I have an input field named "eventName". Every time I put a single quote in it (e.g. uncle's birthday) it won't be inserted into the database. I mean no data at all is posted to the database. The system just says that the event was saved, but no data is stored in the database.
Provide your PHP code that inserts the data. – Mayank Pandeyz Nov 14 '16 at 05:41

Show your code. And try to print your query and execute it manually in phpMyAdmin; then you will come to know the error. Actually, if a single quote comes in between in a query, it executes the first part and produces the error. That is, the single quote divides your query into two parts. If you print your query you can see that. Alternatively you can use the HTML character to save the single quote into the database; while retrieving, it automatically shows the single quote. – Pranav MS Nov 14 '16 at 05:53

Hi, here's the code: $insert = mysql_query("INSERT INTO `roomschedule`(`EventID`,`EventID_recur`, `EventName`, `Date`, `StartTime`, `EndTime`, `Organizer`, `ApprovedBy`, `Saved`, `MeetingType`, `Privacy`) VALUES ('".$EventID."','1', '".$eventName."', '".$date."', '".$startTime."', '".$endTime."', '".$_SESSION['username']."', '', '".date('Y-m-d H:i:s')."', '".$roomType."','".$Visibility."')") or die("Could not insert error: ".mysql_error()); – colt_25 Nov 14 '16 at 06:03

BEWARE: Your code is vulnerable to SQL injection. Look at this answer for help escaping: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Marinus Nov 14 '16 at 06:26
3 Answers
You need to escape the single quote. The escape character used in this case is '\'; you can use built-in functions like mysqli_escape_string or addslashes.
When you add a single quote in a variable and add it to a query, this will change your query by considering the single quote as a comment, e.g.
Insert into Table ('name') values ('uncle's birthday');
Your query gets ended at uncle and the part after that won't be considered; essentially this would result in failure. You should check what the error code is as well, depending on which database you are using.
Update:
$eventName = addslashes($_POST['eventName']); // the PHP function is addslashes(), with no underscore

Hi uday8486, I got no error in response; the system continues its flow, it's just that it doesn't save the info. – colt_25 Nov 14 '16 at 06:07
Hi #uday8486, here's the code: $eventName = $_POST['eventName']; $insert = mysql_query("INSERT INTO `roomschedule`(`EventID`,`EventID_recur`, `EventName`, `Date`, `StartTime`, `EndTime`, `Organizer`, `ApprovedBy`, `Saved`, `MeetingType`, `Privacy`) VALUES ('".$EventID."','1', '".$eventName."', '".$date."', '".$startTime."', '".$endTime."', '".$_SESSION['username']."', '', '".date('Y-m-d H:i:s')."', '".$roomType."','".$Visibility."')") or die("Could not insert error: ".mysql_error()); – colt_25 Nov 14 '16 at 06:15
Check the updated answer; change the way $eventName is assigned from the POST value. – uday8486 Nov 14 '16 at 06:23
Rather than simply adding slashes, consider prepared statements, thus preventing SQL injection attacks. More details about this here: How can I prevent SQL injection in PHP?
It's good practice to escape values before writing them to your database.
$escapedName = mysqli_real_escape_string($conn, $_POST['eventName']); // $conn is the open mysqli connection; the function requires it as the first argument

Hi user1477736, your code works. It saved a log to the database but it omitted the event name. I mean the value is blank. – colt_25 Nov 14 '16 at 07:47
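As an added example that is not part of any answer on this page: the roomschedule INSERT from the question rewritten as a mysqli prepared statement, which is the approach the second answer recommends. It assumes an existing mysqli connection in $conn (the credentials below are placeholders) and the same variables the question's code uses ($EventID, $date, $startTime, $endTime, $roomType, $Visibility).

```php
<?php
// Added example (not the asker's code): the roomschedule INSERT as a mysqli
// prepared statement. Assumes a mysqli connection in $conn and the question's
// own variables ($EventID, $date, $startTime, $endTime, $roomType, $Visibility).
function insertRoomSchedule(mysqli $conn, array $row): int
{
    $sql = 'INSERT INTO `roomschedule`
            (`EventID`, `EventID_recur`, `EventName`, `Date`, `StartTime`, `EndTime`,
             `Organizer`, `ApprovedBy`, `Saved`, `MeetingType`, `Privacy`)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';

    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }

    // Values travel separately from the SQL text, so the quote in "uncle's birthday"
    // is stored as data and can never terminate the string literal or alter the query.
    $stmt->bind_param(
        'sssssssssss',
        $row['EventID'], $row['EventID_recur'], $row['EventName'], $row['Date'],
        $row['StartTime'], $row['EndTime'], $row['Organizer'], $row['ApprovedBy'],
        $row['Saved'], $row['MeetingType'], $row['Privacy']
    );
    if (!$stmt->execute()) {
        // Surface the real database error instead of reporting "saved" with no row written.
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return $stmt->affected_rows;
}

$conn = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholder credentials
$conn->set_charset('utf8mb4');

insertRoomSchedule($conn, [
    'EventID'       => $EventID,
    'EventID_recur' => '1',
    'EventName'     => $_POST['eventName'],   // e.g. "uncle's birthday"
    'Date'          => $date,
    'StartTime'     => $startTime,
    'EndTime'       => $endTime,
    'Organizer'     => $_SESSION['username'],
    'ApprovedBy'    => '',
    'Saved'         => date('Y-m-d H:i:s'),
    'MeetingType'   => $roomType,
    'Privacy'       => $Visibility,
]);
```

With the values bound as parameters there is nothing to escape, so neither addslashes nor mysqli_real_escape_string is needed, and a failed execute() raises an error instead of silently storing nothing.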