I'm having problems getting special characters like apostrophes and such from being added into my database.
I have the following code that adds data from a form into my database.
mysql_query("INSERT INTO people(`ID`, `Name`, `Description`)
VALUES (NULL, '$name', '$desc')") or die(mysql_error());
Form code looks like so:
$query = "SELECT * FROM people";
$result = mysql_query($query);
while ($person = mysql_fetch_array($result)){
echo "<h3>" . $person['Name'] . "</h3>";
echo "<p>" .$person['Description'] . "</p>"}`
How would I go about fixing this so that the string field accepts special characters?
if you want add special character in MySQL database use
mysql_real_escape_string($name)
after that insert into database
You could use mysql_real_escape_string
$insert_data = mysql_real_escape_string($input_data);
Assuming that you have the data stored as $input_data
Just use mysql_real_escape_string
$insert_data = mysql_real_escape_string($input_data);
Assuming that you have the data stored as $input_data
Related
I am using the normal INSERT sql statement, but for some reason when I insert code, It comes up as this. Here is my code:
$sql="insert into comments (username, comment) values ('$name','$comment')";
mysqli_query($link, $sql);
My SQL table:
MySQL's output formatting doesn't work well when there are control characters in a string. It expects each character in the string to take one horizontal space in the output, but newlines go to the beginning of the line.
You can show the newlines as escape sequences with:
SELECT username, REPLACE(comment, '\n', '\\n') AS comment, id
FROM comments;
It's also possible that there are carriage returns, which go to the beginning of the current line, if the input came from Windows. You can replace those as well with:
SELECT username, REPLACE(REPLACE(comment, '\n', '\\n'), '\r', '\\r') AS comment, id
FROM comments;
You only must use mysqli_real_escape_string() to escape all characters.
$sql="insert into comments (username, comment) values ('".mysqli_real_escape_string($name)."','".mysqli_real_escape_string($comment)."')";
mysqli_query($link, $sql);
OR
$name = $mysqli->real_escape_string($name);
$comment = $mysqli->real_escape_string($comment);
$sql="insert into comments (username, comment) values ('$name','$comment')";
mysqli_query($link, $sql);
Manual : http://php.net/manual/de/mysqli.real-escape-string.php
original post:
My script is not working (it's not recording the data). It was working before I added the mysql_real_escape_string, so I'm wondering if maybe I have not implemented it correctly:
$array = json_decode($downstream,TRUE);
$name = $array["status"]["name"];
$title = $array["status"]["title"];
$table = "mrTable";
$insert = "INSERT INTO $table (name, title) VALUES ('".mysql_real_escape_string($name)."', '".mysql_real_escape_string($title)."')";
Does that implementation at INSERT look correct to you?
UPDATE:
Here is the entire code, hopefully this will help. It is still not working though. When the real_escape_string function is used, NONE of the data elements get recorded in the database. As soon as I remove the escape function, data is written fine (unless of course an apostrophe shows up).
Here we go:
//read contents of this file:
$json_data = file_get_contents('../list.txt');
//json to a php array
$array = json_decode($json_data,TRUE));
//store in mysql table
$table = "table1";
$name = mysql_real_escape_string($array["current"]["name"]);
$code = mysql_real_escape_string($array["current"]["code"]);
$insert="INSERT INTO $table (name, code) VALUES ('$name', '$code')";
$con = mysql_connect($db, $user, $pass);
if (!$con)
{
die ('Could not connect: ' . mysql_error());
};
mysql_select_db($yup, $con);
mysql_query($insert) OR die(mysql_error());
mysql_close($con);
UPDATE 2
Fixed! You need to connect to the database before first mentioning mysql_real_escape_string. Everything is working now...no blank data.
You need to be connected to a database to use mysql_real_escape_string. You don't seem to be. Make sure mysql_connect is over your line where you define $insert
Never insert values directly into a query string! Even if they are escaped, it's not a smart idea. Instead, use parametrised statements as such, which will render attacks like ' OR 1 = 1-- useless. You don't need to escape values for parametrised statements either...
