I'm trying to learn PHP/MySQL.

Inserting data into MySQL works fine, but inserting values with an apostrophe generates an error. I tried using mysql_real_escape_string, yet this doesn't work.

Would appreciate any help.


<?php
include 'config.php';   // assumed to open the connection and define $conn

echo "Connected <br />";

$auth = $_POST['author'];
$quo = $_POST['quote'];

// escape the delimiter characters inside each value
$author = mysql_real_escape_string($auth); 
$quote = mysql_real_escape_string($quo); 

//**************************

//inserting data
$sql="INSERT INTO Quotes (vauthor, cquotes)
VALUES ($author, $quote)";

if (!mysql_query($sql,$conn))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

...

What am I doing wrong?

+8  A: 

Your values are strings; they still need delimiters in the SQL statement, even after you've escaped them.

//inserting data
$sql="INSERT INTO Quotes (vauthor, cquotes)
VALUES ('$author', '$quote')";
Peter Bailey
thanks! that worked!
fuz3d
Not "even" but **because** you've escaped them, as this function does no more than escape delimiters (quotes).
Col. Shrapnel
@Col. Shrapnel, not sure what you mean. I don't agree with the *because* assertion, since even non-escaped string values would still need delimiters.
Peter Bailey
But there should never be a non-escaped string! These are two parts of one rule; one is useless without the other. Both must be done: escaping and delimiting. No exceptions.
Col. Shrapnel
What I'm saying is they don't need delimiters **because** they've been escaped, they need delimiters *because they're strings*. In practice, yes, we want to always do both. But in technical terms, they are separate - i.e., escaped and non-escaped strings both need delimiters.
Peter Bailey
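The comment thread above is the security-relevant point of this question: escaping only neutralises quote characters *inside* a string literal, so a value that is escaped but not wrapped in delimiters is still parsed as SQL rather than stored as data. The following is an added example, not code from the question or either answer. It uses PDO with an in-memory SQLite database so it runs offline (it assumes the `pdo_sqlite` extension is loaded), and it uses `PDO::quote()` with the outer quotes stripped in place of `mysql_real_escape_string()`, which was removed in PHP 7; both produce an escaped value without delimiters, which is the shape the question's code interpolates. The table names, the `secrets` table and the `$_POST`-style inputs are constructed sample data.

```php
<?php
// Added example (not from the original post). Uses PDO with an in-memory
// SQLite database so it runs offline; assumes the pdo_sqlite extension is
// loaded. The same four steps apply unchanged to MySQL via PDO's mysql driver.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Quotes (vauthor TEXT, cquotes TEXT)");
$db->exec("CREATE TABLE secrets (token TEXT)");                 // constructed
$db->exec("INSERT INTO secrets VALUES ('s3cr3t-api-token')");   // constructed

// Escape the delimiter characters inside a value WITHOUT adding delimiters.
// PDO::quote() returns 'O''Brien'; stripping the outer quotes gives O''Brien,
// the same shape mysql_real_escape_string() produced (it used O\'Brien).
function escapeOnly(PDO $db, string $s): string {
    return substr($db->quote($s), 1, -1);
}

// Constructed input containing apostrophes, like the one in the question.
$author = "O'Brien";
$quote  = "Don't panic";

// 1. Escaped but unquoted: the apostrophe is escaped, but the value is still
//    bare SQL, so the statement fails to parse. This is the question's error.
try {
    $db->exec("INSERT INTO Quotes (vauthor, cquotes) VALUES ("
        . escapeOnly($db, $author) . ", " . escapeOnly($db, $quote) . ")");
    echo "unexpected: unquoted insert succeeded\n";
} catch (PDOException $e) {
    echo "1. unquoted insert failed: " . $e->getMessage() . "\n";
}

// 2. Escaped AND quoted: the answers' fix. The apostrophe is stored literally.
$db->exec("INSERT INTO Quotes (vauthor, cquotes) VALUES ('"
    . escapeOnly($db, $author) . "', '" . escapeOnly($db, $quote) . "')");
echo "2. quoted insert stored: "
    . $db->query("SELECT vauthor FROM Quotes")->fetchColumn() . "\n";   // O'Brien

// 3. Why an unquoted value is an injection, not just a syntax error: a value
//    with no quote characters passes the escaper untouched, and without
//    delimiters it is executed as SQL instead of being stored as text.
$payloadAuthor = "(SELECT token FROM secrets)";   // constructed attacker input
$payloadQuote  = "1";
$db->exec("INSERT INTO Quotes (vauthor, cquotes) VALUES ("
    . escapeOnly($db, $payloadAuthor) . ", " . escapeOnly($db, $payloadQuote) . ")");
echo "3. unquoted payload copied the secret into Quotes: "
    . $db->query("SELECT vauthor FROM Quotes WHERE cquotes = '1'")->fetchColumn() . "\n";

// 4. Prepared statement: the driver keeps data and SQL apart, so neither
//    escaping nor delimiting is left to the application. The same payload is
//    stored as the literal text "(SELECT token FROM secrets)".
$stmt = $db->prepare("INSERT INTO Quotes (vauthor, cquotes) VALUES (:author, :quote)");
$stmt->execute([':author' => $payloadAuthor, ':quote' => "2"]);
echo "4. prepared statement stored the payload as text: "
    . $db->query("SELECT vauthor FROM Quotes WHERE cquotes = '2'")->fetchColumn() . "\n";
```

Run it with `php example.php`. Step 1 reproduces the error from the question, step 2 is the accepted fix, step 3 shows that the fix is not optional hygiene but the difference between data and code, and step 4 is what a learner should actually be writing today: with `mysqli` or PDO prepared statements the delimiter question never arises, because the value is never spliced into the SQL text at all.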
+3  A: 

Strings must be wrapped in quotes in SQL:

$sql="INSERT INTO Quotes (vauthor, cquotes)
VALUES ('$author', '$quote')";
Coronatus