Can someone help me store a string that has an apostrophe within it? I thought that using mysql_real_escape_string was supposed to add a slash when retrieving, but remove the slash before storing. Here is a portion of my code and then also the result of the data after it is stored:

$deceasedname = mysql_real_escape_string($_POST['deceasedname']);
$condolences = mysql_real_escape_string($_POST['condolences']);
$fname = mysql_real_escape_string($_POST['fname']);
$lname = mysql_real_escape_string($_POST['lname']);

echo '<html><head><title>Codolence Request</title></head><body>
	 			<h2>Condolence Submission on:</h2><p> ' . date("h:i, jS F") . '</p>
				<p>New Condolence Request</p>
    			<table>
				<tr><td>Name of Contributor:</td><td>' . $fname . $lname.'</td></tr>
				<tr><td>Name of Deceased:</td><td>' . $deceasedname . '</td></tr>
    			<tr><td>Condolence: </td><td>' . $condolences  . '</td></tr>
				<tr><td>View from:</td><td><a href="http://diehlfuneralhome.com/admin/adminpages/forms/condolenceDisplay.php">Administrative pages</a></td></tr>
				 </table></body></html>';

After submitting the information with the name Anna O'Connell, here is the result:

Name of Deceased: Anna O\\\'Connell

I would like to display the name as i t

The mysql_real_escape_string is intented to be used when you include a variable into an sql statement. You are just displaying the result. That is why you are shown a value with the extra slashes.

The stripslashes function is the one that removes the slashes.

The mysql_real_escape_string is intented to be used when you include a variable into an sql statement. You are just displaying the result. That is why you are shown a value with the extra slashes.

The stripslashes function is the one that removes the slashes.

I thank you for this information, but I still have one slash. This is before:

Name of Contributor: O\\\'Donnel
Name of Deceased: Henry O\\\'Brien
Condolence: Don\\\'t know

And this is after I add the stripslashes function:

Name of Contributor: O\'Donnel
Name of Deceased: Henry O\'Brien
Condolence: Don\'t know

The mystery to me is that when I look in my database I see that the stored value only contains one backslash. I am thoroughly confused ????

Are you perhaps using the escape twice before storing the value in the db ? The slash shouldn't be in there.

Are you perhaps using the escape twice before storing the value in the db ? The slash shouldn't be in there.

Maybe you can see something that I am missing. Here is my complete PHP code:

<?php require_once('../../Connections/diehl.php'); 
// connect and select to database
mysql_select_db($database_diehl, $diehl);

$deceasedname = mysql_real_escape_string($_POST['deceasedname']);
$condolences = mysql_real_escape_string($_POST['condolences']);
$fname = mysql_real_escape_string($_POST['fname']);
$lname = mysql_real_escape_string($_POST['lname']);
$address = mysql_real_escape_string($_POST['address']);
$city = mysql_real_escape_string($_POST['city']);
$state = mysql_real_escape_string($_POST['state']);
$zip = mysql_real_escape_string($_POST['zip']);
$email = mysql_real_escape_string($_POST['email']);
$phone = mysql_real_escape_string($_POST['phone1'])."-";
$phone .= mysql_real_escape_string($_POST['phone2'])."-";
$phone .= mysql_real_escape_string($_POST['phone3']);
$phone1 = mysql_real_escape_string($_POST['phone1']);
$phone2 = mysql_real_escape_string($_POST['phone2']);
$phone3 = mysql_real_escape_string($_POST['phone3']);
$submit = mysql_real_escape_string($_POST['send']);

$sql="INSERT INTO condolences (deceasedname, condolences, fname, lname, address, city, state, zip, email, phone, request_pk) VALUES ('$deceasedname','$condolences','$fname','$lname','$address','$city','$state','$zip','$email','$phone','$request_pk')"; 
if (!mysql_query($sql,$diehl)) {
 die('Error: ' . mysql_error()); 
} 

mysql_close($diehl);

