How to deal with an apostrophe while writing into a MySQL database [duplicate]

Question

I am getting this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's','portal','','offering','MSNBC','News','','sports','','MSN','Money','','games'' at line 3

The only problem is that this error shows up when inserting data that contains an apostrophe. I tried changing the data type from VARCHAR to TEXT, but the result is still the same.

I tried to put in addslashes()

How do I fix this?

$query=" INSERT INTO alltags
 (id,tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
VALUES      
 ('',mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) "; 
mysql_query($query) or die(mysql_error());

I changed it to mysql_real_escape_string. Is this syntax correct? I am getting errors.

id is an auto_increment so I left it blank
– user244333
Commented Oct 30, 2010 at 2:48 — user244333, Commented Oct 30, 2010 at 2:48
Use PDO...it'll solve two problems at once. php.net/pdo
– benjy
Commented Oct 30, 2010 at 4:22 — benjy, Commented Oct 30, 2010 at 4:22

Peter Mortensen · Accepted Answer · 2019-07-15 14:16:26Z

53

The process of encoding data which contains characters MySQL might interpret is called "escaping". You must escape your strings with mysql_real_escape_string, which is a PHP function, not a MySQL function, meaning you have to run it in PHP before you pass your query to the database. You must escape any data that comes into your program from an external source. Any data that isn't escaped is a potential SQL injection.

You have to escape your data before you build your query. Also, you can build your query programmatically using PHP's looping constructs and range:

// Build tag fields
$tags = 'tag' . implode(', tag', range(1,30));

// Escape each value in the uniqkey array
$values = array_map('mysql_real_escape_string', $uniqkey);

// Implode values with quotes and commas
$values = "'" . implode("', '", $values) . "'";

$query = "INSERT INTO alltags (id, $tags) VALUES ('', $values)";

mysql_query($query) or die(mysql_error());

edited Jul 15, 2019 at 14:16

Peter Mortensen

31.3k22 gold badges109 silver badges132 bronze badges

answered Oct 30, 2010 at 2:57

user229044♦

237k41 gold badges341 silver badges342 bronze badges

Conceptually, this makes a lot of sense. I am still trying to incorporate your code into mine. thanks for your input
– user244333
Commented Oct 30, 2010 at 3:26
@Karthik The important thing is that you realize that mysql_real_escape_string is run in PHP, before you ever pass your data to mysql_query. I'm not sure how OMG Ponies got that one so wrong...
– user229044 ♦
Commented Oct 30, 2010 at 3:41
Function mysql_real_escape_string() was deprecated in PHP 5.5.0 and was removed in PHP 7.0.0.
– Peter Mortensen
Commented Jul 15, 2019 at 14:16

Add a comment |

OMG Ponies · Accepted Answer · 2010-10-30 02:50:57Z

Using mysql_real_escape_string is a safer approach to handling characters for SQL insertion/updating:

INSERT INTO YOUR_TABLE
VALUES
  (mysql_real_escape_string($var1),
   mysql_real_escape_string($var2))

Also, I'd change your columns back from TEXT to VARCHAR - searching, besides indexing, works much better.

Update for your update

Being that id is an auto_increment column you can:

leave it out of the list of columns, so you don't have to provide a value in the VALUES clause:

INSERT INTO alltags
  (tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
VALUES      
  (mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) ";

include id in the list of columns, which requires you use either value in its place in the VALUES clause:
- NULL
- DEFAULT

Here's an example using NULL as the id placeholder:

INSERT INTO alltags
  (id,tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
 VALUES      
  (NULL,mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) ";

I want to really stress that you should not setup your columns like that.

I edited my question. Is there anything wrong with my syntax? — user244333, Commented Oct 30, 2010 at 2:45
@Ponies: This code is really wrong. I will investigate who gave you four upvotes and kill them too. You cannot mix PHP function calls into an SQL string. You have to break out of the "string" and call .mysql_real_escape(). separately for each variable. — mario, Commented Oct 30, 2010 at 3:26
Function mysql_real_escape_string() was deprecated in PHP 5.5.0 and was removed in PHP 7.0.0. — Peter Mortensen, Commented Jul 15, 2019 at 14:14

kijin · Accepted Answer · 2010-10-30 04:05:23Z

8

Slight improvement of meagar's answer:

EDIT: meagar updated his post, so his answer is now better.

$query = 'INSERT INTO alltags (id, ';

// append tag1, tag2, etc.
$query .= 'tag' . implode(', tag', range(1, 30)) . ") VALUES ('', ";

// escape each value in the uniqkey array
$escaped_tags = array_map('mysql_real_escape_string', $uniqkey);

// implode values with quotes and commas, and add closing bracket
$query .= "'" . implode("', '", $escaped_tags) . "')";

// actually query
mysql_query($query) or die(mysql_error());

edited Oct 30, 2010 at 4:05

answered Oct 30, 2010 at 3:48

kijin

8,8502 gold badges27 silver badges33 bronze badges

+1 Like the way you build the tags string; it is late, and I am tired.
– user229044 ♦
Commented Oct 30, 2010 at 3:54

Add a comment |

mario · Accepted Answer · 2010-10-30 03:33:56Z

Please look at meagars answer. This is the correct code.

If you want to use the misguided mysql_query() function, then you have to break up the SQL string as follows:

mysql_query(
    "INSERT INTO whateever (col1,col2,col3,col4) VALUES ("
    . mysql_real_escape_string($col1) 
    . ","
    . mysql_real_escape_string($col2) 
    . ","       
    . mysql_real_escape_string($col3) 
    . ","
    . mysql_real_escape_string($col4) 
    . ")"
);

Or since you have an array, use the clever method call to escape all at once:

$uniqkey = array_map("mysql_real_escape_string", $uniqkey);

mysql_query("USE THE ESCAPED ARRAY THEN DIRECTLY ('$uniqkey[0]', '$uniqkey[1]', '$uniqkey[2]', '$uniqkey[3]', ...");

Collectives™ on Stack Overflow

How to deal with an apostrophe while writing into a MySQL database [duplicate]

4 Answers 4

Update for your update

Linked

Hot Network Questions

Collectives™ on Stack Overflow

4 Answers 4

Update for your update

Linked

Related