I'm having a problem with text areas and MySQL/PHP. When I enter a comma, like this ', it gives the following error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 't pay attention to this post.')' at line 1
That 't was supposed to be 'don't'. So, I was hoping somebody knows the answer to this. Also, I had some problems with enters. They wouldn't show up when I read the content out of the MySQL database. But I found a solution for that. I use:
```php
$message = preg_replace('[\r\n]', '<br>', $message);
```
If anyone knows a better solution, you're welcome! But my main problem is the first. I hope somebody can help me... Thanks!
That is not a comma, it is a single quote, and it is being interpreted as SQL, not the textual content you want it to be. You need to convert the ' to \' so you could do
```php
if (!get_magic_quotes_gpc()) {
    $message = addslashes($message);
}
```
or like how you fixed the carriage return problem.
You need to escape the single quote ' with a backslash, like this: \'. You can use the function mysql_real_escape_string(), which also escapes some other special characters so your value is SQL safe. Example:
```php
mysql_real_escape_string($_POST["your_textarea"])
```
You can use the function nl2br() to automatically insert <br /> tags for enters entered in a text field.
Thanks! I'm going to try everything first thing tomorrow. Btw, I wasn't sure what they're called in English since I'm Dutch. But thanks anyway!
Ok, things are getting weird now... I added the last code, and it worked. Thanks for that! I preferred that one, because it escapes more characters. But now, something happens that already happened before sometimes. I don't need the code anymore. For some reason it already escapes the characters. So when I put the mysql_real_escape_string line in it, my text gets double escaped, so when echo'ed back from my database it turns out like this: don\'t. And well, that doesn't look very nice. So I was wondering, do you know why one time it doesn't escape my text and I get errors, and the other time it does escape my text and everything works fine?
There is a PHP command stripslashes to undo the escaping of text in the database.
```php
stripslashes($string);
```
and that will do it.
I don't think it's my script. Because as I said, (without the mysql_real_escape_string) sometimes everything goes fine and my script works, and sometimes I get errors. But here's my 'post' script. It's just an ordinary form with the fields: name, title, date, time, music, mood, message (the last one is a text field/textarea).
```php
<?php
include("logged-in.php");
include ("connect.php");

if (!empty($_POST['title']) AND !empty($_POST['date']) AND !empty($_POST['message'])AND !empty($_POST['name'])){
    //$message = mysql_real_escape_string($_POST['message']);
    $message = $_POST["message"];
    // characters
    /*$message = str_replace(")","\)",$message);
    $message = str_replace("(","\(",$message);
    $message = str_replace("'","\'",$message);*/
    //$message = str_replace("'", "'", $message);
    $message = mysql_real_escape_string($message);
    $message = preg_replace('[\r\n]', '<br>', $message);
    // OK, build the query with the variables in $_POST
    $query="INSERT INTO blog (name, title, date, time, music, mood, message) ";
    $query .= "VALUES ('"; // mind the position of the single quotes
    $query .= $_POST["name"] ."', '" ;
    $query .= $_POST["title"] ."', '" ;
    $query .= $_POST["date"] ."', '" ;
    $query .= $_POST["time"] ."', '" ;
    $query .= $_POST["music"] ."', '" ;
    $query .= $_POST["mood"] ."', '" ;
    $query .= $message . "');" ;
    $result = mysql_query($query) or die ("FOUT: " . mysql_error());
}
else{
    echo ("Oeps, vergeten titel, date of update in te vullen...<br><a href=\"javascript:history.back(1)\">Previous</a>");
}
echo("<class=\"BodyText\">Ga naar <a href=\"index.php?page=log\">log...</a></class>");
?>
```
Anyway, the last line did the trick, the stripslashes. It really just unescapes my text again, without removing all the slashes that I put in on purpose. Really funny. Thanks!
Possibly you have already escaped with str_replace? So the mysql_real_escape_string function will just double escape it? Also, if you take out preg_replace('[\r\n]', '<br>', $message), you can automatically put in <br> during display time using the function nl2br(), e.g. echo nl2br($message);
If I'm right, all the string_replace is just 'comment', so the text can't be escaped by that... It's just this:
```php
<?php
include("logged-in.php");
include ("connect.php");

if (!empty($_POST['title']) AND !empty($_POST['date']) AND !empty($_POST['message'])AND !empty($_POST['name'])){
    $message = $_POST["message"];
    $message = preg_replace('[\r\n]', '<br>', $message);
    $message = mysql_real_escape_string($message);
    $query="INSERT INTO blog (name, title, date, time, music, mood, message) ";
    $query .= "VALUES ('"; // mind the position of the single quotes
    $query .= $_POST["name"] ."', '" ;
    $query .= $_POST["title"] ."', '" ;
    $query .= $_POST["date"] ."', '" ;
    $query .= $_POST["time"] ."', '" ;
    $query .= $_POST["music"] ."', '" ;
    $query .= $_POST["mood"] ."', '" ;
    $query .= $message . "');" ;
    $result = mysql_query($query) or die ("FOUT: " . mysql_error());
}
else{
    echo ("Oeps, vergeten titel, date of update in te vullen...<br><a href=\"javascript:history.back(1)\">Previous</a>");
}
echo("<class=\"BodyText\">Ga naar <a href=\"index.php?page=log\">log...</a></class>");
?>
```
Thanks for the last comment, that's much handier.
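Added example, not part of the thread and not any poster's code: the same blog insert written with bound parameters, so a quote in any of the seven fields cannot break the query and no addslashes()/stripslashes() round trip is needed. The message is stored raw and only HTML-encoded and passed through nl2br() at display time. PDO with an in-memory SQLite database and the sample `$post` array are assumptions standing in for the thread's MySQL connection and `$_POST`.

```php
<?php
// Added example, not code from the thread. Assumption: PDO with an in-memory
// SQLite database stands in for the thread's MySQL connection (connect.php).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE blog (name TEXT, title TEXT, date TEXT, time TEXT,
                               music TEXT, mood TEXT, message TEXT)');

// Constructed sample input in place of $_POST: quotes in two fields and
// CRLF line breaks as a browser submits them from a textarea.
$post = [
    'name'    => "O'Brien",
    'title'   => 'Test',
    'date'    => '2008-01-01',
    'time'    => '12:00',
    'music'   => '',
    'mood'    => '',
    'message' => "Don't pay attention to this post.\r\nSecond <b>line</b>.",
];

function save_post(PDO $pdo, array $post): void
{
    $fields = ['name', 'title', 'date', 'time', 'music', 'mood', 'message'];
    // Every value travels as a bound parameter, so no field is ever parsed
    // as SQL and nothing needs addslashes() or stripslashes().
    $stmt = $pdo->prepare(
        'INSERT INTO blog (' . implode(', ', $fields) . ')
         VALUES (:' . implode(', :', $fields) . ')'
    );
    foreach ($fields as $f) {
        $stmt->bindValue(':' . $f, $post[$f] ?? '');
    }
    $stmt->execute();
}

function render_message(string $raw): string
{
    // Stored text is raw; HTML-encode it and add <br /> only when displaying.
    return nl2br(htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'));
}

save_post($pdo, $post);
$row = $pdo->query('SELECT name, message FROM blog')->fetch(PDO::FETCH_ASSOC);
echo $row['name'], "\n", render_message($row['message']), "\n";
```

Against MySQL only the PDO connection line changes; the prepared statement and the display function stay the same.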