I take data from a html form to inseert to mysql, sometimes that data has single and double quotes in it. How do you get the quotes to be part of the string so i can add to mysql.

Hers what I have, but this still gives me a sql error.

if (!empty($_REQUEST['atitle'])){
                     $title = $_REQUEST['atitle'];
                     $title = NULL;
                   if (!empty($_REQUEST['acontent'])){
                      $content = $_REQUEST['acontent'];
                      $content = NULL;
                      echo "<span class='text'><p>Enter content for the News Item</p></span>";
                if ($title && $content){    
      $query = "INSERT INTO projects VALUES (NULL, '"mysql_real_escape_string($atitle)"', '"mysql_real_escape_string($acontent)"', '$remote_file', '$remote_file1', '$remote_file2')";
      $result = mysql_query($query);
         $error = 'An error occured: '. mysql_error().'<br />';
         $error.= 'Query was: '.$query;
         echo $error;

Thanks for looking..................

On further inspection this seems to be esaping the double quotes but not the single quotes!

Anyone know why?

Member Avatar

You need to concatenate (.):

$query = "INSERT INTO projects VALUES (NULL, '" . mysql_real_escape_string($atitle) . "', '" . mysql_real_escape_string($acontent) . "', '$remote_file', '$remote_file1', '$remote_file2')";

Now I get this error
An error occured: Column count doesn't match value count at row 1
Query was: INSERT INTO projects VALUES (NULL, ''', ''', '', '', '')

But only when there are single quotes, works ok for double quotes!

Member Avatar
$atitle = mysql_real_escape_string($atitle);
$acontent = mysql_real_escape_string($acontent);

$query = "INSERT INTO projects VALUES (NULL, '$atitle', '$acontent', '$remote_file', '$remote_file1', '$remote_file2')";