Home/ Questions/Q 9006107
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T01:19:30+00:00

I have a form with PHP that saves a variable to a MySQL database.

  • 0

I have a form with PHP that saves a variable to a MySQL database. That form worked on a VPS, but when trying it on another VPS it gives an error when trying to write to the database when the field contains a ‘ character. So the same PHP code works on 1 VPS when the field contains a ‘ character, but not on the other VPS.

Here it works: http://www.zoekmachineoptimalisatie.us/test.php
and here (it’s the other VPS) it gives an error: http://www.onzebruidsfotograaf.nl/test.php

My form:

<?php
$hostname = "localhost"; //host name
$dbname   = "xxxxxxxx"; //database name
$username = "xxxxxxxx"; //username you use to login to php my admin
$password = "xxxxxxxx"; //password you use to login
$conn     = new MySQLi($hostname, $username, $password, $dbname);

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <title>Untitled Document</title>
</head>
<body>
<?php
if (isset($_POST['Submit'])) { //if the submit button is clicked

    $title  = $_POST['updatetitle'];
    $bookid = 1;
    $update = "UPDATE test SET Title='$title' WHERE BookID = " . $bookid;

    $conn->query($update) or die("Cannot update"); //update or error
}
?>


<?php
$bookid = 1;
$sql    = "SELECT * FROM test WHERE BookID = '" . $bookid . "'";
$result = $conn->query($sql) or die(mysql_error());
$query = getenv(QUERY_STRING);
parse_str($query);
?>

<h2>Update Record <?php echo $bookid;?></h2>

<form action="" method="post">
    <?php

    while ($row = $result->fetch_assoc()) {
        ?>

        <textarea name="updatetitle" cols="100" rows="30"><?php echo $row['Title']; ?></textarea>

        <table border="0" cellspacing="10">

            <tr>
                <td><INPUT TYPE="Submit" VALUE="Update the Record" NAME="Submit"></td>
            </tr>
        </table>
        <?php
    }
    ?>
</form>

<?php
if ($update) { //if the update worked

    echo "<b>Update successful!</b>";

}
?>
</body>
</html>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    An unescaped quote in your query will produce a syntax error. Instead of building the SQL fully your own, make use of SQL variables for your PHP variables with a Prepared Statement:

    if (isset($_POST['Submit'])) { //if the submit button is clicked

    $title  = $_POST['updatetitle'];
    $bookid = 1;

    $update = $conn->prepare('UPDATE test SET Title = ? WHERE BookID = ?;');
    $update->bind_param('sd', $title, $bookid);
    $update->execute();
}

    One of your servers has Magic Quotes enabled and the other doesn’t. Magic Quotes is now considered undesirable and is deprecated, it automatically escapes input. You should turn off Magic Quotes and use a parameterised query/prepared statement instead – then there is no need to escape anything and it prevents SQL Injection.

    Paramterised queries are supported by the MySQLi and PDO APIs.

    • 0