Help I can't input values in database if my input has (') sign

If I go to Chrome I can input it to my database, but if I put a (') sign it produces an error.

```html
<form action="addsong.php" method="POST">
    <h1>Add A Song</h1>
    <div class="form-box">
        <textarea type="text" class="seach-field title" name="title" placeholder="Title" required></textarea>
        <textarea type="text" class="seach-field" name="verse1" placeholder="Verse 1" required></textarea>
        <textarea type="text" class="seach-field" name="verse2" placeholder="Verse 2" ></textarea>
        <textarea type="text" class="seach-field" name="verse3" placeholder="Verse 3" ></textarea>
        <textarea type="text" class="seach-field" name="refrain" placeholder="Refrain" ></textarea>
        <textarea type="text" class="seach-field" name="chorus" placeholder="Chorus" required></textarea>
        <textarea type="text" class="seach-field" name="bridge" placeholder="Bridge" ></textarea>
        <br /><br />
        <button type="submit" class="search-btn noEnterSubmit" name="add-song">Add</button>
        <button type="reset" onclick="window.location.href = 'index.php';" class="cancel left">Cancel</button>

    </div>
</form>
```

This is my addsong.php:

```php
$conn = mysqli_connect('localhost:3306', 'root', '', 'copy_cat');

// Form values are copied into the SQL string below exactly as submitted.
$titles = $_POST['title'];
$v1 = $_POST['verse1'];
$v2 = $_POST['verse2'];
$v3 = $_POST['verse3'];
$refrain = $_POST['refrain'];
$chorus = $_POST['chorus'];
$bridge = $_POST['bridge'];

$query = "INSERT INTO songs (title,verse1,verse2,verse3,refrain,chorus,bridge) VALUES ('$titles','$v1','$v2','$v3','$refrain','$chorus','$bridge')";
$query_run = mysqli_query($conn, $query);

if ($query_run) {
    $_SESSION['success'] = "Song Successfully Added";
    header('Location: index.php');
} else {
    $_SESSION['status'] = "Song Not Added";
    header('Location: error.php');
}
```
Simson
  • 3,373
  • 2
  • 24
  • 38
Punisher
  • 11
  • 3
  • You can use `addslashes()` in your PHP code: [https://www.php.net/manual/en/function.addslashes.php](https://www.php.net/manual/en/function.addslashes.php), or if you're using mysqli then [mysql-escape-string](https://www.php.net/manual/en/function.mysql-escape-string.php). The problem is most likely to occur if you wrap the SQL query inside (') single quotes or (") double quotes and the values that you pass also contain the quote. You just need to escape it using addslashes or mysqli_real_escape_string. – danish-khan-I Oct 22 '19 at 05:42
  • Maybe `mysqli_real_escape_string()`? Your issue is with php and (my)sql, you've shown us html and not provided the error that was produced. Don't use `addslashes` use the method that's appropriate to the database you're corresponding with, addslashes does not account for charset like the database specific escaping functions do – zanderwar Oct 22 '19 at 05:42
  • @danish-khan-I you've linked a deprecated function. Do NOT use `mysql*` use `mysqli*` – zanderwar Oct 22 '19 at 05:47
  • just checked it here [https://www.php.net/manual/en/mysqli.real-escape-string.php](https://www.php.net/manual/en/mysqli.real-escape-string.php) – danish-khan-I Oct 22 '19 at 05:48
  • I use mysqli_real_escape_string() but it doesn't put ' in database – Punisher Oct 22 '19 at 05:49
  • Show your php @Punisher, what you've provided isn't helpful for anyone trying to assist you – zanderwar Oct 22 '19 at 05:51
  • without looking into your code @Punisher we can't help. – danish-khan-I Oct 22 '19 at 05:55
  • If you put a backslash( \ ) in front of the quotation it won't give you the error anymore. – craft9861 Oct 22 '19 at 05:57
  • @craft9841 in front of what quotation – Punisher Oct 22 '19 at 06:01
  • In front of the (') sign in your input (what you are trying to send to the database). If everything else is fine then this should work. – craft9861 Oct 22 '19 at 06:03
  • Rather than escaping the string, do it properly and use prepared statements. They provide other benefits rather than use something like a plaster to fix the current issue. – Nigel Ren Oct 22 '19 at 06:25
  • @craft9841 is there any possible way to save it to database – Punisher Oct 22 '19 at 06:27
  • @NigelRen can you help me to fix this – Punisher Oct 22 '19 at 06:28
  • Have a read of [this answer](https://stackoverflow.com/a/60496/1213708) from the first duplicate, it shows how to do a prepared statement. – Nigel Ren Oct 22 '19 at 06:30
  • ok i fix it ty guys have a nice day – Punisher Oct 22 '19 at 06:33

1 Answer

Syntax :

mysqli_real_escape_string ( mysqli $link , string $escapestr ) : string

$link is your database connection & $escapestr is what you need to escape.

```php
$conn = mysqli_connect('localhost:3306', 'root', '', 'copy_cat');

$titles = mysqli_real_escape_string($conn, $_POST['title']); // this is what you were missing.
$v1 = mysqli_real_escape_string($conn, $_POST['verse1']);
$v2 = mysqli_real_escape_string($conn, $_POST['verse2']);
$v3 = mysqli_real_escape_string($conn, $_POST['verse3']);
$refrain = mysqli_real_escape_string($conn, $_POST['refrain']);
$chorus = mysqli_real_escape_string($conn, $_POST['chorus']);
$bridge = mysqli_real_escape_string($conn, $_POST['bridge']);

// The escaped values are only safe inside the quoted string literals below.
$query = "INSERT INTO songs (title,verse1,verse2,verse3,refrain,chorus,bridge) VALUES ('$titles','$v1','$v2','$v3','$refrain','$chorus','$bridge')";
$query_run = mysqli_query($conn, $query);

if ($query_run) {
    $_SESSION['success'] = "Song Successfully Added";
    header('Location: index.php');
} else {
    $_SESSION['status'] = "Song Not Added";
    header('Location: error.php');
}
exit; // stop the script once the redirect header has been sent
```
danish-khan-I
  • 776
  • 6
  • 15
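
The prepared-statement approach recommended in the comments, applied to this `addsong.php`. This is an added example, not code from the question or the answer; it assumes the `songs` table and connection settings shown in the question, and `add_song()` is a hypothetical helper name.

```php
<?php
// Added example: addsong.php using a mysqli prepared statement.
// Assumes the `songs` table and connection settings from the question.
session_start();

// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: inserts one song from submitted form data.
function add_song(mysqli $conn, array $input): bool
{
    $fields = ['title', 'verse1', 'verse2', 'verse3', 'refrain', 'chorus', 'bridge'];

    // Optional textareas may be absent, and title[]=x arrives as an array:
    // anything that is not a plain string is stored as an empty string.
    $values = [];
    foreach ($fields as $f) {
        $values[] = (isset($input[$f]) && is_string($input[$f])) ? $input[$f] : '';
    }

    // The SQL text contains only placeholders; the values are sent to the
    // server separately, so quotes in the input are data, never SQL syntax.
    $stmt = $conn->prepare(
        'INSERT INTO songs (title, verse1, verse2, verse3, refrain, chorus, bridge)
         VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssssss', ...$values);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

try {
    $conn = mysqli_connect('localhost:3306', 'root', '', 'copy_cat');
    $conn->set_charset('utf8mb4');
    add_song($conn, $_POST); // a title such as "Don't Stop" is stored verbatim
    $_SESSION['success'] = 'Song Successfully Added';
    header('Location: index.php');
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; the user only sees the generic status.
    error_log('addsong.php: ' . $e->getMessage());
    $_SESSION['status'] = 'Song Not Added';
    header('Location: error.php');
}
exit;
```

No escaping function is called anywhere: with bound parameters the stored text is exactly what was typed, including `'`, `"` and `\`.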