PHP + MySQL Escaping Special Characters IMPORTANT..Please
captainoats
- Forum Newbie
I have this variable, which is user input from a text box:
$item = $_POST['item']; // sponge bob's & crabby# patty
I insert $item into the table without any problems.
Now I want to use it in a SELECT QUERY.
Let's say we are on a different PHP page and I retrieved $item so I could use it in an SQL SELECT query.
$tempQuery = mysql_query("SELECT * from itemtable where item_name= '$item' "); // $item is pasted into the SQL unescaped
Remember: $item contains an apostrophe ('), ampersand (&) and pound sign (#).
How do I escape these characters so that my query will execute properly? Right now I'm getting an SQL error because of those special characters.
I'm using PHP5 + MySQL.
I would like to know how to escape all the special characters.
In plain English hehehe... I'm kinda new at this... THANKS
- superdezign
- DevNet Master
- John Cartwright
- Site Admin
captainoats
- Forum Newbie
Now just how do I apply it?
Could you tell me how to use that function, using my example $item:
$tempQuery = mysql_query("SELECT * from ITEMTABLE where item_name='$item'");
hehe.. thanks, I'd appreciate it if you guys help me. I'm so stressed trying everything @_@ I could really use some examples.
Did you visit superdezign's provided PHP manual link?
This is how you can use this
// mysql_real_escape_string() escapes the characters MySQL treats specially inside a
// quoted string (', ", \, NUL, \n, \r, ^Z) so the apostrophe no longer breaks the query
$tempQuery = mysql_query("SELECT * from ITEMTABLE where item_name='" . mysql_real_escape_string($item) . "'");
captainoats
- Forum Newbie
thanks
thanks... let me try it out... I'll tell you if it works... ciao!!!
BTW, do I have to turn on magic quotes or anything?
captainoats
- Forum Newbie
Working, but some chars cause problems:
#
&
+
I found out that these characters are not solved by mysql_real_escape_string()
The rest are okay...
Any ideas how to escape these characters...? Thanks
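The '&', '+' and '#' listed above are not SQL metacharacters, so mysql_real_escape_string() is right to leave them alone; the usual cause of trouble with them is $item being carried to the second page in a URL without encoding. As an added example (not code from any poster in this thread), here is the same lookup with the link built by rawurlencode() and the query run as a PDO prepared statement, so nothing is hand-escaped at all; the DSN, credentials and the itemtable layout are assumptions.

```php
<?php
// Constructed sample input: what $_POST['item'] held in the thread.
$item = "sponge bob's & crabby# patty";

// 1. Carrying $item to the next page. Without encoding, '&' starts a new
//    query parameter, '+' decodes to a space and '#' begins the URL fragment,
//    so the second page never receives the full value. PHP decodes $_GET
//    automatically, so the receiving side needs no urldecode() call.
$link = 'search.php?item=' . rawurlencode($item);
// $link is now: search.php?item=sponge%20bob%27s%20%26%20crabby%23%20patty

// 2. On search.php: bind the value instead of pasting it into the SQL text.
//    The driver handles quoting, so ', \, &, # and + are all plain data.
function findItem(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT * FROM itemtable WHERE item_name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumed connection details (placeholders).
$db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface SQL errors
    PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares
]);

$rows = findItem($db, $_GET['item'] ?? $item);
print_r($rows);
```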
- ReverendDexter
- Forum Contributor
- superdezign
- DevNet Master
ReverendDexter wrote: you could write a custom preg_match()...
http://us2.php.net/manual/en/function.preg-match.php
... preg_replace().
- John Cartwright
- Site Admin