quotes from form input + MySQL insert query
From: Jeremy Epstein (jepstein_at_it.uts.edu.au)
Date: 07/27/04
- Next message: Savut: "Re: Create a PHP Page Dynamically"
- Previous message: Sebastian Lauwers: "Re: Passing a variable to a web page via the URL"
- Next in thread: Luciano Tolomei: "Re: quotes from form input + MySQL insert query"
- Reply: Luciano Tolomei: "Re: quotes from form input + MySQL insert query"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 27 Jul 2004 22:46:15 +1000
<whinge>Please help! I'm tearing my hair out, trying to get this to work...
I've tried everything, nothing seems to work, it is extremely
weird.</whinge>
This is what happens: when the user enters input from a form, that input is
POSTed to my script page, which then runs an insert query to put it into a
MySQL table. All the fields are strings. Most of them are inputted through
HTML text boxes, while one is inputted through an HTML textarea element.
The problem: when there are SINGLE quotes (double quotes work fine) in the
TEXTBOX fields (textarea fields work fine), the data is only inserted up to
the first single quote. I'm handling textboxes and textareas in exactly the
same way, but a textarea string full of single quotes is handled fine, while
a similar textbox string is not!
I have magic_quotes turned on, and since I do not have access to php.ini on
my hosted site, I can't turn it off. I've checked the POSTed data by echoing
all fields, and magic_quotes is handling all fields the same: it puts a
backslash before every quote in every field. So the problem is not
magic_quotes, because it's doing its job the same for all data.
I've tried everything: I've tried using urlencode() and urldecode(),
htmlentities() and htmlspecialchars(). In case magic_quotes was stuffing up
somehow, I tried using addslashes() and stripslashes(). I even wrote a
regular expression to replace all single backslashes with double
backslashes, in case the single ones generated by magic_quotes weren't
enough for some reason:
preg_replace("/\\\\/","${1}\\\\\\${2}",$_POST['input_field'])
But using that just generated a MySQL syntax error. When I just run the
script plain, without using any special functions like addslashes() or the
one above, I don't get any error messages: the text just isn't inserted past
the first single quote.
Here is some of the code that I'm using. From the form input page:
<form name="adminForm" method="post" action="transact-admin.php">
<input type="hidden" name="pageelement" value="hotdeals" />
...
<tr>
...
<td class="item_cell">
<input type="text" name="hotdeal_to_add_section_url" maxlength="100"
value="" />
</td>
<td class="item_cell">
<input type="text" name="hotdeal_to_add_title" maxlength="100" value="" />
</td>
<td class="item_cell">
<textarea name="hotdeal_to_add_body" rows="8" cols="40"></textarea>
</td>
<td class="item_cell">
<input type="text" name="hotdeal_to_add_image_url" maxlength="100"
value="" />
</td>
<td class="item_cell">
<input type="text" name="hotdeal_to_add_image_desc" maxlength="100"
value="" />
</td>
...
</tr>
And from the processing script (transact-admin.php):
case 'hotdeals':
.....
$sql_hotdeal = "INSERT IGNORE INTO ga_hotdeals ".
"( hotdeal_id, section_url, title, body, ".
"image_url, image_desc ) ".
"VALUES ".
"( '". $_POST['hotdeal_to_add_number']. "', '".
$_POST['hotdeal_to_add_section_url']. "', '".
$_POST['hotdeal_to_add_title']. "', '".
$_POST['hotdeal_to_add_body']. "', '".
$_POST['hotdeal_to_add_image_url']. "', '".
$_POST['hotdeal_to_add_image_desc']. "' )";
$insert_hotdeal = mysql_query($sql_hotdeal)
or die(mysql_error());
The really weird thing, like I said, is that I only have this problem for
textbox-entered data, and not for textarea-entered data. Because the problem
only occurs with single quotes, I'm guessing that it has something to do
with the single quotes in my raw HTML form elements. Or maybe it's because I
use single quotes in the MySQL query. But none of this should
matter, because I've seen by echoing the POSTed data that it all gets posted
exactly the same! All the quotes in all the fields get given backslashes by
magic_quotes, so they should all be handled the same when they're inserted
into the MySQL table.
If someone could let me know just what the HELL is going on, I would greatly
appreciate it. I've been working on this problem for about 3 days now, and I
will not rest until it's solved.
Jeremy Epstein.
jepstein@it.uts.edu.au
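As an added example (not the original poster's code), here is the same insert written so that quotes in the input never need escaping at all: the values are bound as parameters instead of being spliced into the SQL text, which also removes the injection risk that the concatenated query carries. It uses PDO against an in-memory SQLite database so it runs offline (the same prepare()/execute() calls work unchanged against a MySQL DSN); the table and column names come from the post, the sample input is constructed, and the magic_quotes handling is guarded so the script runs whether or not that feature exists in your PHP build.

```php
<?php
// Added example: bound parameters instead of string concatenation.
// Assumes the pdo_sqlite extension; swap the DSN for MySQL in production.

// Constructed sample input, shaped like the POSTed form fields from the post.
$post = [
    'hotdeal_to_add_number'      => '7',
    'hotdeal_to_add_section_url' => "/deals/o'brien",
    'hotdeal_to_add_title'       => "It's a deal: 50% off",
    'hotdeal_to_add_body'        => "Body with 'single' and \"double\" quotes",
    'hotdeal_to_add_image_url'   => '/img/deal.png',
    'hotdeal_to_add_image_desc'  => "Rob's photo",
];

// Undo magic_quotes_gpc where it still exists (removed in PHP 8) so the stored
// value is what the user typed, not a backslash-escaped copy of it.
function raw_input(array $post, string $key): string {
    $v = $post[$key] ?? '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $v = stripslashes($v);
    }
    return $v;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ga_hotdeals (hotdeal_id INTEGER PRIMARY KEY, section_url TEXT,'
        . ' title TEXT, body TEXT, image_url TEXT, image_desc TEXT)');

// The concatenated form from the post: the first single quote in the data ends the
// SQL string literal, so the statement is malformed (and, with crafted input, injectable).
$concat = "INSERT INTO ga_hotdeals (hotdeal_id, title) VALUES ('1', '"
        . raw_input($post, 'hotdeal_to_add_title') . "')";
try {
    $db->exec($concat);
} catch (PDOException $e) {
    echo "concatenated query rejected: " . $e->getMessage() . "\n";
}

// Prepared statement: the driver sends data separately and never parses it as SQL.
$stmt = $db->prepare('INSERT INTO ga_hotdeals (hotdeal_id, section_url, title, body,'
                   . ' image_url, image_desc) VALUES (?, ?, ?, ?, ?, ?)');
$stmt->execute([
    raw_input($post, 'hotdeal_to_add_number'),
    raw_input($post, 'hotdeal_to_add_section_url'),
    raw_input($post, 'hotdeal_to_add_title'),
    raw_input($post, 'hotdeal_to_add_body'),
    raw_input($post, 'hotdeal_to_add_image_url'),
    raw_input($post, 'hotdeal_to_add_image_desc'),
]);

$row = $db->query('SELECT title FROM ga_hotdeals WHERE hotdeal_id = 7')->fetch(PDO::FETCH_ASSOC);
var_dump($row['title'] === "It's a deal: 50% off"); // bool(true): the quotes are stored intact
```

INSERT IGNORE is MySQL-specific, so the example uses a plain INSERT; add IGNORE back when pointing it at MySQL.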