user655688

Reputation: 61

Problems with mysql_real_escape_string

I have a field called filter1 on a form, and I would like to be able to save quoted text into MySQL. So I would like to be able to save the value "foo bar"... instead it's saving just /

Here is what I have:

$keyword1 = mysql_real_escape_string($_POST['filter1']);

Any help is appreciated.

Here is how I construct the query:

// Only filter1 is escaped; the other seven POST values go into the query as-is.
$keyword1 = mysql_real_escape_string($_POST['filter1']);
$keyword2 = $_POST['filter2'];//."|".$_POST['filterby'];
$keyword3 = $_POST['filter3'];//."|".$_POST['filterby2'];

$urlfilter1 = $_POST['url1'];
$urlfilter2 = $_POST['url2'];//."|".$_POST['url_filter'];
$urlfilter3 = $_POST['url3'];//."|".$_POST['url_filter2'];
//echo "combo_id:".$num." <BR></br>";
//echo "status:".$status." <BR></br>";
//echo "saveQuery:".$saveQuery." <BR></br>";
//$myFilter = "save"; 

// $status, $saveQuery and $num are set earlier (not shown). String values are
// wrapped in double quotes inside the SQL and interpolated with sprintf().
$insert_query = sprintf("UPDATE COMBINATION 
                        SET STATUS_ID=%s, QUERY=\"%s\", 
                        KEYWORD1=\"%s\", KEYWORD2=\"%s\", KEYWORD3=\"%s\", 
                        URLFILTER1=\"%s\", URLFILTER2=\"%s\", URLFILTER3=\"%s\" 
                        WHERE COMBINATION_ID=%s",$status,$saveQuery,
                        $keyword1,$keyword2,$keyword3,
                        $urlfilter1,$urlfilter2,$urlfilter3,
                        $num);
//echo "insert_query:".$insert_query." <BR></br>";
$result = mysql_query($insert_query) or die(mysql_error());
if($result)
{
    echo "Saved successfully<br>";
}

} ?> // closes an enclosing block that is not shown above

Upvotes: 1

Views: 1081

Answers (3)

Your Common Sense

Reputation: 157981

For some reason you are escaping only one variable, while adding to the query several of them.
Why don't you escape them all?

However, your problem may be somewhere else. What is $saveQuery, I am curious?

Upvotes: 0

Theo

Reputation: 132942

Unless you have a very old and restricted environment, use PDO. It will save you buckets of sweat and tears. With PDO it is very easy to escape input and avoid SQL injection attacks, which is illustrated in the answer that this link leads to.

Upvotes: 10
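As an added illustration of this answer (not code from the question or from any of the answers), here is the UPDATE from the question rewritten with PDO prepared statements. Every value is passed as a bound parameter, so nothing is escaped or quoted by hand and a value such as "foo bar", quotes included, is stored exactly as submitted. The DSN, credentials and the request fields for $status, $saveQuery and $num are assumptions; the table and column names are the ones in the question.

```php
<?php
// Added example, not from the original thread. Connection details are
// placeholders; table and column names come from the question's query.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of die()
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// The question never shows where these come from; assumed request fields.
$status    = (int) ($_POST['status'] ?? 0);
$saveQuery = $_POST['saveQuery'] ?? '';
$num       = (int) ($_POST['combo_id'] ?? 0);

// Named placeholders instead of sprintf()'d, hand-quoted values. The SQL text
// is fixed; user input never becomes part of it.
$sql = 'UPDATE COMBINATION
           SET STATUS_ID = :status, QUERY = :query,
               KEYWORD1 = :kw1, KEYWORD2 = :kw2, KEYWORD3 = :kw3,
               URLFILTER1 = :url1, URLFILTER2 = :url2, URLFILTER3 = :url3
         WHERE COMBINATION_ID = :id';

$stmt = $pdo->prepare($sql);
$stmt->bindValue(':status', $status, PDO::PARAM_INT);
$stmt->bindValue(':query',  $saveQuery);
$stmt->bindValue(':kw1',    $_POST['filter1'] ?? '');   // "foo bar" stays "foo bar"
$stmt->bindValue(':kw2',    $_POST['filter2'] ?? '');
$stmt->bindValue(':kw3',    $_POST['filter3'] ?? '');
$stmt->bindValue(':url1',   $_POST['url1'] ?? '');
$stmt->bindValue(':url2',   $_POST['url2'] ?? '');
$stmt->bindValue(':url3',   $_POST['url3'] ?? '');
$stmt->bindValue(':id',     $num, PDO::PARAM_INT);

$stmt->execute();
if ($stmt->rowCount() > 0) {
    echo "Saved successfully<br>";
}
```

With ERRMODE_EXCEPTION a failed query raises a PDOException, so there is no need for the `or die(mysql_error())` pattern from the question.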

Calum

Reputation: 5316

Well, first you need to connect to the database with mysql_connect() http://php.net/manual/en/function.mysql-connect.php

Then you need to call your INSERT query with mysql_query() http://php.net/manual/en/function.mysql-query.php

By the way, you are doing the right thing by escaping the string before putting it into a query, well done :)

Upvotes: 1
