
Weird issue with mysql_real_escape_string



galahad3
01-23-2012, 05:09 PM
I'm having a problem when using mysql_real_escape_string to allow apostrophes to be inputted into fields in a mySQL db.

Basically it cuts off the value of the data after the first instance of an apostrophe. So "Testing testing's test testtesting" would be truncated to "Testing testing" and so forth.

I'm using this code:



$description = mysql_real_escape_string($_POST['_Description']);


And the query (which otherwise works fine) is:



$query = "UPDATE userdata SET RealName = '$realname', EmailAddress = '$emailaddress', YearOfBirth = '$yearofbirth', Profession = '$profession', Description = '$description' WHERE UserName = '$username'";


Any idea why it's doing this?

Thanks

Fou-Lu
01-23-2012, 05:16 PM
How are you determining the cutoff, via a direct mysql client connection or through the script? Make sure you are checking directly through a mysql client. You should get an error if it attempts to insert data that is injected with what you have here.
Also execute a show create table and post the results: show create table userdata;.

galahad3
01-23-2012, 05:21 PM
I'm using an external file dbconnect.php to connect to the database; this contains all the connection details. That's how I've always connected to the database though?

What code would I use to run the show create table userdata?

Interestingly when I checked the actual db record in phpMyAdmin I find that the data HAS been inputted correctly. So it looks as if the problem is when I display the data in the Edit form...

Fou-Lu
01-23-2012, 05:48 PM
Show create table is literally what I put in the code block above. That can be run directly in PHPMyAdmin or on a SQL client.
It won't be necessary though; my assumption was that either it was a display issue or it was a truncation due to a column length. Sounds like a display issue, so your value= on your selection menu is using value='$recordColumn'. You need to run the variable through htmlentities($var, ENT_QUOTES); first.
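
As an added example (not code from the thread), here is the display side of the problem in PHP: a single-quoted value attribute built from the raw column beside the same attribute built with htmlentities($var, ENT_QUOTES). The $record array is a constructed stand-in for the row read back from userdata, so the script runs without a database; mysql_real_escape_string only protects the write into the query, and output into HTML needs its own encoding.

```php
<?php
// Added example, not code from the thread. The row is constructed inline
// so this runs from the command line without a database connection.
$record = ['Description' => "Testing testing's test testtesting"];

// How the edit form was being built: the column value dropped straight into
// a single-quoted attribute. The apostrophe inside the data closes the
// attribute early, so the browser shows only "Testing testing" in the field
// and treats the rest of the string as stray attributes on the <input> tag.
// The same gap lets a stored value that contains markup or script run in
// the page, which is why output encoding matters beyond the cosmetic bug.
function renderUnsafe(array $row): string
{
    return "<input type='text' name='_Description' value='{$row['Description']}'>";
}

// The fix from the thread: encode the value for an HTML attribute context.
// ENT_QUOTES converts both ' and " (plus <, > and &), so the attribute
// cannot be terminated by the data whichever quote style the markup uses.
function renderSafe(array $row): string
{
    $value = htmlentities($row['Description'], ENT_QUOTES, 'UTF-8');
    return "<input type='text' name='_Description' value='{$value}'>";
}

// Run both and compare: the safe version keeps the whole string inside the
// attribute, and the browser decodes &#039; back to an apostrophe on display.
echo renderUnsafe($record), PHP_EOL;
echo renderSafe($record), PHP_EOL;
```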

galahad3
01-23-2012, 06:46 PM
Thanks, that seems to have done the trick. :)


