I don't think that was the most clear question, but an example should make it a little clearer.

I have a table filled with movie names, some of which contain apostrophes. I have a search box which is used to find movies.

If I perform searches via

mov_title = '$search_keywords'

it all works, but this method will not yield any results for partial searches, so I have to use this

mov_title LIKE '%$search_keywords%'

This method works fine for titles that are A-Za-z0-9, but if a title has an apostrophe, it's not able to find the movie, even if I do an exact match.

Before the titles are stored in the DB, I put them through this:

$search_keywords = htmlspecialchars(mysql_escape_string($_GET["search_keywords"]));

So in the DB, there is a forward slash before every single apostrophe.

The only way to match a movie title with an apostrophe is to physically put a forward slash in front of the apostrophe, in the search box.

This seems so trivial, and I'm sure the solution is painfully obvious, but I'm just not seeing it.

+5  A: 

Use mysql_real_escape_string(), and do not use htmlspecialchars(). The latter is not for database escaping, it's for HTML production.

chaos
Removing htmlspecialchars() didn't change anything. Behaves exactly the same.
Yegor
Because the values in your database already used htmlspecialchars(). You need to unescape all these values. Use html_entity_decode() and stripslashes() for instance.
Patrick Daryll Glandien
I fixed some test values, and I'm still not able to find them.
Yegor
Can you give a few database rows and echo the query before using it?
Patrick Daryll Glandien
You can also consider using addslashes()
Patrick Daryll Glandien
Ah. My tech guy brilliantly turned on magic quotes, which kept multiplying the slashes. If I use mysql_real_escape_string() before inserting stuff into the DB, there won't be any slashes stored in there, correct?
Yegor
Do mysql_real_escape_string(stripslashes($_POST['var']))
Patrick Daryll Glandien
With magic quotes off, it doesn't add any slashes, so I think there is no need.
Yegor
Yeah if you turned them off then mysql_escape_string will suffice.
Patrick Daryll Glandien
Do not, in fact, consider using addslashes(). If you do, you will remain vulnerable to SQL injection.
chaos
+1  A: 

This only happens because you escaped the data for HTML output before doing the output! You should only do it right before doing the output, i.e.:

<li><?php echo htmlspecialchars($some_var); ?></li>

Unescape the values in your database and change the application to escape only on output. You currently have no other way than also doing htmlspecialchars(mysql_real_escape_string()) on the $search_string.

Even if it made sense to escape for HTML already on inserting into the database, mysql_real_escape_string() would be the outer function and not the inner function.

Patrick Daryll Glandien
A: 

If you prefer to keep your database intact, you could just run the htmlspecialchars() function on any search words you are looking for before constructing the query. Though I recommend putting the data into the database exactly as is (but use mysql_real_escape_string() to escape it to hinder SQL injection attempts). Then use htmlspecialchars() when you are printing the data to the browser.
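The approach the answers converge on (store titles raw, keep SQL quoting out of the stored data, escape for HTML only when printing), as an added example that is not code from the question or any answer. It swaps the mysql_* functions for a PDO prepared statement so the apostrophe never touches the SQL text, and assumes the pdo_sqlite extension is available so it runs stand-alone; against MySQL only the DSN changes.

```php
<?php
// Added example: in-memory SQLite via PDO (assumption: pdo_sqlite is installed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE movies (mov_title TEXT NOT NULL)');

// Constructed sample rows, stored exactly as typed: no addslashes(),
// no htmlspecialchars(), no magic quotes, so "Ocean's" is stored as Ocean's.
$insert = $pdo->prepare('INSERT INTO movies (mov_title) VALUES (:title)');
foreach (["Ocean's Eleven", "Schindler's List", 'Heat', 'He said "no"'] as $title) {
    $insert->execute([':title' => $title]);
}

// Partial-match search. The keyword is bound as a parameter, never spliced
// into the query string, so an apostrophe (or any other quote character)
// cannot break the statement. LIKE's own wildcards (% and _) typed by the
// user are escaped so they match literally instead of acting as wildcards.
function searchMovies(PDO $pdo, string $keywords): array
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $keywords);
    $stmt = $pdo->prepare(
        "SELECT mov_title FROM movies WHERE mov_title LIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':pattern' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// HTML escaping happens here, at output time only. ENT_QUOTES matters:
// without it htmlspecialchars() leaves the single quote untouched
// (that was the default before PHP 8.1).
function renderList(array $titles): string
{
    $html = "<ul>\n";
    foreach ($titles as $t) {
        $html .= '<li>' . htmlspecialchars($t, ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html . '</ul>';
}

// An exact apostrophe search and a partial one, typed with no slashes.
print_r(searchMovies($pdo, "ocean's"));
print_r(searchMovies($pdo, "'s"));
echo renderList(searchMovies($pdo, "'s"));
```

Both searches find their rows because the stored title and the bound search term contain the same plain apostrophe; the backslash that magic quotes or a second escaping pass would have inserted never exists in either place.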