How to store input text value or text area value with & symbol and special characters?

Question

I have already checked with htmlentities, htmlspecialchars, mysql_real_escape_string but nothing helped me.

I just want to save "Hello my name is john & my native is chennai"

when i tried to save this, only "Hello my name is john " is saved.

what should i do to store & symbol from php form to mysql database?

Update with sample code: Let the input field be like,

<input type="text" name="product_desc" />

and getting values in php be like

$product_description = htmlentities($_POST['product_desc']);
$product_description2 = htmlspecialchars($_POST['product_desc']);

I've posted an example script below; modify to suit and welcome to ["prepared statements"](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) ;-) — Funk Forty Niner, May 24 '15 at 15:20

score 2 · Answer 1 · answered May 24 '15 at 15:17

Use prepared statements. See reference(s) below.

Here is a script that I use (pulled from one of my libraries) and it works, even with the ampersand (pre-tested) and make sure the column is varchar.

Pre-test entered "John & me" in DB successfully.
You will need to modify it to suit your inputs etc.

-mysqli with prepared statements method

<!doctype html>
<head></head>
<title></title>

<body>
    <form action="<?php echo htmlentities($_SERVER["PHP_SELF"]); ?>" method="post">
    <p><strong>Name: </strong>
    <input name="name" type="text" width="50">     
    </p>
    <p><strong>Email: </strong>
    <input name="email" type="text" width="50" /></p>
    <p><input type="submit" name="submit" value="Submit" /></p>
    </form>
</body>
</html>

<?php

error_reporting(E_ALL);
ini_set('display_errors', 1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$DB_HOST = 'xxx';
$DB_USER = 'xxx';
$DB_PASS = 'xxx';
$DB_NAME = 'xxx';


$con = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
if($con->connect_errno > 0) {
  die('Connection failed [' . $con->connect_error . ']');
}

if( isset($_POST['submit']) 
    && !empty($_POST['name']) 
    && !empty($_POST['email']) ){


/* ===================== not all parts needed, modify to suit ======================= */

$name = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING);
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
$email = filter_var($email, FILTER_VALIDATE_EMAIL);
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    // Not a valid email
    $error_msg = '<p class="error">The email address you entered is not valid.</p>';
echo $error_msg;
exit;

}

/* ===================== not really needed, just querying ======================= */

$checkemail = mysqli_real_escape_string($con, $_POST['email']);

$query = "SELECT * FROM yourTable WHERE email = '".$checkemail."'";

$result = mysqli_query($con, $query) or die(mysqli_error($con));

if (mysqli_num_rows($result) > 0) {

   echo $checkemail . " already exists in DB";
   exit;
}

    $name = stripslashes($_POST['name']);
    $name = mysqli_real_escape_string($con, $_POST['name']);
    $email = mysqli_real_escape_string($con, $_POST['email']);

$sql = mysqli_prepare($con, "INSERT INTO yourTable 
                         (id, name, email)
                          VALUES (null,?,?)");
    $sql->bind_param("ss", $name, $email);
    $sql->execute();

if($sql){
   echo "Success!";
}

}

else{
echo "Fill in all fields.";
}

Reference(s):

@JRameshFernandez No, you cannot mix `mysql_` functions with any other MySQL API. What I've provided is a full solution, you just need to replace the `xxx` in the DB connection codes with your own and the other parts for your form etc. — Funk Forty Niner, May 24 '15 at 15:29
@JRameshFernandez I have to leave for a while, so if you have any problems, let me know and I'll see if I can help you when I return. — Funk Forty Niner, May 24 '15 at 15:30

score 1 · Accepted Answer · answered May 24 '15 at 15:04

There is nothing special about the & character in a string in php.

The only way you can get the result you get (everything after the & is not stored...), is when you send the data to your php script and you are building the data string manually without encoding it properly.

If you use javascript to make your POST request, you would need to encode your values using encodeURIComponent() before you add them to the query string.

If you use php (cURL for example) to make your POST request, you need urlencode() to correctly encode the value before you add it to the query string.

And to store any string with any kind of characters in a database, the recommended method is to use a prepared statement with bound parameters. However, that does not seem to have anything to do with your problem.

Thank you, I'll try it in my project asap. – J Ramesh Fernandez May 24 '15 at 15:07 — J Ramesh Fernandez, May 24 '15 at 15:07

score 0 · Answer 3 · answered May 24 '15 at 14:50

0

Have you tried using HTML Entities?

&amp; = $

Info about all the Entities: http://www.w3schools.com/html/html_entities.asp

answered May 24 '15 at 14:50

inubs

478
2
15

1

OP: *"I have already checked with htmlentities, htmlspecialchars, mysql_real_escape_string but nothing helped me."* - Read the question again. Plus, `& = $` - `&` stands for "ampersand" `&`. *""Hello my name is john `&` my native is chennai""* – Funk Forty Niner May 24 '15 at 14:50
yes i tried and i have mentioned it in my question itself – J Ramesh Fernandez May 24 '15 at 15:08

How to store input text value or text area value with & symbol and special characters?

3 Answers3