StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POmysql_real_escape_string Not Working with '
primarykey
Id
18106697
data
AcceptedAnswerId
18144590
AnswerCount
5
ClosedDate
CommentCount
9
CommunityOwnedDate
CreationDate
2013-08-07T14:52:58.567
FavoriteCount
0
LastActivityDate
2013-08-09T10:24:23.720
LastEditDate
2013-08-07T16:31:16.943
LastEditorUserId
1701660
OwnerUserId
1701660
ParentId
0
PostTypeId
1
Score
-2
ViewCount
6492
LastEditorDisplayName
text
Body
I have a form processed with PHP. It contains a field for Notes about the client job. The problem is that if there is a ' within in the notes - such as it's, O'Reilly, that's etc, it escapes the string in the database, so I have all of the notes up until it encounters the ' then that's the end of the notes. I realise there are things like mysqli_ and PDO, but it's the busy season at the moment and I could just do with quickly fixing this before doing a complete update/overhaul in January. Any idea why it isn't working? Code included. It doesn't matter where I put the mysql_real_escape_string(), it doesn't work anywhere. FYI: The table column is TEXT. And there are a couple of other fields hence the foreach <pre><code>// SELECTS AND CONNECTS TO SERVER/DB include_once('config/db.inc.php'); // CONVERT ALL $_POST['name'] to $name and clean/prep for mysql insertion foreach($_POST as $key => $value ) { $$key = mysql_real_escape_string($value); } // UPDATE CLIENT JOB NOTES $query = "UPDATE client_list SET bookingNotes='$bookingNotes' WHERE id='$CID'"; mysql_query($query, $conn) or die(mysql_error()); </code></pre> TIA Edit for the responses below: $bookingNotes and $CID are define by the form variables $_POST['bookingNotes'] and $_POST['CID'] where the foreach essentially removes the "_POST" part. (that's the whole $$key = $value part) As mentioned, I appreciate mysqli_ and PDO but am currently unable to learn, update and implement those system wide at the moment. This runs locally and my current version of PHP 5.4.1 supports the function. I understand PDO is better, but for now that is not an option so please don't belittle me with "do it properly" or "learn how to code". That isn't the issue at hand. I know what's happening and where and why - mysql is treating the ' as and end of the string. But I don't know why it's happening when I believe the function should escape the ' and allow it into the database. To surmise, this is what happens. "Today is very grey and it's raining" is entered into the form as $bookingNotes. The script then inputs that into the TEXT column of the database. But what appears in the database is; "Today is very grey and it" TIA and Thanks for the responses so far.
Tags
<php><mysql><security><sql-injection><mysql-real-escape-string>
Title
mysql_real_escape_string Not Working with '
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USBiomech
UserOwnerUserId
1. USBiomech
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POmysql_real_escape_string Not Working with '
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTDownMod
2. VO
 singulars
 PostPostId
 POmysql_real_escape_string Not Working with '
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTDownMod
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.