I have a form for a blog post, and whenever I have a single quote (for example, that’s), the SQL insert code breaks. I have tried using mysql_real_escape_string:
$Description = mysql_real_escape_string($_POST['Description']);
But this doesn’t work. I tried using htmlspecialchars() too, but for these posts I need to be able to use HTML code for adding links and images.
I updated the SQL code like a guide said to do and it still didn’t work. I can update it if there are no single quotes, so the code does work, but the single quotes are causing lots of trouble.
$SQL = "UPDATE Posts SET Title = '$Title',LinkTitle = '$LinkTitle',MainPicture = '$MainPic',Description ='".$Description."',Maintext = '$Main',Type = '$SubCategory',Featured = '$Featured'
,category = '$Category',thumbnail='$thumb'
WHERE ID = '$id'";
Fix
Thanks to Gaucho for the solution. The problem was that I was using mysqli to connect to the database; changing the connection code to normal mysql_connect fixed the problem.
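The mysql_* extension is deprecated and removed in current PHP, and mysql_real_escape_string only works over a mysql_connect link, which is why it does nothing useful when the connection was opened with mysqli. The following is an added example, not code from the question or from Gaucho's answer: it rewrites the same UPDATE as a mysqli prepared statement, so the single quotes in the data are never part of the SQL text and no escaping function is needed. The host, credentials, database name, sample post values and the column types (Featured and ID as integers) are assumptions for illustration; the table and column names follow the question's query.

```php
<?php
// Added example (not from the original post): the question's UPDATE as a mysqli
// prepared statement. Host, user, password, database name and the sample post
// values below are assumptions; table and column names follow the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on failure instead of returning false

$db = new mysqli('localhost', 'blog_user', 'blog_password', 'blog');
$db->set_charset('utf8mb4'); // keep the connection charset explicit

// Constructed sample input: the kind of value that broke the original query.
// Description keeps its HTML; nothing is altered before it is stored.
$post = [
    'Title'       => "That's amore",
    'LinkTitle'   => 'thats-amore',
    'MainPicture' => 'amore.jpg',
    'Description' => "<p>That's amore, with <a href=\"/amore\">a link</a></p>",
    'Maintext'    => "It's <b>fine</b>",
    'Type'        => 'recipe',
    'Featured'    => 1,
    'category'    => 'italian',
    'thumbnail'   => 'amore-thumb.jpg',
    'ID'          => 42,
];

// Placeholders (?) replace the quoted '$var' interpolation. The values travel
// separately from the SQL text, so a quote in the data can neither end the
// string literal nor inject SQL, and mysql_real_escape_string is not needed.
$sql = 'UPDATE Posts
        SET Title = ?, LinkTitle = ?, MainPicture = ?, Description = ?,
            Maintext = ?, Type = ?, Featured = ?, category = ?, thumbnail = ?
        WHERE ID = ?';

$stmt = $db->prepare($sql);
// Type string: one character per placeholder, in order; s = string, i = integer.
$stmt->bind_param(
    'ssssssissi',
    $post['Title'], $post['LinkTitle'], $post['MainPicture'], $post['Description'],
    $post['Maintext'], $post['Type'], $post['Featured'], $post['category'],
    $post['thumbnail'], $post['ID']
);
$stmt->execute();
printf("Rows updated: %d\n", $stmt->affected_rows);

$stmt->close();
$db->close();
```

If a string really must be concatenated into SQL over a mysqli connection, the matching function is $db->real_escape_string(), called on the same connection after set_charset(); but the prepared statement above makes that unnecessary. Storing HTML unchanged is the right call for input; whether that HTML is safe to echo back to other readers is a separate output question and is not solved by any SQL escaping.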
Use this code, with your database name and password, and report the error you are obtaining.
mysql_real_escape_string is not the problem in your query, since in my case it is working fine. Also let us know your PHP and MySQL versions.
I also suggest PhpEd to debug your code.
Note: the result of mysql_real_escape_string in my sample is "that\'s amore".
Any echoed string that doesn't start with "Invalid..." means that the query is running fine.
Note 2: this is the right method to connect to your server.
If you want to connect using mysqli, use the following code to connect, since you are doing it in the wrong way: