mysql_real_escape_string Not Working with '

StackOverflow https://stackoverflow.com/questions/18106697

Question

I have a form processed with PHP. It contains a field for Notes about the client job. The problem is that if there is a ' within in the notes - such as it's, O'Reilly, that's etc, it escapes the string in the database, so I have all of the notes up until it encounters the ' then that's the end of the notes.

I realise there are things like mysqli_ and PDO, but it's the busy season at the moment and I could just do with quickly fixing this before doing a complete update/overhaul in January.

Any idea why it isn't working? Code included. It doesn't matter where I put the mysql_real_escape_string(), it doesn't work anywhere.

FYI: The table column is TEXT. And there are a couple of other fields hence the foreach

// SELECTS AND CONNECTS TO SERVER/DB
include_once('config/db.inc.php');


// CONVERT ALL $_POST['name'] to $name and clean/prep for mysql insertion
foreach($_POST as $key => $value ) {    
       $$key = mysql_real_escape_string($value); 
       }


// UPDATE CLIENT JOB NOTES
$query = "UPDATE client_list SET bookingNotes='$bookingNotes' WHERE id='$CID'";
         mysql_query($query, $conn) or die(mysql_error());

TIA

Edit for the responses below:

$bookingNotes and $CID are define by the form variables $_POST['bookingNotes'] and $_POST['CID'] where the foreach essentially removes the "_POST" part. (that's the whole $$key = $value part)

As mentioned, I appreciate mysqli_ and PDO but am currently unable to learn, update and implement those system wide at the moment. This runs locally and my current version of PHP 5.4.1 supports the function. I understand PDO is better, but for now that is not an option so please don't belittle me with "do it properly" or "learn how to code". That isn't the issue at hand.

I know what's happening and where and why - mysql is treating the ' as and end of the string. But I don't know why it's happening when I believe the function should escape the ' and allow it into the database.

To surmise, this is what happens.

"Today is very grey and it's raining" is entered into the form as $bookingNotes. The script then inputs that into the TEXT column of the database. But what appears in the database is;

"Today is very grey and it"

TIA and Thanks for the responses so far.

Was it helpful?

Solution 3

Thank you to everyone with helpful input.

It's fixed now, I honestly don't know how.

I removed the '' on the SQL statement (WHERE bookingNotes='bookingNotes') to force an error.

I also checked (echoed) the contents of $bookingNotes, which was the POST data AFTER mysql_real_escape_string() and it had the full string with apostrophes escaped (slashed)

I removed the echo, put the SQL back, and it all worked as it should / as expected.

I backed up the script before I started working, I have since compared the "new" working one with the original one that failed and they are exactly the same, no missing characters or extra/missing whitespace, exactly the same. o_O

So I don't know what happened there!

Thanks for the input anyway.

OTHER TIPS

Are you sure the problem is on the writing end? Your code looks like it should work. (Well, for some value of work, you don't want to have a field <input name='conn' value='haha'>. Anyway, you seem to understand the problems with the code well enough.)

I assume that what you see is not SQL-injection but HTML injection:

<input name='bookingNotes' value='<?php=$bookingNotes?>'>

try escaping that with

<input name='bookingNotes' value='<?php=htmlspecialchars($bookingNotes, ENT_QUOTES)?>'>

to avoid the problem.

I tried it and it seems okay

$_POST['name'] = "1'";
$_POST['age'] = '2';/* 
$_POST[] = '3';
$_POST[] = '3'; */
foreach($_POST as $key => $value ) {    
    $$key = mysql_real_escape_string($value); 
    echo $$key;

}

The result I got was : 1\' - which is correct

Try changing this

$$key = mysql_real_escape_string($value);

INTO

$key = mysql_real_escape_string($value);

First, mysql_real_escape_string() always works. If some your code doesn't - well, it's your code.

Second, but most important: NEVER run a code like this

foreach($_POST as $key => $value ) {    
    $$key = // whatever.
}

it is actually a hole in security, worse than any other.

Finally, it is extremely unclear from your extremely vague explanation, but I guess it's HTML form where you get your "end of notes". Anyway, you have to fix the very place where it happens, not blame a function you were running long time ago

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top