PHP 7.3 UPDATE values with apostrophe creates an error

Beginners - Learning PHP
#1

I have no problem inputing data that has an apostrophe using INSERT However, I use that data to populate a form for amendments. If the comments section originally had apostrophes then it will not save any amendments.

I have tried every solution I could find with no sucess. Including mysql_escape_string and mysql_real_escape_string. It only works fine if there is no apostrophe. Any guidence welcome

My Code

$sql = "UPDATE a_walking
SET
Location='$_POST[Location]',
Route='$_POST[Route]',
Latitude='$_POST[Latitude]',
Longitude='$_POST[Longitude]',
Date='$_POST[Date]',
Time='$_POST[Time]',
Distance='$_POST[Distance]',
Leader='$_POST[Leader]',
Difficulty='$_POST[Difficulty]',
Comments='$_POST[Comments]'
#2

You likely (because you didn’t post all the php and html involved) have two problems -

  1. When you output values in the form fields, you need to apply htmlentities() to them, right before outputting them, so that any html entities in the values cannot break the html markup.
  2. You need to use a prepared query when supplying any external, unknown, dynamic value to the query when it gets executed, so that any sql special characters in the values cannot break the sql query syntax, which is how sql injection is accomplished.

For the database statements, the PDO extension is the simplest to learn and use.

Here is typical PDO connection code -

$DB_HOST = ''; // database host name or ip address
$DB_USER = ''; // database username
$DB_PASS = ''; // database password
$DB_NAME = ''; // database name
$DB_ENCODING = 'utf8mb4'; // db character encoding. set to match your database table's character set. note: utf8 is an alias of utf8mb3/utf8mb4

$options = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // set the error mode to exceptions (this is the default setting now in php8+)
			PDO::ATTR_EMULATE_PREPARES => false, // run real prepared queries
			PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC // set default fetch mode to assoc
			];

$pdo = new pdo("mysql:host=$DB_HOST;dbname=$DB_NAME;charset=$DB_ENCODING",$DB_USER,$DB_PASS,$options);

For the query you have posted, a PDO prepared query would look like -

$sql = "UPDATE a_walking
SET
Location=?,
Route=?,
Latitude=?,
Longitude=?,
Date=?,
Time=?,
Distance=?,
Leader=?,
Difficulty=?,
Comments=?
";
// you likely have a WHERE clause in the above query that you didn't show

$stmt = $pdo->prepare($sql);
$stmt->execute([
	$_POST['Location'],
	$_POST['Route'],
	$_POST['Latitude'],
	$_POST['Longitude'],
	$_POST['Date'],
	$_POST['Time'],
	$_POST['Distance'],
	$_POST['Leader'],
	$_POST['Difficulty'],
	$_POST['Comments']
	]);
#3

Yes WHERE id=$_POST[id]";
This still doesn’t solve my problem.
If someone. in amending, adds an apostrophe to the form comments section it still fails
I have also tried applying htmlentities() to $_POST[Comments]
I’ll go through my code again - I’m sure I’m doing something wrong

#4 
$sql = "UPDATE a_walking
SET
Location=?,
Route=?,
Latitude=?,
Longitude=?,
Date=?,
Time=?,
Distance=?,
Leader=?,
Difficulty=?,
Comments=?
WHERE id=?
";

and

$stmt->execute([
	$_POST['Location'],
	$_POST['Route'],
	$_POST['Latitude'],
	$_POST['Longitude'],
	$_POST['Date'],
	$_POST['Time'],
	$_POST['Distance'],
	$_POST['Leader'],
	$_POST['Difficulty'],
	$_POST['Comments'],
    $_POST['id'] // Add this
	]);
#5

Thanks for your help on this - problem is now fixed.

Sponsor our Newsletter | Privacy Policy | Terms of Service