
I have a page that displays the records created in a different area of the site. This page displays the records and allows the user to update their content. There's a textarea field that usually contains apostrophes (for example, We're, I've, It's, etc.).

The textarea is displayed with `htmlentities`:

    <textarea name="deal_detail" cols="35" rows="2" id="details"><?php echo htmlentities($row_Recordset1['deal_detail'], ENT_COMPAT, ''); ?></textarea>

When I click save, it tries to update the record (Note: It saves it perfectly well if it doesn't have apostrophes).

    $updateSQL = sprintf("UPDATE deals SET deal_title=%s, deal_detail=%s, deal_image=%s, renov=%s  WHERE id_deals=%s",
        GetSQLValueString($_POST['deal_title'], "text"),
        GetSQLValueString($_POST['deal_detail'], "text"),
        GetSQLValueString($_POST['deal_image'], "text"),
        GetSQLValueString($renov, "int"),
        GetSQLValueString($_POST['id_deals'], "int"));

I've tried moving `$_POST['deal_detail']` to a variable and using `htmlspecialchars` and `mysqli_real_escape_string` before updating, but nothing happens; I keep getting the same error when it tries to update, because it recognizes the apostrophe as part of the code, not the text.

I've read like 50 different posts here about similar questions or info, but nothing seems to work. I wonder if using htmlentities affects ...

luisdb
    Why don't you use `bind_param`? – Barmar Dec 20 '14 at 01:22
  • I thought you use `htmlentities` when you echo the value as an element attribute. Are you sure you need it for a `textarea`? A `textarea` element is not like an `input type text` element. It wraps text. In other words, this is a problem: `` while this is not: ``. – Verhaeren Dec 20 '14 at 01:23
  • 1
    Using `mysqli_real_escape_string` should work. You also need to put the string values into quotes in the SQL. – Barmar Dec 20 '14 at 01:23
  • @Verhaeren You need it to prevent a problem if the value contains ``, since that will end the area. – Barmar Dec 20 '14 at 01:25
  • What is `GetSQLValueString`? – Barmar Dec 20 '14 at 01:25
  • @Barmar He's talking about apostrophes; what are you talking about ``? – Verhaeren Dec 20 '14 at 01:26
  • @Verhaeren The problem he's having with storing into the database is unrelated to the reason why `htmlentities` is correct to use in `` – Barmar Dec 20 '14 at 01:29
  • Are you using the `GetSQLValueString` function from DreamWeaver, that's described here: http://stackoverflow.com/questions/4458180/php-getsqlvaluestring-function ? The problem with that function is that it's designed to work with the mysql extension, not mysqli (unless it's been enhanced since that question was written). – Barmar Dec 20 '14 at 01:31
  • Are you reading the same question that I'm reading? OMG, I'm out. Gee, these 10k+ guys are never wrong. – Verhaeren Dec 20 '14 at 01:32
  • Ok ... I'm lost. @Barmar, yes, I'm using the GetSQLValueString from Dreamweaver. – luisdb Dec 20 '14 at 10:20
  • Here's the line with the mysqli I tried to use before the insert or update: `$dealdetail = mysqli_real_escape_string($admin_buy_local, $_POST['deal_detail']);` I noticed that the variable `$dealdetail` is null once I try to insert or update the value. So, as @Barmar mentioned, that could be the problem (or at least part of it), since you said using `mysqli_real_escape_string` should work. – luisdb Dec 20 '14 at 10:23
  • Sorry @Barmar, I was wrong, I'm not using GetSQLValueString from Dreamweaver. Here's the function added: `if (PHP_VERSION < 6) { $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue; } $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue); switch ($theType) { case "text": $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; break; . . . } return $theValue; } }` – luisdb Dec 20 '14 at 10:33
  • That looks like the function in the question I linked to. It uses functions from the `mysql` extension, but you shouldn't use them if you're using `mysqli`. Don't use that function. – Barmar Dec 21 '14 at 05:15

1 Answer

OK, I just added a function found on the PHP manual and it helped me to solve it.

    function safe($admin_buy_local) {
        return mysql_real_escape_string($admin_buy_local);
    }

And then when I insert or update, I just pass the text to the function and save the result in a variable.

    $deal_detail = safe($_POST['deal_detail']);

It saves the data using a \ next to the apostrophes.

My issue now is displaying the data saved in MySQL without the "\". I assume I will have to use htmlspecialchars(), but I need to check how.

luisdb
  • You shouldn't be using `mysql` functions if you're using the `mysqli` extension. You should use `mysqli_real_escape_string`. But it would be even better if you used prepared statements. Why keep using obsolete mechanisms? – Barmar Dec 21 '14 at 05:16
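The prepared-statement approach suggested in the comments, written out as an added example (this is not the asker's code or the accepted answer, and it is not Dreamweaver's `GetSQLValueString`). It assumes the `mysqli` connection `$admin_buy_local` and the `deals` table with the columns named in the question, and that `$renov` is computed elsewhere on the page as an integer. With `bind_param`, the values travel separately from the SQL text, so an apostrophe in `deal_detail` can never be read as part of the statement, and no backslashes are written into the stored data. The rendering line at the end replaces the `htmlentities(..., ENT_COMPAT, '')` call from the question; it escapes `<`, `&` and quotes for HTML only, which is the one place escaping belongs on output.

```php
<?php
// Added example: hardened UPDATE for the question's form using a mysqli
// prepared statement. Assumed names: $admin_buy_local (mysqli connection
// from the question), table `deals`, columns as in the question, $renov
// computed elsewhere on the page.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Update one row of `deals`. Returns the number of affected rows.
 * The SQL contains only placeholders; the driver never sees $detail as SQL,
 * so "We're", "It's" or even "'; DROP TABLE deals; --" are stored verbatim.
 */
function update_deal(
    mysqli $db,
    int $id_deals,
    string $title,
    string $detail,
    string $image,
    int $renov
): int {
    $sql = 'UPDATE deals SET deal_title = ?, deal_detail = ?, deal_image = ?, renov = ? WHERE id_deals = ?';
    $stmt = $db->prepare($sql);
    // Type string 'sssii': three strings followed by two integers, in the
    // same order as the placeholders.
    $stmt->bind_param('sssii', $title, $detail, $image, $renov, $id_deals);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Read the POST fields. filter_input() returns null for a missing field and
// false when FILTER_VALIDATE_INT rejects the value, so the id is checked
// before it reaches the query.
$title  = (string) filter_input(INPUT_POST, 'deal_title');
$detail = (string) filter_input(INPUT_POST, 'deal_detail');
$image  = (string) filter_input(INPUT_POST, 'deal_image');
$id     = filter_input(INPUT_POST, 'id_deals', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('id_deals must be an integer');
}

// $renov is assumed to be set earlier on the page, as in the question.
$rows = update_deal($admin_buy_local, $id, $title, $detail, $image, (int) $renov);

// No stripslashes() is needed on output: nothing added backslashes on input.
// Escape for HTML only, at the point of rendering.
?>
<textarea name="deal_detail" cols="35" rows="2" id="details"><?= htmlspecialchars($detail, ENT_QUOTES, 'UTF-8') ?></textarea>
```

Two notes on migrating from the answer's `safe()` helper. First, `mysql_real_escape_string` belongs to the old `mysql` extension and needs a `mysql` connection; called on a page that only opened a `mysqli` connection it cannot escape correctly, which is the mismatch Barmar points out. Second, the backslashes the asker now sees in stored rows are the result of escaping twice (once by `magic_quotes_gpc` or `GetSQLValueString`, once by `safe()`): those rows were written with a literal backslash, so fix them once in the database rather than stripping slashes on every display, and stop double-escaping going forward.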