Page 1 of 1

INSERT - PHP functions that ignores bad input such as ' &

Posted: Fri May 23, 2003 11:52 am
by HugoLeite
Hi there, I'm having a problem when I try to INSERT text within a MySQL database, if this text has quotes in it, is there any function to ignore them so that the INSERT doesn't throws a error?

Code: Select all

function insertForm($txt_name,$txt_text){
  $query="INSERT INTO table_name(id, desc) VALUES  ('$txt_name','$txt_text')";
  $result=$this->cDb->executeQuery($query);
  return $result;
}
if the $txt_text doesn't has quotes it works fine, but if it is something like : " Hello I'm ... " it ignores the data and keeps the old one, if i am editing an existing data of course, I haven't tried while i'm inserting...


:roll:

Thanks in advance...

Posted: Fri May 23, 2003 12:47 pm
by twigletmac

Posted: Fri May 23, 2003 12:50 pm
by HugoLeite
and is it need to handle the data while you are putting it out of the database, if you have used addslashes()??


Sorry for being annoying

:oops:

Posted: Mon May 26, 2003 10:32 am
by laserlight
You may have to use stripslashes()

Posted: Mon May 26, 2003 10:48 am
by HugoLeite
and if I use mysql_escape_string, could I use the data as is, withouth having to stripslashes() it when I get the data out of the database ??

Posted: Mon May 26, 2003 6:08 pm
by volka
yes, the purpose of mysql_escape_string() is to mark special characters as not special (escaping the special meaning).
mysql then only takes those characters but as data not as special chars

Code: Select all

mysql_query('insert something (textfld) values('.mysql_escape_string("testin'").')');
mysql will get the string

Code: Select all

insert something (textfld) values('testin''')
and recognizes the fist ' after testin not as string literal delimeter but as the char ' (not using the \ as data).