I have a script where I submit some fields that get entered into a MySQL database when I submit it now it goes through successfully but never gets inserted into the database if one of the fields has an apostrophe. What can I modify to get this to work?
if ($_POST) {
$name = trim($_POST['your_name']);
$email = trim($_POST['your_email']);
$answers = $_POST['answers'];
$i = 0;
foreach ($answers as $a) {
if (trim($a))
$i++;
}
if ($name && $email && $i >= 40) {
$array = array();
$q = mysql_query("select * from fields");
while($f = mysql_fetch_array($q))
$array[$f['label']] = $answers[$f['ID']];
$array = serialize($array);
$time = time();
$ip = $_SERVER['REMOTE_ADDR'];
$token = md5($time);
$result = mysql_query("insert into data (submit_name, submit_email, submit_data, submit_confirm, submit_time, submit_ip, submit_token)
values ('$name', '$email', '$array', '0', '$time', '$ip', '$token')");
You need to escape characters with special meaning in MySQL in your data.
ReplyDeleteThe quick and dirty way to improve your code would be to pass all your strings through mysql_real_escape_string before inserting them into your string of SQL.
The better approach would be to switch away from mysql_query to something that allows the use of bound parameters (preferably with prepared statements).
Use mysql_real_escape_string(), as this will both fix your apostrophe issue and at least partly help avoid SQL injection attacks. If you don't want to get your hands dirty with PHP's built-in PDO library, you might consider a Database Abstraction Layer (DBAL). ADODB is an example.
ReplyDelete