canceling out apostrophes from text used to update database.

[Russia]

Hello, im trying to update my database with a paragraph of text in a texbox.

 

The thing is my paragraph has apostrophes

 

Look:

In the run up to the return of the Wilderness, we've released a new wallpaper depicting a green dragon, plus a couple of 'getting started' guides about the Wilderness and free trade.

 

It doesn't want to update my table and it shows the old paragraph.

 

Here is how my update database looks like.

 

<?php
if (isset($_POST['Submit'])) { 
for($i=0;$i<$count;$i++){
$month = $_POST['month'];
$date = $_POST['date'];
$message = $_POST['message'];



$title = $_POST['title'];
$monthday = $month[$i]."<br>".$date[$i];
$sql1="UPDATE $tbl_name SET monthday='$monthday', month='$month[$i]', date='$date[$i]', message='$message[$i]', title='$title[$i]' WHERE id='$id[$i]'";
$result1 = mysql_query($sql1);
} 
header("location:update2.php");
}
?>

 

 

Can someone show me to to make it add the strip slashes to the $message variable.

 

Thanks Alot!

[Pikachu2000]

Since you're using MySQL, string type data needs to be escaped with mysql_real_escape_string

[Russia]

Iv tried it but it updates the table with the letter 'A'...

 

Can you show me the proper way of using it.

[Pikachu2000]

You first need to have already established the connection to your database, then you simply use it like any other function.

 

// db connection stuff already done by this point

$message = mysql_real_escape_string($_POST['message']);

[Russia]

I did it and now it just clears the value in the database

 

It makes it blank instead of keeping the old value.

 

Is there anything else I can do or use?

[Pikachu2000]

Looking at your code I can tell there's nothing in the variable anyhow. What's the for() loop supposed to be doing? Without seeing the form and more of the code, it's really hard to tell what's going on there. Post the current code.

[Russia]

Here Il post the whole code.

 

 
<?php
mysql_connect("localhost", "", "")or die("cannot connect");
mysql_select_db("test")or die("cannot select DB");

$tbl_name="test_mysql";
$sql="SELECT * FROM $tbl_name";
$result=mysql_query($sql);

$count=mysql_num_rows($result);
?>
<form name="form1" method="post" action="">
<tr>
<td>
<table width="100%" border="0" cellspacing="1" cellpadding="0">

<tr>
<td align="center"><strong>Row</strong></td>
<td align="center"><strong>Month  Date</strong></td>
<td align="center"><strong>Message</strong></td>
<td align="center"><strong>Title</strong></td>
</tr>
<?php
while($rows=mysql_fetch_array($result)){
?>
<tr>
<td align="center"><?php $id[]=$rows['id']; ?><?php echo $rows['id']; ?></td>
<td align="center"><input name="month[]" MAXLENGTH="3" size="3" type="text" id="month" value="<?php echo $rows['month']; ?>">
               <input name="date[]" MAXLENGTH="2" size="2" type="text" id="date" value="<?php echo $rows['date']; ?>">
</td>
<td align="center"><input name="message[]" size="125" type="text" id="message" value="<?php echo $rows['message']; ?>"></td>
<td align="center"><input name="title[]"  size="50"  type="text" id="title" value="<?php echo $rows['title']; ?>"></td>
</tr>
<?php
}
?>
<tr>

<td colspan="4" align="center"><br><input type="submit" name="Submit" value="Submit"></td>
</tr>
</table>
</td>
</tr>
</form>

<hr>

<?php
if (isset($_POST['Submit'])) { 
for($i=0;$i<$count;$i++){
$month = $_POST['month'];
$date = $_POST['date'];



$message = $_POST['message'];



$title = $_POST['title'];
$monthday = $month[$i]."<br>".$date[$i];
$sql1="UPDATE $tbl_name SET monthday='$monthday', month='$month[$i]', date='$date[$i]', message='$message[$i]', title='$title[$i]' WHERE id='$id[$i]'";
$result1 = mysql_query($sql1);
} 
header("location:update2.php");
}
?>   

[Russia]

Here is a video I made of what the problem is...

 

Its on youtube: 

 

Please look

[Russia]

Any luck my friends?

[BlueSkyIS]

i suspect the problem is with the display of the data in HTML. you'll need to format it properly or it will break HTML tags, including form elements. you probably need htmlspecialchars();

 

http://php.net/manual/en/function.htmlspecialchars.php

 

here is how I use it:

 

$sql = "SELECT some_text_field FROM some_table LIMIT 1";
$result = mysql_query($sql) or die(mysql_error());
list($some_text_field) = mysql_fetch_row($result);

// Display a form field or any HTML with this data:
$some_text_field = htmlspecialchars($some_text_field, ENT_QUOTES);
echo "<input type='text' name='some_text_field' value='$some_text_field' size='50'>";

[Pikachu2000]

From watching your video, I can now see you were using mysql_real_escape_string() on an array. It won't work like that. You need to use it on each string value in the query, or use it in combination with array_map.

 

So:

$sql1="UPDATE $tbl_name SET 
monthday='$monthday', 
month='$month[$i]', 
date='$date[$i]', 
message='" . mysql_real_escape_string($message[$i]) . "', 
title='" . mysql_real_escape_string($title[$i]) . "' 
WHERE 
id='$id[$i]'";