11

I have been struggling with a small problem for a while. It's been there for years but it's just been an irritating problem and not a serious one, and I have just worked around it. But now I want to find out if anyone can help me. I have done some google'ing but no success.

If I do a form post from a html textarea in a php file like this:

<form action="http://action.com" method="post">
<textarea name="text"><a href="http://google.com">google's site</a></textarea>
</form>

and of course there is a submit button and so on.

The value is the problem: <a href="http://google.com">google's site</a> The value of the textarea have both "(Quotation mark) and '(Apostrophe).

To save this in a mysql_database I do this:

$result = mysql_query("INSERT INTO `table` (`row1`) VALUES ('".$_POST['text']."') ") or die(mysql_error());

And now I get the mysql error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's site'' at line 1

J3STER
  • 1,027
  • 2
  • 11
  • 28
Daniel Rufus Kaldheim
  • 163
  • 1
  • 1
  • 8
  • 2
    You *must* escape the string properly or you're allowing [SQL](http://en.wikipedia.org/wiki/SQL_injection) [Injection](http://xkcd.com/327/). As a nice side effect, preventing SQL injection will solve your problem. – thirtydot Jan 11 '11 at 16:28
  • You can you mysql_real_escape_string() – bharath Jan 11 '11 at 16:28

8 Answers8

22

Your sql string will be:

INSERT INTO `table` (`row1`) VALUES ('google's site')

Which is not a valid statement. As Nanne wrote, escape the string at least with mysql_real_escape_string : http://php.net/manual/en/function.mysql-real-escape-string.php

And read about sql injection http://en.wikipedia.org/wiki/SQL_injection

Think a bit: if someone posts this: $_POST['text'] with value: ');delete from table;....

Your can say good bye to your data :)

Always filter/escape input!

EDIT: As of PHP 5.5.0 mysql_real_escape_string and the mysql extension are deprecated. Please use mysqli extension and mysqli::escape_string function instead

Adam Lindsay
  • 396
  • 3
  • 10
Peter Porfy
  • 8,921
  • 3
  • 31
  • 41
  • input filtering has nothing to do with SQL. And escaping must be done for the every data, not just input – Your Common Sense Jan 11 '11 at 16:37
  • 1
    Lol, why the downvote? We are talking about input here, thats why i wrote about input. – Peter Porfy Jan 11 '11 at 16:39
  • 1
    That is why there is a ... at the end, I wrote it only to show anybody can run any sql with the current code. The question wasnt 'When should I escape data?' as I see, but 'what is wrong...' – Peter Porfy Jan 11 '11 at 16:46
  • 2
    Thanks for this, you gave me a heads up with the delete for table. The actual example is not that important to me. It's where I can find future answers! thanks! – Daniel Rufus Kaldheim Jan 11 '11 at 16:49
  • 10
    @pinusnegra: Pay no attention to Col. Shrapnel. His parents used to lock him in the closet for hours on end. Just pat him on the head and say, "Thanks, Colonel." And then briskly walk away. – webbiedave Jan 11 '11 at 18:43
10

Always at least use mysql_real_escape_string when adding user-provided values into the Database. You should look into binding parameters or mysqli so your query would become:

INSERT INTO `table` (`row1`) VALUES (?)

And ? would be replaced by the actual value after sanitizing the input.

In your case use:

$result = mysql_query("INSERT INTO `table` (`row1`) VALUES ('".mysql_real_escape_string($_POST['text'])."') ") or die(mysql_error());

Read up on SQL Injection. It's worth doing right ASAP!

methodin
  • 6,717
  • 1
  • 25
  • 27
3

you can use addslashes() function. It Quote string with slashes. so, it will be very useful to you when you are adding any apostrophe in your field.

$result = mysql_query("INSERT INTO `table` (`row1`) VALUES ('".addslashes($_POST['text'])."') ") or die(mysql_error());
Hemi
  • 829
  • 1
  • 9
  • 12
3

Escape the string :D

http://php.net/manual/en/function.mysql-real-escape-string.php

Nanne
  • 64,065
  • 16
  • 119
  • 163
1

instead of using the old mysql* functions, use PDO and write parameterized queries - http://php.net/pdo

Stephen
  • 18,597
  • 4
  • 32
  • 33
0

I was also Struggling about characters when I was updating data in mysql.

But I finally came to a better answer, Here is:

$lastname = "$_POST["lastname"]"; //lastname is : O'Brian, Bran'storm

And When you are going to update your database, the system will not update it unless you use the MySQL REAL Escape String. Here:

$lastname = mysql_real_escape_string($_POST["lastname"]);  // This Works Always.

Then you query will update certainly. 

Example: mysql_query("UPDATE client SET lastname = '$lastname' where clientID = '%"); //This will update your data and provide you with security.

For More Information, please check MYSQL_REAL_ESCAPE_STRING

Hope This Helps

Micheal P.
  • 55
  • 11
0

Just use prepared statements and you wouldn't have to worry about escaping or sql injection.

$con = <"Your database connection">;
$input = "What's up?";
$stmt = $con->prepare("insert into `tablename` (`field`)values(?)");
$stmt->bind_param("s",$input);
$stmt->execute();
Vaibhav Tomar
  • 107
  • 1
  • 5
0

If you are using php version > 5.5.0 then you have to use like this

$con = new mysqli("localhost", "your_user_name", "your_password", "your_db_name");

if ($con->query("INSERT into myCity (Name) VALUES ('".$con->real_escape_string($city)."')")) {
    printf("%d Row inserted.\n", $con->affected_rows);
}
A.A Noman
  • 5,244
  • 9
  • 24
  • 46