
addslashes, mysql_real_escape_string, etc not working

Member
 
Join Date: Oct 2007
Posts: 110
#1: May 10 '08
I am finding this very strange and frustrating, but I've got some data being entered into a mysql database, and when the data contains an apostrophe for example the word we're, it shows up in the database as
we’re.

weird.

I've used addslashes & mysql_real_escape_string, but nothing seems to fix it, and I can see when I 'echo' the input, that the string is not being escaped.


I don't get any errors, but nothing happens.

    preg_match ("/<input type=\"hidden\" name=\"Title\" value=\"([^`]*?)\">/", $match, $temp);
    $Title = $temp['1'];
    $Title = trim($Title);
    $Title = addslashes($Title);

    echo $Title.'<br />';

Newbie
 
Join Date: May 2008
Posts: 1
#2: May 11 '08

re: addslashes, mysql_real_escape_string, etc not working


Quote:

Originally Posted by pedalpete

I am finding this very strange and frustrating, but I've got some data being entered into a mysql database, and when the data contains an apostrophe for example the word we're, it shows up in the database as
we’re.

weird.

I've used addslashes & mysql_real_escape_string, but nothing seems to fix it, and I can see when I 'echo' the input, that the string is not being escaped.


I don't get any errors, but nothing happens.

    preg_match ("/<input type=\"hidden\" name=\"Title\" value=\"([^`]*?)\">/", $match, $temp);
    $Title = $temp['1'];
    $Title = trim($Title);
    $Title = addslashes($Title);

    echo $Title.'<br />';

I'm not that sure, but I do have cases like that in another programming language. Turns out that my page is not encoded in proper/desired format.

How does it appear when you view the source of the web page? There is a chance that the source is correct but it's just that the output is not what you wanted it to be.
Member
 
Join Date: Oct 2007
Posts: 110
#3: May 11 '08

re: addslashes, mysql_real_escape_string, etc not working


Quote:

Originally Posted by hitokiri

I'm not that sure, but I do have cases like that in another programming language. Turns out that my page is not encoded in proper/desired format.

How does it appear when you view the source of the web page? There is a chance that the source is correct but it's just that the output is not what you wanted it to be.

the source looks good (as I'm making it for testing purposes).

I have the encoding of the page set to utf-8, and when I do any sort of 'output', echo, etc I get the same value as the source, without slashes (even after trying to add slashes), so 'we're' comes out 'we're' , and not 'we\'re'.

Then of course when it goes into the database, it comes out 'we’re'.

Atli
Moderator
 
Join Date: Nov 2006
Location: Iceland
Posts: 3,737
#4: May 12 '08

re: addslashes, mysql_real_escape_string, etc not working


Hi.

This does indeed appear to be a problem with your charsets.
Just try forcing your browser to render this page using the UTF-8 charset and view your first post... notice that the incorrect output will display as you initially wanted it to be.

Are you passing the text through any of PHP's functions before adding it to the database?
Like, for example, the htmlentities function?

If so, you may need to specify that you want it to use the UTF-8 charset or it may return it in the default (ISO-8859-1) charset.
Member
 
Join Date: Oct 2007
Posts: 110
#5: May 12 '08

re: addslashes, mysql_real_escape_string, etc not working


Hi Atli,

I am forcing the character set with this line right at the top of my page. Is there another way to do it?

    header("Content-type: text/html; charset=utf-8");

I am passing the data through 'addslashes()' before adding it to the database (thinking that slashes are what helps it get into the db cleanly). I have also tried mysql_real_escape_string, but neither worked.
Member
 
Join Date: Oct 2007
Posts: 110
#6: May 13 '08

re: addslashes, mysql_real_escape_string, etc not working


So I am decoding this puzzle of why 'addslashes' doesn't seem to be working, and it seems there may be a problem with the way I have written my insert query.

I've always used quotes around the variables in the insert statement, but if I remove the quotes I get a mysql error where the slashes should be. If I have quotes in the mysql statement, the insert occurs, but the statement gets inserted with 'special characters' instead of slashes.

here's what I mean re: mysql

    ...VALUES('$address', '$title')
    vs
    ...VALUES($address, $title)

Does this clue anybody in to what my error is?

Now I can get a mysql error, but that doesn't solve why addslashes() isn't working in the first place.

more code

    $eventAddress = "$eventStreet, $eventCity, $eventState, $eventZip";
    $eventAddress = addslashes($eventAddress);
    // echo $eventAddress.'<br />';

    list($date, $time) = explode(' ', $eventDateTime);
    list($month, $day, $year) = split('-', $date);
    $date = date('Y-m-d', mktime(0,0,0,$day,$month,$year));
    // echo $date.'<br />';
    // echo $time.'<br />';

    $insertShow = "INSERT INTO shows ( address, date, time) VALUES ( '$eventAddress', '$date', '$time')";
    mysql_query($insertShow) or die(mysql_error());

dlite922
Expert
 
Join Date: Dec 2007
Location: Moon, Dark Side
Posts: 1,094
#7: May 13 '08

re: addslashes, mysql_real_escape_string, etc not working


Quote:

Originally Posted by pedalpete

So I am decoding this puzzle of why 'addslashes' doesn't seem to be working, and it seems there may be a problem with the way I have written my insert query.

I've always used quotes around the variables in the insert statement, but if I remove the quotes I get a mysql error where the slashes should be. If I have quotes in the mysql statement, the insert occurs, but the statement gets inserted with 'special characters' instead of slashes.

here's what I mean re: mysql

    ...VALUES('$address', '$title')
    vs
    ...VALUES($address, $title)

Does this clue anybody in to what my error is?

Now I can get a mysql error, but that doesn't solve why addslashes() isn't working in the first place.

more code

    $eventAddress = "$eventStreet, $eventCity, $eventState, $eventZip";
    $eventAddress = addslashes($eventAddress);
    // echo $eventAddress.'<br />';

    list($date, $time) = explode(' ', $eventDateTime);
    list($month, $day, $year) = split('-', $date);
    $date = date('Y-m-d', mktime(0,0,0,$day,$month,$year));
    // echo $date.'<br />';
    // echo $time.'<br />';

    $insertShow = "INSERT INTO shows ( address, date, time) VALUES ( '$eventAddress', '$date', '$time')";
    mysql_query($insertShow) or die(mysql_error());

Can you add a die() statement just before mysql_query();

die($insertShow);

That should halt programming and exit and print the SQL given to MySQL. I just want to see what that looks like.

Thanks,

Oh and post the output of the page source here.


DM

Atli
Moderator
 
Join Date: Nov 2006
Location: Iceland
Posts: 3,737
#8: May 13 '08

re: addslashes, mysql_real_escape_string, etc not working


You should always put strings inside single-quote marks in your SQL statements. Otherwise MySQL will try to parse them as columns or extra clauses or something along those lines.

You can use the <meta> tags to *set* the charset on your pages. Something like:

    <html>
    <head>
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    </head>
    <!-- etc -->
    </html>

Don't know if that will change anything tho. The header you showed us should do pretty much the same thing.
Member
 
Join Date: Oct 2007
Posts: 110
#9: May 13 '08

re: addslashes, mysql_real_escape_string, etc not working


Thanks d-lite and Atli, you are definitely correct.

I went around and around in circles with character encoding until I came with what I think is the simple solution.

I can call htmlentities() and encode it all before putting it into the db. The stuff I'm dealing with is Canadian, so I figure that is easier than dealing with all the accents on French characters with slashes etc.

I can't share the source file as it's a local file that I can't share.

Atli, I don't know how I missed your comment about forcing the character set in my browser, but now I can see more clearly. Unfortunately, I still don't see how I can fix that.

Is there any reason I shouldn't store htmlentities in my database?
I'll just convert the string before I pass it into a query (which will mostly be in numeric columns and id's anyway).
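
Added example (not part of the thread and not any poster's code): the symptom discussed above, reproduced at byte level in PHP to show why `addslashes()` leaves the string alone and how a charset mismatch produces the three-symbol output. It assumes PHP 7+ with mbstring; the sample string and the helper names `misread_as_cp1252` and `repair_mojibake` are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Sample string is constructed.
// Helper names are hypothetical. Requires PHP 7+ with the mbstring extension.

// U+2019 RIGHT SINGLE QUOTATION MARK, the "curly" apostrophe. In UTF-8 it is
// the three bytes e2 80 99, not the ASCII apostrophe 0x27.
$title = "we\u{2019}re";

// addslashes() escapes only ASCII ' " \ and NUL, so it has nothing to do here.
printf("addslashes changed it: %s\n", addslashes($title) === $title ? 'no' : 'yes');
printf("bytes: %s\n", bin2hex($title));

// Reading UTF-8 bytes as Windows-1252 turns every byte into its own character.
function misread_as_cp1252(string $utf8): string
{
    return mb_convert_encoding($utf8, 'UTF-8', 'Windows-1252');
}

// Undo that misreading, but only if the result is valid UTF-8 and converting
// it back reproduces the input exactly; otherwise return the input unchanged.
function repair_mojibake(string $s): string
{
    $bytes = mb_convert_encoding($s, 'Windows-1252', 'UTF-8');
    $ok = mb_check_encoding($bytes, 'UTF-8') && misread_as_cp1252($bytes) === $s;
    return $ok ? $bytes : $s;
}

$misread = misread_as_cp1252($title);
printf("misread:  %s\n", $misread);
printf("repaired: %s\n", repair_mojibake($misread));
printf("clean input left alone: %s\n", repair_mojibake($title) === $title ? 'yes' : 'no');

// htmlentities() depends on its charset argument in the same way. Told the
// input is ISO-8859-1, it treats each byte as a character; told UTF-8, it sees
// one character. High bytes are printed as octal escapes to keep output readable.
$asLatin1 = htmlentities($title, ENT_QUOTES, 'ISO-8859-1');
$asUtf8   = htmlentities($title, ENT_QUOTES, 'UTF-8');
printf("ISO-8859-1: %s\n", addcslashes($asLatin1, "\x80..\xff"));
printf("UTF-8:      %s\n", $asUtf8);
```

On the database side the same rule applies to the connection: the charset the client declares (for example `charset=utf8mb4` in a PDO MySQL DSN, or `mysqli::set_charset()`) has to match the bytes actually sent. Bound parameters in a prepared statement then carry the text without any `addslashes()` step.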