how to insert text containing qutation mark...?

ms_kout · November 30th, 2008, 03:11 AM

Dear php devs
I face a problem when the user type a text to be inserted into mysql using direct insert statement, the problem occured whenever that text containing a single quotation mark, that makes the syntax incorrect.
how to avoid that?

Old Pedant · November 30th, 2008, 03:36 AM

You have to double up the apostrophes.

Example:

INSERT INTO people (lastname) VALUES( 'O''Brien' );

And that will actually insert O'Brien

Okay?

ms_kout · November 30th, 2008, 03:54 AM

how to insert it as it is
I mean user sometimes type I'm, I want to display it as it is not I''m
thanks alot

ms_kout · November 30th, 2008, 11:38 AM

got it
$q=sprintf("insert into news (title,brief,details,date,img) values ('%s','%s','%s','%s','%s')",mysql_real_escape_stri ng($_POST["title"]),mysql_real_escape_string($_POST["brief"]),mysql_real_escape_string($_POST["details"]),mysql_real_escape_string(date("d/m/y")),mysql_real_escape_string($img));
mysql_query($q);

thanks

Old Pedant · December 1st, 2008, 02:47 AM

Yes, except you don't need to escape the date. That function you are using can't possibly produce an apostrophe.

Hmmmm...but that's the wrong format for a date with MySQL. MySQL *ONLY* accepts yyyy-mm-dd format.

Did you perhaps goof and make your date field a text type instead of a DATETIME type???

Incidentally, date is a keyword in MySQL, so you really should enclose it in `...`
to be sure MySQL takes it as a field name. (In an INSERT like this, it's probably okay
as is, but it's a bad habit to get into, omitting the `...` around field names that are keywords.)

zeronexxx · December 23rd, 2008, 09:19 PM

the best way to say and data into your database is use the following

PHP Code:


			
$sometext = $_POST['sometext'];

include('connect.php'); //connect to database

$sometext = mysql_real_escape_string($sometext); // prevent from SQL injections

$sometext = html_entities($sometext); // prevent from XSS

when you want to display it to the end user use following

PHP Code:


			
echo stripslashes($sometext);

hope the above help;

you can also do some encoding like to covert to utf-8 before saving to database but depends on your requirement.

Thanks

happygv · January 8th, 2009, 02:49 AM

Another way to do that is wrap the text in DOUBLE QUOTEs.

"I'm"

Hope that helps.

msman88 · January 19th, 2009, 06:46 PM

You seem that you are tutor in ahgaff university in mukalla, Really...!?

anees_muhd · March 5th, 2009, 06:06 AM

There are two functions in PHP called
addslashes() and
stripslashes()

Addslashes() will add '\' (An escaping character) where ever it needs when it stores into DB

stripslashes() will reverse the operation and it needs when we want to display the content to user.