
I have the following code to convert my UITextView text into an encoded NSString that I can insert into my database along with other stuff. The insert works perfectly fine except when there is a single quotation mark... then it doesn't work. When I NSLog the encoded NSString, the ' was not even converted into anything. So when it goes to do the web server request the URL still has the ' in it, which is causing it to fail... Why are the single quotation marks not getting encoded beforehand? Here is my code (also I am not very good with PHP):

iOS:

// Percent-escape the text view contents; the fourth argument lists the characters
// that must be escaped in addition to the ones CFURL escapes by default.
NSString *encodedString = (NSString *)CFBridgingRelease(CFURLCreateStringByAddingPercentEscapes(
    NULL, (CFStringRef)self.textView.text, NULL, (CFStringRef)@"!*'();:@&=+$,/?%#[]", kCFStringEncodingUTF8));
// Only thePost is escaped here; byUserID and nickname are interpolated as-is.
NSString *strURL = [NSString stringWithFormat:@"http://example.org/postText.php?thePost=%@&byUserID=%@&nickname=%@", encodedString, [UniqueUserIdentification getUserID], nickname];

php:

<?php

$con = mysqli_connect("editout", "editout", "editout", "editout");
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

// $_GET values are already percent-decoded by PHP at this point
$thePost = $_GET["thePost"];
$byUserID = $_GET["byUserID"];
$nickname = $_GET["nickname"];

// The request values are interpolated directly into the SQL text
mysqli_query($con, "INSERT INTO MyTable
VALUES ('$thePost', '$byUserID', '$nickname', 0, 0)");
mysqli_close($con);

?>
JohnyFonno
  • Instead of doing validation from the iOS app, why not move it to the PHP? You should be preparing/executing the query too. – Dave Chen Oct 28 '14 at 04:38
  • look at [**mysqli real escape string**](http://php.net/manual/en/mysqli.real-escape-string.php) – itachi Oct 28 '14 at 04:42
  • Tried adding this after my GET and it still doesn't work: $thePost = $mysqli->real_escape_string($thePost); – JohnyFonno Oct 28 '14 at 06:28
  • I got it. Thank you! Turns out I wasn't properly updating the php script so it wasn't even recognizing the new script XD – JohnyFonno Oct 28 '14 at 12:08

2 Answers


Your SQL is wrong.

$thePost = $_GET["thePost"];

You assign $thePost with the GET data, but that is URL-decoded.

For example, $thePost is "Let's go!", so your SQL becomes:

INSERT INTO MyTable
VALUES ('Let's go', '$byUserID', '$nickname', 0, 0)"

Obviously there is a syntax error.

You need to escape the string with mysqli_real_escape_string.

And have a look at this post.

Stackia
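Stackia's answer and Feng Lin's comments below both point at the server side. As an added example (not code from the question or from either answer), here is the asker's INSERT rewritten as a mysqli prepared statement so that a single quote in the post is bound as data instead of being spliced into the SQL text; it assumes the same connection values and five-column table as the question, and PHP 7 or later for `??`.

```php
<?php
// Added example: parameterized version of the INSERT from the question.
// Report mysqli errors as exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Same connection values as the question (assumed placeholders).
$con = mysqli_connect("editout", "editout", "editout", "editout");
mysqli_set_charset($con, "utf8mb4");

// PHP has already percent-decoded the query string, so "Let%27s go" arrives
// here as "Let's go". That is why the client-side escaping was never the problem.
$thePost  = $_GET["thePost"]  ?? '';
$byUserID = $_GET["byUserID"] ?? '';
$nickname = $_GET["nickname"] ?? '';

// Placeholders instead of interpolated variables: no SQL string literal is built
// from user input, so a quote in the value cannot terminate the literal.
$stmt = mysqli_prepare($con, "INSERT INTO MyTable VALUES (?, ?, ?, 0, 0)");
// "sss": all three placeholders are bound as strings.
mysqli_stmt_bind_param($stmt, "sss", $thePost, $byUserID, $nickname);
mysqli_stmt_execute($stmt);

echo "inserted " . mysqli_stmt_affected_rows($stmt) . " row(s)";

mysqli_stmt_close($stmt);
mysqli_close($con);
?>
```

With this version, a post such as Let's go! is stored verbatim, and mysqli_real_escape_string is no longer needed for these three values.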

In the client, it encodes ' to %27, which is correct. But on the server, your SQL is used wrongly.

urlencode

Feng Lin
  • urlencode is applicable only for URLs. For other fields, it will make a messed-up situation. A parameterized query is the way to go. The URL isn't the only field he is inserting. – itachi Oct 28 '14 at 05:00
  • Do you see his code? He encodes parameters too, and uses the encoded result to post to the server. The server code is wrong. – Feng Lin Oct 28 '14 at 05:05
  • ^and he is getting the error in the server. What does that tell ya? – itachi Oct 28 '14 at 05:08
  • ' in SQL has a meaning: it represents a string quote. So the server can get the value, but the code mysqli_query($con,"INSERT INTO MyTable VALUES ('$thePost', '$byUserID', '$nickname', 0, 0)"); is wrong. – Feng Lin Oct 28 '14 at 05:17
  • Print that SQL; it may look like this: INSERT INTO MyTable VALUES(''fdsaf','32','fdsa',0,0). It has multiple ' in the values, so the database will report an error. It should escape the ' in the SQL string. – Feng Lin Oct 28 '14 at 05:30
  • Exactly my point. The SQL is right; he is just not escaping the strings. In the DB, you escape quotes by parameterizing the query, not by urlencode. – itachi Oct 28 '14 at 05:37
  • This is the server's fault in the end. The server should use prepared SQL to insert data. The client is right to escape the URL parameter. – Feng Lin Oct 28 '14 at 05:40