
So I've got this problem where I can't seem to insert text into my database which contains the following character: ' (as in, for example: It's). I've had this problem before and I just stripped the symbol, but now I really need a solution, and nowhere on the entire web or Stack Overflow can I seem to find a decent and clear answer.

This is how my data is displayed:

HTML

<textarea name="text_from_form">
      This is the kind of stuff I need and It's awesome (user input example)
</textarea>

PHP

<?php

  // user input straight from the form (closing bracket fixed: was "}")
  $my_text = $_POST["text_from_form"];
  // htmlentities() with its default flags leaves the single quote untouched
  $my_text_new = htmlentities($my_text);

  // the value is spliced directly into the SQL string
  $sql = "INSERT INTO tableName (text)
  VALUES ('$my_text_new')";
?>

THE ERROR

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's awesome ')' at line 2

Thank you in advance for the help!

CoderYordi
  • If you use prepared parameterised statements this shouldn't be a problem. Your script is at risk of [**SQL Injection Attack**](https://stackoverflow.com/q/60174/5914775). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](https://stackoverflow.com/q/5741187/5914775) Use [prepared parameterised statements](https://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead. – Tom Udding Jun 07 '17 at 17:04
  • @TomUdding can you maybe give an example of what I need to do then? Because I don't understand a word of what you're saying... – CoderYordi Jun 07 '17 at 17:08
  • `htmlentities()` going out, not in. And you should use prepared statements - which API are you using to query the database? `mysql_*`? `mysqli_*`? PDO? – Qirel Jun 07 '17 at 17:12

1 Answer


The `htmlentities()` function doesn't escape single quotes (') with the default flag (`ENT_COMPAT`); use `htmlentities($text, ENT_QUOTES)`, or the function `mysql_real_escape_string()` or `mysqli_real_escape_string()`, depending on which library you use.

RatajS
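As an added example (not code from the question or the answer), here is the same INSERT done the way the comments recommend, with a PDO prepared statement, beside the concatenated query that fails on the apostrophe. It uses an in-memory SQLite database so it runs offline (assumes the pdo_sqlite extension is loaded); for MySQL only the DSN and credentials change.

```php
<?php
// Added example, not from the original post: the question's INSERT with a
// PDO prepared statement, against in-memory SQLite so it runs offline.
// For MySQL: new PDO('mysql:host=localhost;dbname=mydb;charset=utf8mb4', $user, $pass)
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tableName (id INTEGER PRIMARY KEY AUTOINCREMENT, text TEXT NOT NULL)');

// Constructed sample input, standing in for $_POST["text_from_form"].
$my_text = "This is the kind of stuff I need and It's awesome (user input example)";

// 1. What the question does: the raw value is spliced into the SQL string.
//    The apostrophe in "It's" closes the string literal early, so the rest
//    ("s awesome ...") is parsed as SQL and the statement is rejected.
try {
    $pdo->exec("INSERT INTO tableName (text) VALUES ('$my_text')");
    echo "Concatenated query unexpectedly succeeded" . PHP_EOL;
} catch (PDOException $e) {
    echo 'Concatenated query failed: ' . $e->getMessage() . PHP_EOL;
}

// 2. The fix: a prepared statement. The SQL text contains only a placeholder;
//    the value is sent separately and is never parsed as SQL, so quotes,
//    backslashes and "Bobby Tables" style input are all stored verbatim.
//    No htmlentities() on the way in: that changes the stored data.
$stmt = $pdo->prepare('INSERT INTO tableName (text) VALUES (:text)');
$stmt->execute([':text' => $my_text]);

// 3. Read it back; HTML-encode at output time, which is where it belongs.
$stored = $pdo->query('SELECT text FROM tableName')->fetchColumn();
echo 'Stored: ' . $stored . PHP_EOL;   // still contains It's, unchanged
echo '<textarea name="text_from_form">'
    . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')
    . '</textarea>' . PHP_EOL;
```

Note that escaping functions such as `mysqli_real_escape_string()` only work when the query and the connection charset agree; a bound parameter has no such dependency.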