When using a single quote in the description field in the
edit team form, a SQL error will be generated. The
program should strip out/reformat single quotes as they
are used to surround the SQL statements.
A quick and dirty workaround is to escape the single
quote which will allow you to save (works once and then
must be repeated to save again):
"This bug's related to the apostrophe"
Becomes:
"This bug\'s related to the apostrophe"
Detailed Explanation:
1) Edit a team record using team_edit.php
2) Enter an apostrophe in the "Description" field
3) Press save
4) The following error will be displayed:
1064: You have an error in your SQL syntax near '
5) Backpage and escape the apostrophe using \
6) Save the record
7) No error is displayed and the record is saved normally.
This will likely affect all text fields in the application. A
form processor function is required to handle the
formatting globally.
Logged In: YES
user_id=841355
The solution seems to be to enable PHP's magic quotes
directive. This will escape any single or double quotes in
HTTP GET, POST and cookie submissions. The escaped
strings are not saved to the database but will prevent the SQL
queries from breaking.
To enable magic quotes, edit your php.ini file to set the
directive to "On".
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On
If you are in an ISP hosting situation where you can't set the
directive (and it's "Off"), please let me know and we'll add a
small form processing function for each save script.
Sincerely,
Calvin Martini
E-GADS Project Team Member
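Both posts above describe the same defect: the submitted description is spliced into the SQL text, so an apostrophe ends the string literal and the statement no longer parses. The following added example (not the E-GADS project's code) reproduces the failure against an in-memory SQLite table and shows the fix that removes the need for escaping, magic quotes or the backslash workaround, namely binding the value as a query parameter; the `team` table and its columns are assumptions for the demo.

```python
import sqlite3

# Constructed sample input: the description from the bug report, apostrophe included.
DESCRIPTION = "This bug's related to the apostrophe"


def make_db():
    """In-memory stand-in for the application's team table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE team (id INTEGER PRIMARY KEY, description TEXT)")
    conn.execute("INSERT INTO team (id, description) VALUES (1, 'original')")
    return conn


def save_concatenated(conn, team_id, description):
    """The reported failure mode: the value becomes part of the SQL text, so an
    apostrophe terminates the quoted literal and the database rejects the statement.
    Returns the database error message, or None if the update succeeded."""
    sql = ("UPDATE team SET description = '" + description
           + "' WHERE id = " + str(team_id))
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def save_parameterized(conn, team_id, description):
    """The fix: a bound parameter is never parsed as SQL, so quotes in the value
    need no escaping and are stored exactly as the user typed them.
    Returns the description read back from the table."""
    conn.execute("UPDATE team SET description = ? WHERE id = ?", (description, team_id))
    conn.commit()
    row = conn.execute("SELECT description FROM team WHERE id = ?", (team_id,)).fetchone()
    return row[0]


if __name__ == "__main__":
    print("concatenated:", save_concatenated(make_db(), 1, DESCRIPTION))
    print("parameterized:", save_parameterized(make_db(), 1, DESCRIPTION))
```

The same pattern applies to PHP with mysqli or PDO prepared statements, which is the global form-processing fix the report asks for.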