
My PHP form submit to MySQL doesn't work if there is a single quotation mark in the text

Here is my html page:

<form method="post">
<input type="hidden" name="user" readonly="readonly" value="<?php echo $session->username;?>">
<input placeholder="TAS Code" class="input-text" type="text" name="customerCode" id="name" />
<textarea placeholder="Comments" style="width: 500px;" wrap="hard" class="input-text" name="comments" id="email"></textarea>
<input type="submit" value="Submit" class="btn-u btn-u-small" name="submit" id="comment-submit" />
</form>

Here is the JavaScript to run web.php on submit:

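$(document).ready(function() {
    $('form').submit(function(msg) {
        // Send the serialized form fields to web.php via POST
        $.post("web.php", $(this).serialize(), function(data) {
        });
        // Clear every form on the page after submitting
        $('form').each(function() {
            this.reset();
        });
        // Prevent the browser's default (full-page) form submission
        return false;
    });
});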

And finally, here is my web.php to process the form content:

$mysqli =mysqli_connect("localhost","pf_sales","pfsal3s","pf_sales");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
$webbox = $_POST['web'];
 $codebox=$_POST['customerCode'];
 $commentbox=$_POST['comments'];
 $discount=$_POST['discount'];
 $task=$_POST['taskbox'];
 $clear=$_POST['clearbox'];
  $user=$_POST['user'];


if ($codebox !="" && $commentbox !="" && $webbox!="" && $discount!="")
{
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET web = ('$_POST[web]'),discount=('$_POST[discount]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
if ($codebox !="" && $commentbox !="" && $webbox!="")
{
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET web = ('$_POST[web]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
if ($codebox !="" && $commentbox !="" && $task!="")
{
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET taskFor=('$_POST[taskbox]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
else if ($codebox!="" && $commentbox!="" && $user!="")
 {
    $query ="INSERT INTO commentstable (user, customerCode, comments) VALUES ('$_POST[user]', '$_POST[customerCode]', '$_POST[comments]');";
    if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());

}
 $mysqli->close();
 }

 else if ($codebox!="" && $webbox!="" )
 {
    $query ="UPDATE webdiscount SET web = ('$_POST[web]') where customerCode = ('$_POST[customerCode]');";
    if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());

}
 $mysqli->close();
 }
 else if ($codebox!="" && $discount!="" )
 {
    $query ="UPDATE webdiscount SET discount=('$_POST[discount]') where customerCode = ('$_POST[customerCode]'); ";
    if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());

}
 $mysqli->close();
 }
else if ($codebox !="" && $task!="")
{

$query = "UPDATE webdiscount SET taskFor=('$_POST[taskbox]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
else if ($codebox !="" && $clear=="done")
{

$query = "UPDATE webdiscount SET taskFor='' where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}

So when we put in a TAS code and comments, it should update the comments table. It works fine as long as we don't use a single quotation mark ' in the text, i.e. if we write "We didn't do this" then the form doesn't update the database.

Any help will be much appreciated. Thanks

The problem is that you pass unescaped single quotes to your SQL query. For instance, if $_POST['customerCode'] contains "We didn't do this", your query will look like:

INSERT INTO commentstable (customerCode, comments) VALUES ('We didn't do this', '…')

You see the extra quote that mangles your SQL statement? You can prevent this by using mysqli::real_escape_string or better, by switching to prepared statements. Your query will look like this:

$query = "INSERT INTO commentstable (customerCode, comments) VALUES (?, ?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param('is', $_POST['customerCode'], $_POST['comments']);
$stmt->execute();

BTW, you should really check if those POST variables are present using isset or empty, otherwise you'll get an error if those are not passed.
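
An added example, not part of the original answers: the first branch of web.php (comment insert plus web/discount update) rewritten with mysqli prepared statements in place of string-built multi_query calls. The credentials are placeholders, post_field() is a hypothetical helper, every column is bound as a string because the page does not show the schema, and the transaction assumes InnoDB tables.

```php
<?php
// Added example: web.php's INSERT/UPDATE rewritten with mysqli prepared statements.
// Assumptions: placeholder credentials; every column is bound as a string ('s')
// because the page does not show the schema.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Hypothetical helper: trimmed POST value, or '' when the field was not sent.
function post_field(string $name): string
{
    return isset($_POST[$name]) && is_string($_POST[$name]) ? trim($_POST[$name]) : '';
}

$mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
$mysqli->set_charset('utf8mb4');

$code     = post_field('customerCode');
$comments = post_field('comments');
$web      = post_field('web');
$discount = post_field('discount');

if ($code === '') {
    http_response_code(400);
    exit('customerCode is required');
}

$mysqli->begin_transaction();
try {
    if ($comments !== '') {
        // The ? markers are sent separately from the SQL text, so a value such as
        // "We didn't do this" is stored verbatim and cannot change the statement.
        $stmt = $mysqli->prepare('INSERT INTO commentstable (customerCode, comments) VALUES (?, ?)');
        $stmt->bind_param('ss', $code, $comments);
        $stmt->execute();
        $stmt->close();
    }
    if ($web !== '' && $discount !== '') {
        $stmt = $mysqli->prepare('UPDATE webdiscount SET web = ?, discount = ? WHERE customerCode = ?');
        $stmt->bind_param('sss', $web, $discount, $code);
        $stmt->execute();
        $stmt->close();
    }
    $mysqli->commit();
} catch (mysqli_sql_exception $e) {
    $mysqli->rollback();
    error_log($e->getMessage()); // log server-side, do not echo SQL errors
    http_response_code(500);
}
$mysqli->close();
```

Running each statement through prepare() also removes the need for multi_query(), which executes several statements from one string and so widens the impact of any unescaped quote in the concatenated input.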

Use mysqli_real_escape_string()

$comments = mysqli_real_escape_string($mysqli, $_POST['comments']);
$customerCode = mysqli_real_escape_string($mysqli, $_POST['customerCode']);
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$customerCode', '$comments');";

$web = mysqli_real_escape_string($mysqli, $_POST['web']);
$discount = mysqli_real_escape_string($mysqli, $_POST['discount']);
$query .= "UPDATE webdiscount SET web = ('$web'),discount=('$discount') where customerCode = ('$customerCode');";

Use mysqli_real_escape_string() Read this

So the code would be

$codebox=mysqli_real_escape_string($mysqli, $_POST['customerCode']);

etc...