PREPARE statement FROM
'INSERT INTO table (col1, col2)
VALUES
(?, ?)'
EXECUTE statement USING ('val1', 'val2')
DEALLOCATE statement
Deallocate only when you're done. You can re-execute as many times as you'd like with different values. If you are going to re-execute anyways, there is a gain in performance as well from doing it this way! (Because the statement is only prepared once for an infinite number of executions.) I advise you to implement this method and then come back if you are still having problems.
Please don't try to escape your parameters. Use bind variables. See http://bobby-tables.com/php.html for examples.
I'm a bit new to codeigniter and I'm trying to run this simple query:
DESCRIBE `table_name`;
I tried this:
$sql = 'DESCRIBE ?';
$desc = $this->db->query($sql, $table)->result();
Which creates this query:
DESCRIBE 'table_name';
As you can see, the wrong quotes are being outputted when I bind the $table variable; they are value quotes ('), not table quotes (`). Am I doing this wrong?
thank you!
CodeIgniter's query bindings will escape things for you. It assumes that the data is a value, not a table name.
You're gunna have to escape the value yourself.
$table = $this->db->escape_str($table);
$sql = "DESCRIBE `$table`";
$desc = $this->db->query($sql)->result();
I am inserting data from perl in my sqlite database.
here is my coding:
how do i make this case work if my values have special characters like quotes?
sub ADDROWDATATODATABASE
{
my $dbh1 = $_[0];
my $table = $_[1];
my #DATA = #{$_[2]};
my $string = ();
foreach (#DATA) { $string .= "'$_',"; } $string =~ s/,$//;
$dbh1->do(qq|insert into $table values(NULL,$string);|);
my $date = `date`;
print "[MYSQLITE_ADDROW.pl] $date : ADDING DATA INTO DATABASE <p>";
}
Use placeholders and bind values. This will keep your program safer from SQL injection, too.
my $statement = $dbh->prepare("insert into $table VALUES(NULL, ?,?,?,?)");
$statement->execute(#DATA);
Assuming that the number of elements in #DATA is only known at runtime (and that it is the correct number of elements for $table), you can use
my $statement = $dbh->prepare("insert into $table VALUES(NULL" . ",?"x#DATA . ")";
$statement->execute(#DATA);
to make sure that the statement has the right number of placeholders.
You need to call a function to "escape" the values. How you do that depends on what database you're actually using — MySQL and SQLite are different products.
Also, you should explicitly name the columns in the INSERT statement:
INSERT INTO Table (Col1, Col2) VALUES (Val1, Val2)
I need to insert some data into mysql. I am not sure if I need to check the inputs OR format/strip them before they could be inserted into database fields as results returned from web may contain characters that mysql do not accept(I think). I have trouble with inserting tweets into mysql table. The type of field is varchar. This is insert statement in php script:
$json = $_POST['msg_top'];
$msg = json_decode($json);
foreach($msg->entry as $status)
{
$t = $status->content;
$query = "INSERT INTO msg2(id,msg,msg_id,depth) VALUES ('','$t','ID','3')";
mysql_query($query);
if(!mysql_query($query, $dbh))
{die('error:' .mysql_error());}
}
Yes, it's very important to escape all values before using them in an SQL command.
$json = $_POST['msg_top'];
$msg = json_decode($json);
foreach($msg->entry as $status) {
$t = mysql_real_escape_string($status->content);
$query = "INSERT INTO msg2(id,msg,msg_id,depth) VALUES ('','$t','ID','3')";
mysql_query($query);
if( !mysql_query($query, $dbh) ) {
die('error:' .mysql_error());
}
}
Also, other possible issues with your query:
If the id field is auto_increment'ing, you don't need it in the field or value list.
I may be missing something, but why are you using the string 'ID' for the msg_id field?
As for help troubleshooting this, I'd recommend just appending all of the $query strings to a log file for later inspection. Then, if problems aren't readily apparent, you can just manually try to run the command on the database (ie: maybe via PhpMyAdmin) and check out any error codes from there.