0

Hello,
I want to insert single or double quotes into mysql without using \ or anything else i tried mysql_real_escape_string but it did not work it gives SQL Syntax Error : Check what to use near error...Plz Help... Here's the code...

<?php
     $name =  isset($_POST['name']) ? $_POST["name"] : "";
     $description =  isset($_POST['description']) ? $_POST["description"] : "";
     $field1=  isset($_POST['field1']) ? $_POST["field1"] : "";
     $field2=  isset($_POST['field2']) ? $_POST["field2"] : "";
     $field3=  isset($_POST['field3']) ? $_POST["field3"] : "";
     $field4=  isset($_POST['field4']) ? $_POST["field4"] : "";
     $field5=  isset($_POST['field5']) ? $_POST["field5"] : "";
     $field6=  isset($_POST['field6']) ? $_POST["field6"] : "";
     $field7=  isset($_POST['field7']) ? $_POST["field7"] : "";
     $field1a=  isset($_POST['field1a']) ? $_POST["field1a"] : "";
     $field2a=  isset($_POST['field2a']) ? $_POST["field2a"] : "";
     $field3a=  isset($_POST['field3a']) ? $_POST["field3a"] : "";
     $field4a=  isset($_POST['field4a']) ? $_POST["field4a"] : "";
     $field5a=  isset($_POST['field5a']) ? $_POST["field5a"] : "";
     $field6a=  isset($_POST['field6a']) ? $_POST["field6a"] : "";
     $field7a=  isset($_POST['field7a']) ? $_POST["field7a"] : "";
     $details =  isset($_POST['details']) ? $_POST["details"] : "";
     $year =  isset($_POST['year']) ? $_POST["year"] : "";

 include_once "scripts/connect_to_mysql.php";

$sql = mysql_query("INSERT INTO people (name, field1, field2, field3, field4, field5, field6, field7, description, year, field1a, field2a, field3a, field4a, field5a, field6a, field7a) VALUES ('$name','$field1','$field2','$field3','$field4','$field5','$field6','$field7','$description','$year','$field1a','$field2a','$field3a','$field4a','$field5a','$field6a','$field7a')")  or die (mysql_error());

     $id = mysql_insert_id();

     mkdir("../people/$id", 0755);

$newname = "image01.jpg";
                          
$place_file = move_uploaded_file( $_FILES['fileField']['tmp_name'], "../people/$id/".$newname);
header("Location: addperson.php");
?>

Plz Help

Edited by shahbaz13: n/a

4
Contributors
4
Replies
14
Views
6 Years
Discussion Span
Last Post by VIJAY_13
0

Try the changing the line #2 through 19 into the following:

$name =  mysql_real_escape_string($_POST['name']);
     $description =  mysql_real_escape_string($_POST['description']);
     $field1=  mysql_real_escape_string($_POST['field1']);
     $field2=  mysql_real_escape_string($_POST['field2']);
     $field3=  mysql_real_escape_string($_POST['field3']);
     $field4=  mysql_real_escape_string($_POST['field4']);
     $field5=  mysql_real_escape_string($_POST['field5']);
     $field6=  mysql_real_escape_string($_POST['field6']);
     $field7=  mysql_real_escape_string($_POST['field7']);
     $field1a=  mysql_real_escape_string($_POST['field1a']);
     $field2a=  mysql_real_escape_string($_POST['field2a']);
     $field3a=  mysql_real_escape_string($_POST['field3a']);
     $field4a=  mysql_real_escape_string($_POST['field4a']);
     $field5a=  mysql_real_escape_string($_POST['field5a']);
     $field6a=  mysql_real_escape_string($_POST['field6a']);
     $field7a=  mysql_real_escape_string($_POST['field7a']);
     $details =  mysql_real_escape_string($_POST['details']);
     $year =  mysql_real_escape_string($_POST['year']);

It usually does the job perfectly.
Hope it helps.

Edited by Pro2000: n/a

0

By the way, you can use a shorter form of that code like this:

$name =  mysql_real_escape_string($_POST['name']);
$description =  mysql_real_escape_string($_POST['description']);
//The following loop does the job for all the first 7 variables
for($fff=1; $fff<=7; $fff++){
    $fieldName = 'field'.$fff;
    $$fieldName =  mysql_real_escape_string($_POST['field'.$fff]);
}
//The following loop does the job for all the second 7 variables
for($fff=1; $fff<=7; $fff++){
    $fieldName = 'field'.$fff.'a';
    $$fieldName=  mysql_real_escape_string($_POST['field'.$fff.'a']);
}
$details =  mysql_real_escape_string($_POST['details']);
$year =  mysql_real_escape_string($_POST['year']);

Edited by Pro2000: n/a

0

Use this query

$sql = mysql_query("INSERT INTO people ('name', 'field1', 'field2', 'field3', 'field4', 'field5', 'field6', 'field7', 'description', 'year', 'field1a', 'field2a', 'field3a', 'field4a', 'field5a', 'field6a', 'field7a') VALUES ($name,$field1,$field2,$field3,$field4,$field5,$field6,$field7,$description,$year,$field1a,$field2a,$field3a,$field4a,$field5a,$field6a,$field7a)") or die (mysql_error());

Edited by JorgeM: Please use the signature tool in your profile. No links in the post for the purpose of promoting your site.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.