I have a form that uploads data to a MySQL database. There is an external PHP file that processes the form. I am having an issue when someone uses a quote or an apostrophe. Here is an example of what is entered into the form and what appears in the database:
If I enter target's in the form, it comes out target\'s in the database.
If I enter "Sud" in the form, it comes out \"Sud\" in the database.
In the variable declaration, I am using this:
$var = mysql_escape_string($_POST['var']);
and in the insert statement, I am using this:
$query = "INSERT INTO tablename VALUES ('$var')";
I also tried mysql_real_escape_string, and when I used that function, no data was inserted at all into the table.
Can someone please tell me what I need to do to escape those characters so the data comes out just as entered in the form? Thank you.
First, please note that mysql_escape_string is deprecated; see mysql_escape_string.
Second, I suspect your issue is caused by the table character set. Try using mysql_real_escape_string to see if this fixes it.
Please note that mysql_real_escape_string is also deprecated.
It's safer, and easier, to use PDO and query parameters:
$query = "INSERT INTO tablename (columnname) VALUES (?)";
$stmt = $pdo->prepare($query);
$stmt->execute([$_POST['var']]);
With query parameters, you never need to worry about quoting/escaping, or possible apostrophes or any other tricky characters.
Query parameters are also supported by the mysqli extension, but I recommend you skip over mysqli and learn PDO. PDO is easier to use.
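As an added illustration of the parameterised approach above (this is not code from the question or the answers), here is a complete PDO script that inserts values containing apostrophes, double quotes and backslashes, then reads them back to confirm they are stored exactly as entered. It uses an in-memory SQLite database so it runs stand-alone; for MySQL only the DSN, user and password would change, the PDO calls are the same. The table name, column name and sample inputs are assumptions.

```php
<?php
// Added example, not part of the original question or answers.
// For MySQL the DSN would be 'mysql:host=localhost;dbname=DBNAME;charset=utf8mb4'
// plus a user and password; SQLite in memory is used so this runs offline.
$pdo = new PDO('sqlite::memory:');

// Throw on SQL errors instead of failing silently, so an insert that does
// nothing (as described in the question) surfaces as an exception.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepared statements rather than client-side
// emulation (matters for MySQL; SQLite ignores the setting).
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Assumed table and column names matching the answer's snippet.
$pdo->exec('CREATE TABLE tablename (columnname TEXT NOT NULL)');

function insertValue(PDO $pdo, string $value): void
{
    // The value travels as a bound parameter and is never spliced into the
    // SQL text, so no escaping is applied and no backslashes get stored.
    $stmt = $pdo->prepare('INSERT INTO tablename (columnname) VALUES (:val)');
    $stmt->execute([':val' => $value]);
}

// Constructed sample inputs standing in for $_POST['var']; the first two are
// the values from the question, the third adds literal backslashes.
$inputs = ["target's", '"Sud"', 'C:\\path\\file'];
foreach ($inputs as $input) {
    insertValue($pdo, $input);
}

// Read everything back and compare byte-for-byte with what was submitted.
$rows = $pdo->query('SELECT columnname FROM tablename')
            ->fetchAll(PDO::FETCH_COLUMN);

foreach ($inputs as $i => $input) {
    $status = ($rows[$i] === $input) ? 'stored exactly as entered' : 'MISMATCH';
    printf("%-16s => %s\n", $input, $status);
}
```

Running it prints "stored exactly as entered" for all three values; swapping the parameter for string concatenation of an escaped value is what produces the stray backslashes seen in the question.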