I need to allow special characters including ' in MySQL. I have a "bio" text field which allows user data and I am using the POST method. My PHP is included:
$uid = $_POST["UID"];
$bio = $_POST["bio"];
$update_query = "UPDATE `User` SET bio = '$bio' WHERE uid = '$uid';";
$conn->query( $update_query );
$conn->close()
All the users are verified so there should be no danger in allowing them to use special characters. How can I update my code?
You can escape the string by using the mysqli_real_escape_string() function. Here is some Documentation. Basically, you pass in a connection and a string, and it returns a safe string to input into your database.
In your case you would do something like this:
$uid = mysqli_real_escape_string($conn, $_POST["UID"]);
$bio = mysqli_real_escape_string($conn, $_POST["bio"]);
ps: you should always use mysqli in php
@Alex Tartan is absolutely correct, you should be using prepared statements. Not only do they solve this problem completely, but they go a long way toward protecting you from malicious users. Here's an example:
$host = 'localhost';
$db = 'my_database';
$user = 'my_username';
$pass = 'my_password';
$charset = 'utf8';
$dsn = "mysql:host=$host;dbname=$db;charset=$charset";
$opt = [
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
PDO::ATTR_EMULATE_PREPARES => false
];
$pdo = new PDO($dsn, $user, $pass, $opt);
$stmt=$pdo->prepare("UPDATE `User` SET bio = :bio WHERE uid = :uid");
$stmt->bindParam('bio', $_POST['bio']);
$stmt->bindParam('uid', $_POST['UID']);
$stmt->execute();
The reason this is so valuable is the variable values (e.g., the contents of $_POST['bio']) are sent to the database seperate from the SQL query. Thus, they need no special treatment and may contain pretty much anything your character set allows.
