-1

I have a form from where I get POST data and I am going through each of them and updating them to the database. But the problem is it doesn't handle quotes properly. It's stripping off at the quote. I tried different approaches, but all failed. Please guide.

foreach ($_POST as $param_name => $param_val) {

    // code removed for clarity

    $data  = array($col_name => $param_val);
    $where = array($col_id => $col_id_val);

    // run the query
    $wpdb->update($table_name, $data, $where);
}

If there's an input like What's my name? for $param_val, in the database it gets updated as What\'s my name?.

Please help.

LittleLebowski
  • Why are you trying to manually assemble the query here, why is the `$wpdb->update` part commented out? What was the actual _problem_ with that? `// I tried using stripslashes also` – why, what for? – CBroe Aug 21 '20 at 07:24
  • That part is commented to show both the approaches. When uncommented, I will comment the `$wpdb->query($update);` part – LittleLebowski Aug 21 '20 at 07:25
  • I tried manually too just to check if there's an issue with `wpdb update`, so was trying out `wpdb query`. But the issue persists. Even if I remove `stripslashes`, the `wpdb update` query strips off the part of text after quotes. – LittleLebowski Aug 21 '20 at 07:28
  • @CBroe I have updated the code for clarity. – LittleLebowski Aug 21 '20 at 07:30
  • The documentation for that method clearly states, _“Both $data columns and $data values should be "raw" (neither should be SQL escaped).”_ - so you should not have to do _anything_ to your data yourself, before you feed it to this method. What is actually going wrong here, can not be told with certainty, from what info you have given so far. – CBroe Aug 21 '20 at 07:34
  • Did you actually check what lands in the database, _outside_ of the WP environment? For example, by looking into the table via phpMyAdmin? Or are you drawing a (potentially faulty) conclusion from what you see somewhere in your WP frontend afterwards? – CBroe Aug 21 '20 at 07:35
  • @CBroe I am not doing anything with `$param_val`, I was trying out `stripslashes_deep` but without doing anything too, the query fails. Hence the question on Stackoverflow. – LittleLebowski Aug 21 '20 at 07:36
  • @CBroe thanks for the insight. I did check now and it's actually adding `What\'s my name?` into the database. Normally, when I do an insert it shows up in the database as `What's my name?`. So the issue persists. It's adding the escape character to the DB. That's wrong again. – LittleLebowski Aug 21 '20 at 07:47
  • Whoever voted to close this question needs to re-evaluate his/her priorities. The question can't be clearer. If there were ambiguities, it would be more beneficial for the SO community to clarify in comments before downvoting ruthlessly. SO already has a bad rep of closing questions. My 2 cents. – LittleLebowski Aug 21 '20 at 08:31

2 Answers

1

If anyone's looking for an answer, here's how I solved it using wp_unslash:

foreach (wp_unslash($_POST) as $param_name => $param_val)

Took inspiration from this answer: https://stackoverflow.com/a/7342562/1230252

LittleLebowski
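For context on why that one-line fix works, here is an added example (not code from the question or either answer) of a complete update handler written the way WordPress expects: it assumes it runs inside a loaded WordPress environment (global `$wpdb`, `wp_unslash()`, `sanitize_text_field()`, `wp_verify_nonce()`, `current_user_can()`), and the table, column, nonce and capability names are hypothetical placeholders.

```php
<?php
// Added example, not from the question or answers. Assumes WordPress is loaded.
// Table/column/nonce/capability names below are hypothetical placeholders.

function example_update_profile_row(int $row_id): bool {
    global $wpdb;

    // Fixed allow-list: which POST fields may be written, to which column,
    // with which $wpdb format. $wpdb->update() interpolates column names into
    // the statement unescaped, so they must never be taken from the request.
    $allowed = [
        'display_name' => ['column' => 'display_name', 'format' => '%s'],
        'bio'          => ['column' => 'bio',          'format' => '%s'],
        'age'          => ['column' => 'age',          'format' => '%d'],
    ];

    // Authorisation and CSRF checks before touching the database.
    if ( ! current_user_can('edit_posts') ) {
        return false;
    }
    $nonce = isset($_POST['_example_nonce']) ? wp_unslash($_POST['_example_nonce']) : '';
    if ( ! wp_verify_nonce($nonce, 'example_update') ) {
        return false;
    }

    // WordPress adds slashes to $_POST on load (wp_magic_quotes()), while
    // $wpdb->update() expects raw, unescaped values and escapes them itself.
    // Passing the slashed values straight through is what stores "What\'s my name?".
    $post = wp_unslash($_POST);

    $data   = [];
    $format = [];
    foreach ($allowed as $field => $spec) {
        if ( ! array_key_exists($field, $post) ) {
            continue;
        }
        $value = $post[$field];
        $data[$spec['column']] = ($spec['format'] === '%d')
            ? (int) $value
            : sanitize_text_field($value);   // keeps the apostrophe in "What's my name?"
        $format[] = $spec['format'];
    }
    if (empty($data)) {
        return false;
    }

    $table  = $wpdb->prefix . 'example_profiles';
    // Explicit formats for both SET and WHERE values; $wpdb quotes/escapes them.
    $result = $wpdb->update($table, $data, ['id' => $row_id], $format, ['%d']);
    return $result !== false;   // false on SQL error; 0 rows (no change) is still success
}
```

Checking the stored row outside WordPress (for example in phpMyAdmin, as suggested in the comments) is the quickest way to confirm the apostrophe now lands without a backslash.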
-1

Yes, this is because it breaks the SQL statement; you should use prepared statements to avoid this problem.

$update = "UPDATE ".$table_name." SET ".$col_name."='What's my name?' WHERE ".$col_id."=".$col_id_val;

Here is a link to it: https://www.w3schools.com/php/php_mysql_prepared_statements.asp

  • No, in a WordPress environment, one shouldn’t. Using the functionality WP explicitly provides for this is the way to go. – CBroe Aug 21 '20 at 07:27
  • @CBroe I have updated the question. Can you tell me what's wrong now? Still doesn't work. – LittleLebowski Aug 21 '20 at 07:32