// Prepare Message Body
	
	echo '<html><head><title>Codolence Request</title></head><body>
	 			<h2>Condolence Submission on:</h2><p> ' . date("h:i, jS F") . '</p>
				<p>New Condolence Request</p>
    			<table>
				<tr><td>Name of Contributor:</td><td>' . $fname . stripslashes($lname) .'</td></tr>
				<tr><td>Name of Deceased:</td><td>' . stripslashes($deceasedname) . '</td></tr>
    			<tr><td>Condolence: </td><td>' . stripslashes($condolences)  . '</td></tr>
				<tr><td>View from:</td><td><a href="http://diehlfuneralhome.com/admin/adminpages/forms/condolenceDisplay.php">Administrative pages</a></td></tr>
				 </table></body></html>';
     

    
	//  Redirect user to success page
	header("Location: ../../../successCondolence.php?name=" . $_POST['fname'] . " " . $_POST['lname']);
  
?>

Thanks in advance for any help!

Hey.

Perhaps your server has the magic_quotes feature enabled?
If you don't know, create a PHP file that contains only: <?php phpinfo(); ?> and look for magic_quotes_gpc in the output it generates.

If it is enabled, it will add extra slashes to quote-marks and back-slashes. A good way to nullify this effect is to add this to the top of your scripts:

if(get_magic_quotes_gpc()) {
    foreach($_POST as &$_elem) {
        $_elem = stripslashes($_elem);
    }
}

That will put them into their original state.


Also, keep in mind that the mysql_real_escape_string function is only meant to be used on data that is to be inserted into a MySQL query. Using it on data that is going into a HTML page is not a good idea, because the function escapes more than just quotes.

A better way is to use the htmlentities function on data that is going into a HTML page:

<?php
$sqlData = array();
$htmlData = array();

for($_POST as $_field) {
    $sqlData = mysql_real_escape_string($_field);
    $htmlData = htmlentities($_field, ENT_QUOTES); // See the third parameter in the manual if using UTF-8
}

$sql = "INSERT INTO stuff VALUES ('{$sqlData['field1']}', '{$sqlData['field2']}')";

$html =<<<HTML
<!DOCTYPE html>
<html>
    <head><title>{$htmlData['title']}</title></head>
    <body>
        <h1>{$htmlData['h1']}</h1>
        <p>{$htmlData['firstParagraph']}</p>
    </body>
HTML;
?>

Get my meaning?

P.S.
That's just an example. In a real-life situation, escaping all POST fields for both SQL and HTML would be wasteful.

Hey.

Perhaps your server has the magic_quotes feature enabled?
If you don't know, create a PHP file that contains only: <?php phpinfo(); ?> and look for magic_quotes_gpc in the output it generates.

If it is enabled, it will add extra slashes to quote-marks and back-slashes. A good way to nullify this effect is to add this to the top of your scripts:

if(get_magic_quotes_gpc()) {
    foreach($_POST as &$_elem) {
        $_elem = stripslashes($_elem);
    }
}

That will put them into their original state.


Also, keep in mind that the mysql_real_escape_string function is only meant to be used on data that is to be inserted into a MySQL query. Using it on data that is going into a HTML page is not a good idea, because the function escapes more than just quotes.

A better way is to use the htmlentities function on data that is going into a HTML page:

<?php
$sqlData = array();
$htmlData = array();

for($_POST as $_field) {
    $sqlData = mysql_real_escape_string($_field);
    $htmlData = htmlentities($_field, ENT_QUOTES); // See the third parameter in the manual if using UTF-8
}

$sql = "INSERT INTO stuff VALUES ('{$sqlData['field1']}', '{$sqlData['field2']}')";

$html =<<<HTML
<!DOCTYPE html>
<html>
    <head><title>{$htmlData['title']}</title></head>
    <body>
        <h1>{$htmlData['h1']}</h1>
        <p>{$htmlData['firstParagraph']}</p>
    </body>
HTML;
?>

Get my meaning?

P.S.
That's just an example. In a real-life situation, escaping all POST fields for both SQL and HTML would be wasteful.

Thank you soooo much for this information. My script is working properly now! :)

That's good to hear.
I'm glad I could help :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.