
    @JoeyMorani Thats alright and thanks for the message. You're not a noob anymore. – zaf Oct 19 '12 at 14:05
6

You are most likely escaping the SQL string, similar to:

SELECT * FROM `table` WHERE `column` = 'Here's a syntax error!'

You need to escape quotes, like follows:

SELECT * FROM `table` WHERE `column` = 'Here\'s a syntax error!'

mysql_real_escape_string() handles this for you.

Paul Lammertsma
  • 37,593
  • 16
  • 136
  • 187
6

use mysql_real_escape_string

So what does mysql_real_escape_string do?

This PHP library function prepends backslashes to the following characters: \n, \r, \, \x00, \x1a, ‘ and “. The important part is that the single and double quotes are escaped, because these are the characters most likely to open up vulnerabilities.

Please inform yourself about sql_injection. You can use this link as a start

Peter Parker
  • 29,093
  • 5
  • 52
  • 80
  • 1
    Yet another stupid article whose author has no clue. The same old story about drop tables (good to scare newbies, yes, but never work though), same stupidQuery function that look after magic quotes. And not a word about non-string values, as usual. and greatest protaction of $badWords ever – Your Common Sense Apr 06 '10 at 10:35
  • ok, it is not the best article, but it should familiarize with the basics(I digged it from a fast google search) You can give a link to a better article if you have. – Peter Parker Apr 06 '10 at 10:46
  • Well I wrote some, it the form of SO answer. http://stackoverflow.com/questions/2589820/is-it-necessary-to-use-mysql-real-escape-string-when-magic-quotes-gpc-is-on – Your Common Sense Apr 07 '10 at 05:12
5

You are propably pasting them directly into a query. Istead you should "escape" them, using appriopriate function - mysql_real_escape_string, mysqli_real_escape_string or PDO::quote depending on extension you are using.

3

Note that as others have pointed out mysql_real_escape_string() will solve the problem (as will addslashes), however you should always use mysql_real_escape_string() for security reasons - consider:

SELECT * FROM valid_users WHERE username='$user' AND password='$password'

What if the browser sends

user="admin' OR (user=''"
password="') AND ''='"

The query becomes:

SELECT * FROM valid_users 
WHERE username='admin' OR (user='' AND password='') AND ''=''

i.e. the security checks are completely bypassed.

C.

symcbean
  • 47,736
  • 6
  • 59
  • 94
2

Probably "mysql_real_escape_string()" will work for u

OM The Eternity
  • 15,694
  • 44
  • 120
  • 182
0
$var = mysql_real_escape_string("data & the base");
$result = mysql_query('SELECT * FROM php_bugs WHERE php_bugs_category like  "%' .$var.'%"');
kleopatra
  • 51,061
  • 28
  • 99
  • 211
amarjit singh
  • 463
  • 5
  • 14
0

Use this: htmlentities($_POST['field']);

Enough only. This for special character:

Use for CI htmlentities($this->input->post('control_name'));

Gynteniuxas
  • 7,035
  • 18
  • 38
  • 54
Soyab Badi
  • 400
  • 6
  • 17
0

For Example:
$parent_category_name = Men's Clothing
Consider here the SQL query

$sql_category_name = "SELECT c.*, cd.name, cd.category_id  as iid FROM ". DB_PREFIX . "category c LEFT JOIN " . DB_PREFIX . "category_description cd ON (c.category_id = cd.category_id) WHERE cd.name = '" .  $this->db->escape($parent_category_name) . "' AND c.parent_id =0 ";

Error:

Static analysis:

1 errors were found during analysis.

Ending quote ' was expected. (near "" at position 198)
SQL query: Documentation

SELECT c.*, cd.name, cd.category_id as iid FROM oc_category c LEFT JOIN oc_category_description cd ON (c.category_id = cd.category_id) WHERE cd.name = 'Men's Clothing' AND c.parent_id =0 LIMIT 0, 25

MySQL said: Documentation

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Clothing' AND c.parent_id =0 LIMIT 0, 25' at line 1

Try to implement:

$this->db->escape($parent_category_name)

The above method works on OpenCart framework. Find your framework & implement OR mysql_real_escape_string() in Core PHP

This will become Men\'s Clothing i.e, In my case

$sql_category_name = "SELECT c.*, cd.name, cd.category_id  as iid FROM ". DB_PREFIX . "category c LEFT JOIN " . DB_PREFIX . "category_description cd ON (c.category_id = cd.category_id) WHERE cd.name = '" .  $this->db->escape($parent_category_name) . "' AND c.parent_id =0 ";

So you'll get the clear picture of the query by implementing escape() as

SELECT c.*, cd.name, cd.category_id as iid FROM oc_category c LEFT JOIN oc_category_description cd ON (c.category_id = cd.category_id) WHERE cd.name = 'Men\'s Clothing' AND c.parent_id =0
Nɪsʜᴀɴᴛʜ ॐ
  • 2,756
  • 4
  • 33
  • 57
0

htmlspecialchars function is the best solution fellows. Today I was searching for how to insert strings with special characters and the google thrown so many Stackoverflow listings.None of them provided me solution. I found it in w3schools page. Yes I could solve my problem by using this function like this:

$abc = $POST['xyz'];

$abc = htmlspecialchars($abc);
Pierre.Vriens
  • 2,117
  • 75
  • 29
  • 42
Solomon Sudhir
  • 1
0

I put it here for future reference. After wasting 20 minutes i got a solution to put special characters to database. we do not have to use mysql_real_escape_string($holdvalue) like that. we have to do this in this way. $db->real_escape_string($holdvalue). Where $db is the databse connection details. $db = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);.

xcoders
  • 1
  • 1
  • 4
0

$insert_data = addslashes($_POST['username']);

You can use this method.

Santhosh
  • 1
  • 3