How do I make recognize apostrophes as text only?</a></h1> </div> <div class="grid fw-wrap pb8 mb16 bb bc-black-075"> <div class="grid--cell ws-nowrap mr16 mb8" title="2016-01-12 19:07:53Z"> <span class="fc-light mr2">Asked</span> <time itemprop="dateCreated" datetime="2015-07-05T05:24:47.787" class="fromnow">Jul 05 '15 at 05:24</time> </div> <div class="grid--cell ws-nowrap mr16 mb8"> <span class="fc-light mr2">Active</span> <time class="fromnow" title="2015-07-05T06:09:16.390" datetime="2015-07-05T06:09:16.390">Jul 05 '15 at 06:09</a> </div> <div class="grid--cell ws-nowrap mb8" title="Viewed 1,094 times"> <span class="fc-light mr2">Viewed</span> 1,094 times </div> </div> <div id="mainbar" role="main" aria-label="questions and answers"> <div id="question" class="question" data-questionid="31227410" data-ownerid="5071909" data-score="3"> <div class="post-layout"> <div class="votecell post-layout--left"> <div class="js-voting-container grid jc-center fd-column ai-stretch gs4 fc-black-200" data-post-id="31227410"> <button class="js-vote-up-btn grid--cell s-btn s-btnunset c-pointer"><svg aria-hidden="true" class="m0 svg-icon iconArrowUpLg" width="36" height="36" viewBox="0 0 36 36"><path d="M2 26h32L18 10 2 26z"></path></svg></button> <div class="js-vote-count grid--cell fc-black-500 fs-title grid fd-column ai-center" itemprop="upvoteCount" data-value="3">3</div> <button class="js-bookmark-btn s-btn s-btnunset c-pointer py4"> <svg aria-hidden="true" class="svg-icon iconBookmark" width="18" height="18" viewBox="0 0 18 18"><path d="M6 1a2 2 0 00-2 2v14l5-4 5 4V3a2 2 0 00-2-2H6zm3.9 3.83h2.9l-2.35 1.7.9 2.77L9 7.59l-2.35 1.7.9-2.76-2.35-1.7h2.9L9 2.06l.9 2.77z"></path></svg> <div class="js-bookmark-count mt4" data-value=""></div> </button> </div> </div> <div class="postcell post-layout--right"> <div class="s-prose js-post-body" itemprop="text"><p>Quite simply, the 'texarea' on my website is like texting, it allows users to enter text and it's posted onto the page. I just found out that it treats the text as some sort of code, maybe SQL.</p> <p>When I typed in <strong>"Hello we're all fine"</strong>, the apostrophe in the word "we're" had caused some confusion.</p> <p>The error message displayed in the browser:</p> <pre><code>Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 're all set')' at line 1 </code></pre> <p>Just in case you're wondering, here's the html :</p> <pre><code><form action="comi.php" method="post"> <textarea maxlength="227" type="text" name="input" cols="45" rows="4"></textarea> <input type="submit" value="POST" id="button" /> </form> </code></pre> <p>I thought that it may have something to do with the database, can anyone help?</p> <p>Thanks in advance :)</p></div> <div class="mt24 mb12"> <div class="post-taglist grid gs4 gsy fd-column"> <div class="grid ps-relative"> <a href="../../questions/tagged/php" class="post-tag js-gps-track" title="show questions tagged 'php'" rel="tag">php</a> <a href="../../questions/tagged/html" class="post-tag js-gps-track" title="show questions tagged 'html'" rel="tag">html</a> <a href="../../questions/tagged/sql" class="post-tag js-gps-track" title="show questions tagged 'sql'" rel="tag">sql</a> <a href="../../questions/tagged/forms" class="post-tag js-gps-track" title="show questions tagged 'forms'" rel="tag">forms</a> </div> </div> </div> <div class="mb0"> <div class="mt16 grid gs8 gsy fw-wrap jc-end ai-start pt4 mb16"> <div class="grid--cell mr16 fl1 w96"></div> <div class="post-signature grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="edited Jul 05 '15 at 05:38">edited Jul 05 '15 at 05:38</time> <a href="../../users/4779472/rohit-gupta" class="s-avatar s-avatar32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/4779472.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="Rohit Gupta" /> </a> <div class="s-user-card--info"> <a href="../../users/4779472/rohit-gupta" class="s-user-card--link">Rohit Gupta</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">4,022</li> <li class="s-award-bling s-award-blinggold" title="20 gold badges">20</li> <li class="s-award-bling s-award-blingsilver" title="31 silver badges">31</li> <li class="s-award-bling s-award-blingbronze" title="41 bronze badges">41</li> </ul> </div> </div> </div> <div class="post-signature owner grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="asked Jul 05 '15 at 05:24">asked Jul 05 '15 at 05:24</time> <a href="../../users/5071909/mini-sini-pi" class="s-avatar s-avatar32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/5071909.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="Mini Sini Pi" /> </a> <div class="s-user-card--info"> <a href="../../users/5071909/mini-sini-pi" class="s-user-card--link">Mini Sini Pi</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">127</li> <li class="s-award-bling s-award-blingsilver" title="2 silver badges">2</li> <li class="s-award-bling s-award-bling__bronze" title="15 bronze badges">15</li> </ul> </div> </div> </div> </div> </div> </div> <div class="post-layout--right js-post-comments-component"> <div id="comments-31227410" class="comments js-comments-container bt bc-black-075 mt12 " data-post-id="31227410" data-min-length="15"> <ul class="comments-list js-comments-list" data-remaining-comments-count="0" data-canpost="false" data-cansee="true" data-comments-unavailable="false" data-addlink-disabled="true"> <li id="comment-50454308" class="comment js-comment " data-comment-id="50454308" data-comment-owner-id="5071909" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment50454308_31227410"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">Sorry the first line should say : "Quite simply, the <textarea> on my website..." – Mini Sini Pi Jul 05 '15 at 05:26

Question

To prevent SQL -injection you should use Stored Procedures.

CREATE PROCEDURE saveText
    @textArea nvarchar(50)
AS 
SET NOCOUNT ON;

INSERT INTO myTable 
    (textArea)
VALUES
    (@textArea)

GO

This way, you will have no problems when you have a ' in your input.

score 1 · Answer 1 · answered Jul 05 '15 at 05:43

To prevent SQL -injection you should use Stored Procedures.

CREATE PROCEDURE saveText
    @textArea nvarchar(50)
AS 
SET NOCOUNT ON;

INSERT INTO myTable 
    (textArea)
VALUES
    (@textArea)

GO

This way, you will have no problems when you have a ' in your input.

score 0 · Answer 2 · answered Jul 05 '15 at 05:39

You need to escape the string that you have typed so that the sql engine does not get confused.

$input = $_POST["textarea"];
$safe_input = mysql_real_escape_string($input);

You need to use this in your sql statement.

WARNING

As others are trying to tell you, you are leaving yourself open to sql injection attacks. Once you have the above working , you should read up on it. There is a link in the comments above.

score 0 · Answer 3 · answered Jul 05 '15 at 06:09

0

$input = $_POST["textarea"]; $safe_input = addslashes($input);

answered Jul 05 '15 at 06:09

rapidRoll

300
1
9

No no no this is not going to protect anything – Jul 05 '15 at 07:14

3 Answers3