
I have been building a system with PHP & MySQL. Up until now, everything has been fine, but now when I save data from a text field, it has started adding the escape characters. For example, trying to save the string

It's good

saves as

It\'s good

The insert query I am using is

```php
// Only descriptionField is passed through mysqli_real_escape_string();
// the other values are concatenated into the SQL string as received.
$query = "INSERT INTO jobs(customerId,
 jobDateReceived,
 jobReceivedBy,
 jobPONo,
 jobCompletionDate,
 jobPrice,
 jobIncExVat,
 jobPriceEstimate,
 jobZeroPrice,
 jobDescription,
 jobEngraving,
 jobEngraveComplete,
 jobLaser,
 jobLaserComplete,
 jobWood,
 jobWoodComplete,
 jobQualityControl)
 VALUES('".$_SESSION['customerId']."', '"
 .$_POST['recDateField']."', '"
 .$_POST['recByField']."', '"
 .$_POST['purchOrderField']."', '"
 .$_POST['completionDateField']."', '"
 .$_POST['priceField']."', '"
 .$_POST['vatRadios']."', '"
 .$estimateYN."', '"
 .$zeroPriceYN."', '"
 .mysqli_real_escape_string($link, $_POST['descriptionField'])."', '"
 .$engravingYN."', 'N', '"
 .$laserYN."', 'N', '"
 .$woodYN."', 'N', 'I')";
```

Can anyone help as to why this may have stopped working?

Nik
  • Have you checked your system to make sure the mysqli php extension is properly loaded? – Difster Aug 01 '17 at 08:34
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Aug 01 '17 at 08:36
  • How about stop using escapes and use prepared statements? – Hatted Rooster Aug 01 '17 at 08:37
  • What @RickAstley said, because saying it once is usually not enough – DarkMukke Aug 01 '17 at 08:38
  • Try to provide a [mcve]. You've described the string you are trying to save, but you haven't shown where it comes into the system or how you are examining it to see the extra slash. We can't tell where in the system the slash is being added. – Quentin Aug 01 '17 at 08:38
  • PS: That's what `mysqli_real_escape_string()` does. **It escapes quotes** – RiggsFolly Aug 01 '17 at 08:49
  • I am sorry - I am new here, and am not sure what a minimal, complete, and verifiable example needs. The input is coming from an HTML form which is POSTed. The form has no backslashes, but it is saved in the database with backslashes, which are then retrieved. Before, it would just save and retrieve the special character – Nik Aug 15 '17 at 12:42

1 Answer

1) Advice: use a prepared statement. Using a prepared statement with bound parameters allows apostrophes.

2) Use these functions to store your data before saving to the database; they will preserve the apostrophe.

  • use `htmlentities($yourdata, ENT_QUOTES | ENT_HTML5, 'UTF-8')`: converts special characters to HTML entities.
  • use `htmlspecialchars()` OR
  • use `addslashes()`: escapes special characters with the backslash.

Michael GEDION
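As an added example that is not part of the question or the answer above: the OP's INSERT rewritten as a mysqli prepared statement, plus a prepared SELECT to read the description back, so the apostrophe round-trips without any escaping function and the origin of the extra slash can be narrowed down. It assumes the `$link` connection and the `$estimateYN`-style flags from the question, PHP 7.0 or later, and a primary key column named `jobId`, which the question does not show.

```php
<?php
// Added example, not the OP's or the answerer's code: the same INSERT as a mysqli
// prepared statement. SQL text and values travel separately, so nothing is escaped
// in PHP and "It's good" is stored as typed. Assumes the $link connection and the
// $estimateYN-style flags from the question, PHP >= 7.0, and a key column jobId (assumed).
function insertJob(mysqli $link, array $post, int $customerId, string $estimateYN,
                   string $zeroPriceYN, string $engravingYN, string $laserYN,
                   string $woodYN): int
{
    $sql = "INSERT INTO jobs (customerId, jobDateReceived, jobReceivedBy, jobPONo,
                jobCompletionDate, jobPrice, jobIncExVat, jobPriceEstimate,
                jobZeroPrice, jobDescription, jobEngraving, jobEngraveComplete,
                jobLaser, jobLaserComplete, jobWood, jobWoodComplete, jobQualityControl)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'N', ?, 'N', ?, 'N', 'I')";
    $stmt = $link->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    // 13 placeholders: one int (customerId) then 12 strings. A missing form field
    // becomes '' instead of raising a notice.
    $params = [
        $customerId,
        $post['recDateField'] ?? '', $post['recByField'] ?? '',
        $post['purchOrderField'] ?? '', $post['completionDateField'] ?? '',
        $post['priceField'] ?? '', $post['vatRadios'] ?? '',
        $estimateYN, $zeroPriceYN,
        $post['descriptionField'] ?? '',   // no mysqli_real_escape_string() needed
        $engravingYN, $laserYN, $woodYN,
    ];
    $stmt->bind_param('i' . str_repeat('s', 12), ...$params);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $id = (int) $link->insert_id;
    $stmt->close();
    return $id;
}

// Read the row back the same way. If this returns "It's good" without a
// backslash, the slash was added to $_POST before the INSERT ran, not by MySQL.
function fetchJobDescription(mysqli $link, int $jobId): ?string
{
    $stmt = $link->prepare('SELECT jobDescription FROM jobs WHERE jobId = ?');
    $stmt->bind_param('i', $jobId);
    $stmt->execute();
    $stmt->bind_result($description);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $description : null;
}
```

If the read-back still shows a backslash, compare `$_POST['descriptionField']` at the top of the script with what the form sent, since the prepared statement itself adds nothing.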