  1. #1
    Regular Coder
    Join Date
    Sep 2009
    Posts
    165
    Thanks
    16
    Thanked 0 Times in 0 Posts

    Weird issue with mysql_real_escape_string

    I'm having a problem when using mysql_real_escape_string to allow apostrophes to be inputted into fields in a MySQL db.

    Basically it cuts off the value of the data after the first instance of an apostrophe. So "Testing testing's test testtesting" would be truncated to "Testing testing" and so forth.

    I'm using this code:

    PHP Code:
    $description = mysql_real_escape_string($_POST['_Description']);
    And the query (which otherwise works fine) is:

    PHP Code:
    $query = "UPDATE userdata SET RealName = '$realname', EmailAddress = '$emailaddress', YearOfBirth = '$yearofbirth', Profession = '$profession', Description = '$description' WHERE UserName = '$username'";
    Any idea why it's doing this?

    Thanks

  • #2
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    How are you determining the cutoff, via direct mysql client connection or through script? Make sure you are checking directly through a mysql client. You should get an error if it attempts to insert data that is injected with what you have here.
    Also execute a show create table and post the results: show create table userdata;.

  • #3
    Regular Coder
    Join Date
    Sep 2009
    Posts
    165
    Thanks
    16
    Thanked 0 Times in 0 Posts
    I'm using an external file dbconnect.php to connect to the database, this contains all the connection details. That's how I've always connected to the database though?

    What code would I use to run the show create table userdata?

    Interestingly when I checked the actual db record in phpMyAdmin I find that the data HAS been inputted correctly. So it looks as if the problem is when I display the data in the Edit form...
    Last edited by galahad3; 01-23-2012 at 04:29 PM.

  • #4
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Quote: Originally Posted by galahad3
    I'm using an external file dbconnect.php to connect to the database, this contains all the connection details. That's how I've always connected to the database though?

    What code would I use to run the show create table userdata?

    Interestingly when I checked the actual db record in phpMyAdmin I find that the data HAS been inputted correctly. So it looks as if the problem is when I display the data in the Edit form...
    Show create table is literally what I put in the code block above. That can be run directly in PHPMyAdmin or on a SQL client.
    It won't be necessary though, my assumption was either it was a display issue or it was a truncation due to a column length. Sounds to be a display issue, so your value= on your selection menu is using value='$recordColumn'. You need to run the variable through htmlentities($var, ENT_QUOTES); first.

  • Users who have thanked Fou-Lu for this post:

    galahad3 (01-23-2012)
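The display problem diagnosed in post #4, as an added example that is not code from the thread: the stored value is rendered into a single-quoted `value='...'` attribute three ways and parsed back to show what the form field actually receives. mysql_real_escape_string only protects the SQL statement, so the HTML output needs its own encoding. The field markup, the sample text and the helper names `parsed_value` and `render_field` are assumptions, and the script assumes PHP 7.4+ with the DOM extension.

```php
<?php
// Constructed sample: the text as it is correctly stored in the database.
$description = "Testing testing's test testtesting";

// Hypothetical helper: parse the markup the way a browser would and
// return the value the first <input> element actually ends up with.
function parsed_value(string $html): string
{
    libxml_use_internal_errors(true); // malformed markup raises parser warnings
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    return $doc->getElementsByTagName('input')->item(0)->getAttribute('value');
}

// Hypothetical helper: build the edit-form field with a given output encoder.
function render_field(string $value, callable $encode): string
{
    return "<input type='text' name='_Description' value='" . $encode($value) . "'>";
}

$encoders = [
    // Before: the stored value is echoed into the attribute unchanged,
    // so the apostrophe closes the attribute early.
    'raw' => fn($v) => $v,
    // ENT_COMPAT (the default before PHP 8.1) escapes " but not ',
    // so it does not help inside a single-quoted attribute.
    'ENT_COMPAT' => fn($v) => htmlentities($v, ENT_COMPAT, 'UTF-8'),
    // After: ENT_QUOTES also encodes the apostrophe.
    'ENT_QUOTES' => fn($v) => htmlentities($v, ENT_QUOTES, 'UTF-8'),
];

foreach ($encoders as $label => $encode) {
    $html = render_field($description, $encode);
    printf("%-10s markup: %s\n", $label, $html);
    printf("%-10s parsed: %s\n\n", '', parsed_value($html));
}
```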

  • #5
    Regular Coder
    Join Date
    Sep 2009
    Posts
    165
    Thanks
    16
    Thanked 0 Times in 0 Posts
    Thanks, that seems to have done the trick.

