
My question is: How do you allow single quotes in strings?

For example, I have a form, and a text box. It is set up to allow the user to enter their name. From there, it posts and feeds the data into a database.

I need to be able to allow single quotes (apostrophe) as some people's names have an apostrophe in their names, such as "O'Reilly".

Any suggestions?

idle sign
drewrockshard
  • You don't have to do anything to allow single quotes in strings. PHP won't automatically remove single quotes or any other character. If the user inputs a name with an apostrophe, it'll still have an apostrophe in `$_POST`. So what is the actual problem you're having that you want help with? – Dan Grossman Feb 26 '11 at 08:07
  • +1 for @Dan Grossman's comment. Maybe you are trying to ask how you will 'properly' save text information involving single quotes in a database? – John Bautista Feb 26 '11 at 08:10
  • Whoever down-voted my post is a jackass. I'm in the process of learning, and for me to ask a basic question doesn't mean that it's a stupid question. – drewrockshard Feb 26 '11 at 08:10
  • @Jairo: That's what I'm asking; I didn't know I had to be so specific. – drewrockshard Feb 26 '11 at 08:11
  • Yes, I learned it the hard way, haha. That's why from then on my questions are quite verbose and specific. – John Bautista Feb 26 '11 at 08:20

4 Answers

8

Single quotes are not forbidden in any way. I'll simply assume that you got an error inserting it into the database. This is likely due to the omission of mysql_real_escape_string() on input values.

You will get an SQL error if you try INSERT ... ('O'Reilly') which is the whole point of the SQL escaping functions.

(This is why magic_quotes were originally introduced: to make SQL work out of the box for newcomers. - Not to make that particularly secure.)

mario
  • Thanks for the prompt and informational response. I've never really dealt with single quotes in my PHP development, as I do this (PHP-DEV) on the side. I was indeed receiving MySQL errors, not PHP errors. `mysql_real_escape_string()` did the trick! Thanks! – drewrockshard Feb 26 '11 at 08:16
5

Use the mysql_real_escape_string() function on any text that you insert into your database. You might be getting an error in your script if you are posting the data directly into your database because what you are actually doing is ending the MySQL quote.

It's also a security necessity that you escape your data. Something like the following is what you should have:

$q = "INSERT INTO `table` (`body`) VALUES ('".mysql_real_escape_string($_POST['body'])."')";
Sam Becker
2

If I am reading your question correctly, you have coded an SQL Injection bug into your program, allowing slightly malicious people and viruses to read and write your database. (Imagine someone typing in ';drop table users; into a field... goodbye data.)

The easiest way to combat SQL Injection attacks is to write your SQL queries using prepared statements, which ask the database libraries to handle input data safely:

<?php
// $dbh is an existing PDO connection, e.g. new PDO('mysql:host=localhost;dbname=test', $user, $pass).
// The placeholders are bound to PHP variables; the values are sent separately from the SQL text,
// so an apostrophe (or anything else) in $name can never change the shape of the statement.
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

// insert another row with different values
$name = 'two';
$value = 2;
$stmt->execute();
?>
sarnold
0
Use like:

// every value that lands inside the quotes goes through mysql_real_escape_string(), not only $result4
$sql = "insert into question(question,points,choice1,choice2,
        choice3,choice4,choice3_correct,tags,error_status,
        base_or_derived,language)
        values('".mysql_real_escape_string($result4)."',
        '".mysql_real_escape_string($points)."','".mysql_real_escape_string($ans1)."','".mysql_real_escape_string($ans2)."',
        '".mysql_real_escape_string($correct_ans)."','".mysql_real_escape_string($ans3)."','1','".mysql_real_escape_string($tags)."',
        '".mysql_real_escape_string($error)."','D','".mysql_real_escape_string($language)."')";
kal