
Why is hyphen' preceded by a backslash?



Buffmin
01-17-2012, 06:11 PM
I have mysql code to enter a businessname into a table in a database, but, if I enter a name such as "Joe's" (with a hyphen), it goes into the database as "Joe\'s" (always adds a backslash before the hyphen). I would appreciate anyone's help. Thank you, Buffmin.

My code


<?php
/*
NEW.PHP
Allows user to create a new entry in the database
*/

function renderForm($BusinessName, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>New Member</title>
<link rel="stylesheet" type="text/css" href="member.css">
</head>
<body>

<?php
    // if there are any errors, display them
    if ($error != '')
    {
        echo '<div style="padding:4px; border:1px solid red; color:red;">' . $error . '</div>';
    }
?>

<h1 class="style1">Add a Member to Business Directory</h1>
<form action="" method="post">
<table>
<tr><td class="blue">Business Name</td><td><input type="text" size="40" name="BusinessName" value="<?php echo htmlspecialchars($BusinessName); ?>" /></td></tr>
</table><p></p>
<p class="blue">* Required Field</p>

<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
<?php
}

// connect to the database
require ('dbstuff.php');
$db = connectDB();

// check if the form has been submitted. If it has, start to process the form and save it to the database
if (isset($_POST['submit']))
{
    // get form data, making sure it is valid
    $BusinessName = mysql_real_escape_string(htmlspecialchars($_POST['BusinessName']));

    // check to make sure the required field is entered
    if ($BusinessName == '')
    {
        // generate error message
        $error = 'ERROR: Please fill in all required fields.....!';

        // if the field is blank, display the form again
        renderForm($BusinessName, $error);
    }
    else
    {
        // save the data to the database
        mysql_query("INSERT mybiz SET BusinessName='$BusinessName'")
            or die(mysql_error());

        mysql_query("alter table mybiz order by BusinessName")
            or die(mysql_error());

        // once saved, redirect back to the view page and stop processing
        header("Location: view.php");
        exit;
    }
}
else
{
    // if the form hasn't been submitted, display the form
    renderForm('', '');
}
?>

guelphdad
01-17-2012, 07:28 PM
If you are using mysql_real_escape_string then you shouldn't also be using htmlspecialchars.

Buffmin
01-17-2012, 08:41 PM
I guess I am not familiar with "mysql_real_escape_string". Is that used when inputting data, or when retrieving data? I will have to research how to use this, but thank you.

felgall
01-17-2012, 09:23 PM
I guess I am not familiar with "mysql_real_escape_string". Is that used when inputting data, or when retrieving data? I will have to research how to use this, but thank you.


mysql_real_escape_string is used when using "query" to access a database where the SQL and data are jumbled together and the data is "escaped" in order to try to avoid it being interpreted as part of the SQL. It is unnecessary if you replace "query" with "prepare" and "bind" as the latter keeps the SQL in the prepare statement and the data in the bind statement and so avoids all possibility of the data being misinterpreted.


htmlspecialchars is used when outputting data into an HTML web page. It is used to escape characters in the data that would otherwise be misinterpreted as being HTML tags.
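The "prepare" and "bind" approach described above, as an added example that is not code from this thread. It contrasts the string-concatenated INSERT from new.php (shown only as a string, never executed) with a prepared statement, and reads the stored values back so you can see that nothing is added to "Joe's". It uses PDO with an in-memory SQLite database so that it runs offline without a MySQL server; SQLite, the `pdo_sqlite` extension, and the sample inputs are assumptions made here, while the table and column names (mybiz, BusinessName) follow the thread.

```php
<?php
// Added example, not code from the thread: prepared statement (prepare + bind)
// versus splicing data into the SQL text. Uses PDO with in-memory SQLite so it
// needs no MySQL server; the thread itself uses MySQL (assumption: pdo_sqlite
// is available). Table and column names follow the thread.

// The pattern from new.php: data is spliced into the SQL string. Returned as a
// string for display only; it is never executed here.
function concatenatedSql(string $name): string
{
    return "INSERT INTO mybiz (BusinessName) VALUES ('$name')";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mybiz (id INTEGER PRIMARY KEY, BusinessName TEXT NOT NULL)');

// Constructed sample input: the apostrophe case from the question, an
// ampersand, and a classic injection payload.
$inputs = ["Joe's", "Bob & Sons", "x'); DROP TABLE mybiz; --"];

// Prepared statement: the SQL text holds only a placeholder. The data is handed
// over separately in execute(), so the database never parses it as SQL and no
// escaping of the data is needed at all.
$insert = $db->prepare('INSERT INTO mybiz (BusinessName) VALUES (:name)');

foreach ($inputs as $name) {
    echo "input:        " . var_export($name, true) . "\n";
    echo "concatenated: " . concatenatedSql($name) . "\n"; // broken or dangerous SQL
    $insert->execute([':name' => $name]);
}

// Read back exactly what was stored: no backslash, no HTML entities, and the
// table still exists because the payload went in as a plain string value.
$stored = $db->query('SELECT BusinessName FROM mybiz ORDER BY id')
             ->fetchAll(PDO::FETCH_COLUMN);
foreach ($stored as $value) {
    echo "stored:       " . var_export($value, true) . "\n";
}
echo "rows in mybiz: " . (int) $db->query('SELECT COUNT(*) FROM mybiz')->fetchColumn() . "\n";
```

Run it from the command line with `php`. The point to take from the output is that the concatenated SQL for "Joe's" is already syntactically broken (the apostrophe ends the string literal early) and the third input turns into two statements, while the prepared statement stores all three inputs verbatim. Escaping is only ever needed when the data and the SQL travel in the same string; with bound parameters there is nothing to escape and therefore nothing that can end up stored with an extra backslash.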

Buffmin
01-17-2012, 10:19 PM
Thanks felgall,
I will have to study up on the "mysql_real_escape_string" for when I input data into my tables, but for the moment, I am concerned with displaying the data in my table without the special characters. I cannot figure out how or where to insert the "htmlspecialchars" in my html. If you could possibly point out how or where, I would greatly appreciate it. Thank you, Buffmin

My code:


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>My Sample</title>
</head>
<body>
<?php

/* Displays all members from database */

require ('dbstuff.php');
$db = connectDB();

// get results from database
$result = mysql_query("SELECT * FROM mybiz")
    or die(mysql_error());

// display data in table
echo "<table border='1' cellpadding='10'>";
echo "<tr><th>Business Name</th></tr>";

// loop through results of database query, displaying them in the table
$count = 0;
while ($row = mysql_fetch_array($result)) {
    ++$count;

    // echo out the contents of each row into a table
    echo "<tr>";
    echo '<td>' . $row['BusinessName'] . '</td>';
    echo "</tr>";
}
// close table
echo "</table>";
?>
</body>
</html>

felgall
01-18-2012, 02:45 AM
When writing data into HTML you simply replace:

echo $field;

with:

echo htmlspecialchars($field);

Buffmin
01-18-2012, 03:48 PM
Thank you felgall and I appreciate the link to the resources on your site, but when I added the "htmlspecialchars" after my echo, I got an error that says......... "Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ',' or ';' in/homepages/.........

I do not understand why? Here is my code where I am displaying the html, and thank you for your help. I appreciate your patience. Buffmin

I commented out the orig line and just added the "htmlspecialchars" to the new line.



// loop through results of database query, displaying them in the table
$count= 0;
while($row = mysql_fetch_array( $result )) {
++$count;


// echo out the contents of each row into a table
echo "<tr>";
//echo '<td>' . $row['BusinessName'] . '</td>';
echo htmlspecialchars '<td>' . $row['BusinessName'] . '</td>';
echo "</tr>";
}

felgall
01-18-2012, 07:04 PM
echo htmlspecialchars '<td>' . $row['BusinessName'] . '</td>';


echo htmlspecialchars( '<td>' . $row['BusinessName'] . '</td>' );
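Where the htmlspecialchars() call belongs in that echo, as an added example that is not code from this thread. It runs the corrected line from the reply above beside a version that escapes only the database value, so the difference in the emitted HTML is visible. The `$row` array is a constructed sample standing in for a record fetched from mybiz, and the `h()` helper is introduced here, not taken from the thread.

```php
<?php
// Added example, not code from the thread: scope of htmlspecialchars() when
// writing a database value into HTML. $row is a constructed sample record,
// not data read from mybiz; h() is a helper introduced for this example.
$row = ['BusinessName' => "Joe's <b>Bait</b> & Tackle"];

// One helper so every piece of user data is escaped the same way.
// ENT_QUOTES also converts the apostrophe, which matters inside attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Wrapping the whole concatenation, as in the reply above, escapes the <td>
// tags as well: the browser then shows "<td>" as literal text and no table
// cell is created.
$wholeStringEscaped = h('<td>' . $row['BusinessName'] . '</td>');

// Escape only the data. Markup you wrote yourself stays markup; everything
// that came from the database becomes inert text, so a stored "<b>" or
// "<script>" is displayed rather than interpreted.
$dataOnlyEscaped = '<td>' . h($row['BusinessName']) . '</td>';

echo "whole string escaped: $wholeStringEscaped\n";
echo "data only escaped:    $dataOnlyEscaped\n";

// The same rule applies to the form in new.php: the value attribute must be
// escaped too, otherwise a stored name containing a double quote ends the
// attribute early and the rest of the name is parsed as HTML.
echo '<input type="text" name="BusinessName" value="' . h($row['BusinessName']) . '" />' . "\n";
```

Read the two lines the script prints side by side: in the first, every angle bracket has become an entity, including the ones around the cell; in the second, only the brackets, ampersand and apostrophe inside the business name have. The rule of thumb is to call htmlspecialchars() on each variable at the point where it is written into the page, never on the surrounding markup.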

Buffmin
01-18-2012, 07:27 PM
Thank you very much for your help! Buffmin


