Thread: can't use ' in textarea?

  1. #1
    Join Date
    Feb 2010
    Location
    Falkirk, Scotland
    Posts
    142
    Thanks
    21
    Thanked 4 Times in 4 Posts

    can't use ' in textarea?

    I have recently been trying to find out why my form wouldn't insert into my MySQL table, but I found the problem.

    When a user writes in the textarea, they can't use an apostrophe ('), for example "there's a problem", or else it will not insert.

    But if they wrote "theres a problem", it posts just fine.

    I know my syntax must be right, else it wouldn't post in the first place.
    But if the user does insert ', the MySQL error says... problem with syntax.

    Any ideas? It has me stumped.
    Last edited by liamallan; 08-01-2010 at 03:45 PM. Reason: infraction

  2. #2
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    It's very hard to know without looking at all of your code, but it sounds to me like you aren't escaping the data.

    In PHP you probably have a query like this:
    $mysql = mysql_query("INSERT ... '$text';");

    Then if you have an apostrophe in the variable $text, it will end the string early and cause MANY problems, and it is also a HUGE security risk. A user can type mysql directly into the field like this:
    Hello.'; DROP TABLE....;

    You MUST ALWAYS escape user input to be safe and to avoid problems like this:

    $text = mysql_real_escape_string($text);

    That should fix it. Just use that immediately before your query (or in a different place if there's a reason...you'll probably know...).
    Daniel - Freelance Web Design | <?php?> | <html> | español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  3. #3
    Join Date
    Feb 2010
    Location
    Falkirk, Scotland
    Posts
    142
    Thanks
    21
    Thanked 4 Times in 4 Posts


    thanx mate, worked like a charm!

  4. #4
    Join Date
    Sep 2007
    Location
    Maui
    Posts
    647
    Thanks
    287
    Thanked 15 Times in 15 Posts


    I had this same problem a while ago and the way I fixed it was to set Magic Quotes on in the php.ini file. I believe the default is on but mine had been turned off somehow.

    Code:
    ; Magic quotes for incoming GET/POST/Cookie data.
    magic_quotes_gpc = On

    Perhaps I should also be using $text = mysql_real_escape_string($text); as well, or does Magic Quotes take care of that?

    Thanks.

  5. #5
    Join Date
    Jul 2010
    Location
    Minnesota
    Posts
    256
    Thanks
    1
    Thanked 21 Times in 21 Posts


    mysql_real_escape_string is the better way to go. magic_quotes has been deprecated and leads to easier SQL injection.

  6. The Following User Says Thank You to fastsol1 For This Useful Post:

    kuau (08-02-2010)

  7. #6
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5


    magic quotes also leads to other problems; for example, if you have data which is submitted via a form (magic quotes are applied), processed and then sent to a database (magic quotes are applied). As you can imagine, escaping at each step leaves a whole mess of extra quotes, and only one set is un-escaped when the data is pulled back out for use.

    Disabling magic quotes is highly recommended.

  8. The Following User Says Thank You to traq For This Useful Post:

    kuau (08-02-2010)
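
Added example, not code from any post in this thread: it reproduces the apostrophe failure from the first post, stores the same text through a PDO prepared statement (a different technique from the mysql_real_escape_string call suggested above), and models the double escaping described in the last post. Assumptions: the pdo_sqlite extension is available, and the table name, column name and sample input are constructed for illustration.

```php
<?php
// Constructed demo: in-memory SQLite table with hypothetical names.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

$text = "there's a problem";   // constructed textarea value, as in the first post

// 1. Query built by interpolating the value into the SQL text. The apostrophe
//    closes the string literal early, so the rest of the value is parsed as
//    SQL and the statement is rejected.
try {
    $db->exec("INSERT INTO comments (body) VALUES ('$text')");
    echo "interpolated query: row inserted\n";
} catch (PDOException $e) {
    echo "interpolated query: rejected (", $e->getMessage(), ")\n";
}

// 2. Prepared statement. The SQL text contains only a placeholder and the
//    value is bound separately, so it is never parsed as SQL and needs no
//    escaping step at all.
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $text]);
$stored = $db->query('SELECT body FROM comments')->fetchColumn();
echo "prepared statement: stored value matches input? ";
var_dump($stored === $text);

// 3. Double escaping, as described for magic quotes. addslashes() stands in
//    for what magic_quotes_gpc applied to request data; a second escaping
//    pass stands in for the application's own; stripslashes() models the
//    single layer that is undone when the query is parsed.
$fromRequest  = addslashes($text);           // layer added to incoming data
$escapedAgain = addslashes($fromRequest);    // layer added before the query
$afterOneUndo = stripslashes($escapedAgain); // only one layer is removed
echo "double-escaped value after one un-escape: ", $afterOneUndo, "\n";
echo "still equal to the original input? ";
var_dump($afterOneUndo === $text);
```

Step 3 uses string functions rather than the database because SQLite does not treat the backslash as an escape character, so the layering is shown directly on the strings.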
