
Whenever I submit a form to the database it runs this bit:

```php
<?php
include('connect.php'); // provides $link, the mysqli connection

// Escape each submitted value for use inside a quoted SQL string literal.
$title      = mysqli_real_escape_string($link, $_POST['title']);
$subtitle   = mysqli_real_escape_string($link, $_POST['subtitle']);
$etad       = mysqli_real_escape_string($link, $_POST['etad']);
$author     = mysqli_real_escape_string($link, $_POST['author']);
$Author_URL = mysqli_real_escape_string($link, $_POST['Author_URL']);
$URL        = mysqli_real_escape_string($link, $_POST['URL']);

// Build the INSERT by concatenating the escaped values into the SQL text.
$sql = "INSERT INTO posts (title, subtitle, etad, author, Author_URL, URL) VALUES ('"
     . $title . "', '" . $subtitle . "', '" . $etad . "', '"
     . $author . "', '" . $Author_URL . "', '" . $URL . "')";

if (!mysqli_query($link, $sql)) {
    die('Error: ' . mysqli_error($link));
}

// Redirect back to the index page; nothing may have been output before this.
header("Location: https://www.atheistunlimited.com/beta/index.php?post=success");
?>
```

But if I try to store a word with an apostrophe it gets distorted (e.g. Don't turns into Don’t).

How would I be able to securely store and retrieve strings with an apostrophe?

  • That is an encoding issue. That is probably an MS quote, not a standard quote. Is your table UTF8, and is your connection UTF8? – chris85 Apr 17 '18 at 16:54
  • Don't rely on the `real_escape_string()` functions to prevent SQL injection, [they alone are not sufficient](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string). You should use prepared statements with bound parameters, via either [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php). [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Apr 17 '18 at 16:56
  • I was about to write what you wrote @chris85, you basically took the words right outta me mouth. – Funk Forty Niner Apr 17 '18 at 16:56
  • *"How would I be able to securely store and retrieve strings with an apostrophe?"* - That "bit" makes this post too broad. – Funk Forty Niner Apr 17 '18 at 16:59
  • As @AlexHowansky somewhat alluded to in his comment, prepared statements are your friend here. – Powerlord Apr 17 '18 at 17:29
  • I changed my connection and my table to UTF8 and it fixed my problem. – Devon Stuper Apr 17 '18 at 17:50
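One way to apply both pieces of advice from the comments (a UTF-8 connection and a prepared statement with bound parameters), written as an added example rather than the asker's code. It assumes `connect.php` defines `$link` as an open mysqli object, that the `posts` columns use utf8mb4, and that the table has an AUTO_INCREMENT `id` column (an assumption; the question does not show the schema).

```php
<?php
// Added example, not the asker's code: the same INSERT done with a UTF-8
// connection and placeholders, then the row read back. Assumes connect.php
// defines $link (mysqli) and posts has an AUTO_INCREMENT id column.
include('connect.php');

// Report mysqli failures as exceptions instead of checking each return value.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Tell the client library which encoding it sends and receives. Setting this
// per connection (and matching it on the table) is what stops a curly quote
// from being stored as "’".
$link->set_charset('utf8mb4');

$title      = $_POST['title']      ?? '';
$subtitle   = $_POST['subtitle']   ?? '';
$etad       = $_POST['etad']       ?? '';
$author     = $_POST['author']     ?? '';
$Author_URL = $_POST['Author_URL'] ?? '';
$URL        = $_POST['URL']        ?? '';

// Placeholders keep user input out of the SQL text: an apostrophe in $title
// is sent as data, so there is nothing to escape and nothing to break.
$stmt = $link->prepare(
    'INSERT INTO posts (title, subtitle, etad, author, Author_URL, URL)
     VALUES (?, ?, ?, ?, ?, ?)'
);
$stmt->bind_param('ssssss', $title, $subtitle, $etad, $author, $Author_URL, $URL);
$stmt->execute();
$newId = $link->insert_id;
$stmt->close();

// Retrieve the row the same way; the value comes back exactly as submitted.
$stmt = $link->prepare('SELECT title FROM posts WHERE id = ?');
$stmt->bind_param('i', $newId);
$stmt->execute();
$stmt->bind_result($storedTitle);
$stmt->fetch();
$stmt->close();

// Escape for the context you output into (HTML here), not for SQL.
echo htmlspecialchars($storedTitle, ENT_QUOTES, 'UTF-8');
```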
