Apostrophe Frustrations

Associate
Joined
28 Dec 2002
Posts
2,400
Location
Northern Ireland
Hey guys,
Each time I try to use the form below to add something to a MySQL database it doesn't work; I have figured out that it doesn't like apostrophes and won't add anything to the database with one in it.

Form Code:
PHP:
 <link rel="stylesheet" href="http://code.jquery.com/ui/1.10.3/themes/smoothness/jquery-ui.css" />
  <!-- jQuery itself has to be loaded before jQuery UI, otherwise $ is undefined when jquery-ui.js runs -->
  <script src="http://code.jquery.com/jquery-1.9.1.js"></script>
  <script src="http://code.jquery.com/ui/1.10.3/jquery-ui.js"></script>
 

  <script>


  function focusTextBox(){
  var a=2;
 var tb = document.getElementById('datepicker');
 if(a==2){
 $(document).ready(function() {
    $( "#datepicker" ).datepicker({ minDate: 0, maxDate: "+18M +0D", showOtherMonths: true,
      selectOtherMonths: true, dayNamesMin: ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'],showButtonPanel: true, dateFormat: 'yy-mm-dd' });
  });
}else{

 $(document).ready(function() {
    $( "#datepicker" ).datepicker({ minDate: 1, maxDate: "+18M +0D", dateFormat: 'yy-mm-dd' });
  });

}
 tb.focus();



}
  </script>
<?

//header('Refresh: 20');
$username="*";
$password="*";
$database="*";
$localhost="*";

$editor = "
<option value='phil'>Phil Hopper</option>
<option value='robyn'>Robyn Adamson</option>
<option value='patrick'>Patrick O'Kane</option>
<option value='andrew.robinson'>Andrew Robinson</option>
<option value='Other'>Other</option>
";

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>

</head>

<body>

<form id="form1" name="form1" method="post" action="insert_project.php">

<table width="200" border="1">
  <tr>
    <td>Project Name</td>
    <td><input type='text' name='project_name' value='' /></td>
  </tr>
  <tr>
    <td>Client Name</td>
    <td><input type='text' name='client_name' value='' /></td>
  </tr>
  <tr>
    <td>Client Contact Number</td>
    <td><input type='text' name='client_tel' value='' /></td>
  </tr>
  <tr>
    <td>Client Email</td>
    <td><input type='text' name='client_email' value='' /></td>
  </tr>
  <tr>
    <td>Short Project Description</td>
    <td><textarea name="description" cols="17" rows="5"></textarea></td>
  </tr>
  <tr>
    <td>Logos</td>
    <td><input type='text' name='logos' value='' /></td>
  </tr>
  <tr>
    <td>Deadline</td>
    <td>
      <div data-role="fieldcontain">
        <input type="date" name="deadline" id="deadline" />
      </div>
    </td>
  </tr>
  <tr>
    <td>BNL Deadline</td>
    <td>
      <div data-role="fieldcontain">
        <input type="date" name="bnl" id="bnl" />
      </div>
    </td>
  </tr>
  <tr>
    <td>Project Manager</td>
    <td><input type='text' name='manager' value='' /></td>
  </tr>
  <tr>
    <td>Filming</td>
    <td><input type='text' name='filiming' value='' /></td>
  </tr>
  <tr>
    <td>Editor</td>
    <td>
      <select name="editor" id="editor">
        <option value=""></option>
        <? echo "$editor"?>
      </select>
    </td>
  </tr>
  <tr>
    <td>Dropbox Folder</td>
    <td><input type='text' name='dropboxfolder' value='' /></td>
  </tr>
  <tr>
    <td>Music Theme</td>
    <td><input type='text' name='music' value='' /></td>
  </tr>
  <tr>
    <td>Songs per project</td>
    <td><input type='text' name='songs' value='' /></td>
  </tr>
  <tr>
    <td>Clients expected time</td>
    <td><input type='text' name='client_time' value='' /></td>
  </tr>
  <tr>
    <td>Expected Outcome</td>
    <td><input type='text' name='outcome' value='' /></td>
  </tr>
  <tr>
    <td>Notes</td>
    <td><textarea name="notes" cols="17" rows="5"></textarea></td>
  </tr>
</table>
<? mysql_close();?>
<input type="submit" name="Submit" id="Submit" value="Submit" />
</form>

</body>
</html>

I was recommended to add this code to fix the issue but it doesn't work either.

PHP:
function mysql_real_escape_array($array) {
    foreach ($array as $key => $value) {
      if (is_array($value)) $array[$key] = mysql_real_escape_array($value);
      else $array[$key] = mysql_real_escape_string($value);
    }
    return $array;
  }

  if (!empty($_GET)) $_GET = mysql_real_escape_array($_GET);
  if (!empty($_POST)) $_POST = mysql_real_escape_array($_POST);
  if (!empty($_REQUEST)) $_REQUEST = mysql_real_escape_array($_REQUEST);

Just hoping someone can help me out guys as it's driving me nuts
 
Soldato
Joined
3 Jun 2005
Posts
3,117
Location
The South
Hey guys,
.... it doesn't work...

What doesn't work? What errors are you receiving? And as Jestar mentions, it helps to post the code where the errors are being produced (likely insert_project.php).

But I suspect it's MySQL that is throwing the errors, in which case you can either bodge it using htmlspecialchars(), escaping etc. (you shouldn't be using magic quotes, it's massively flawed, hence why it's deprecated and has been removed from newer versions of PHP) or, as mentioned in your previous thread, switch to using prepared statements (PDO/MySQLi).
 
Soldato
Joined
18 Oct 2002
Posts
15,411
Location
The land of milk & beans
I remember when I was a junior, if I ever said 'it doesn't work' without an explanation of what I had attempted I got shot in the back of the head with a nerf gun.

You will learn, one way or the other, to always investigate your issues before raising them with others.
 
Associate
OP
Joined
28 Dec 2002
Posts
2,400
Location
Northern Ireland
Sorry for the delay in replying guys, there are no errors coming up, it simply fails to post the information into the database. I have included the code from the insert_project.php file below.

PHP:
<?
$project_name = $_POST['project_name']; 
$client_name = $_POST['client_name'];
$client_tel = $_POST['client_tel'];
$client_email = $_POST['client_email'];
$description = $_POST['description'];
$logos = $_POST['logos'];
$deadline = $_POST['deadline'];
$bnl = $_POST['bnl'];
$manager = $_POST['manager'];
$filiming = $_POST['filiming'];
$editor = $_POST['editor'];
$dropboxfolder = $_POST['dropboxfolder'];
$music = $_POST['music'];
$songs = $_POST['songs'];
$client_time = $_POST['client_time'];
$outcome = $_POST['outcome'];
$notes = $_POST['notes'];

error_reporting(E_ALL);
ini_set('display_errors', '1');


//header('Refresh: 20');
$username="*";
$password="*";
$database="*";
$localhost="*";

mysql_connect($localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");


$query_insert = "INSERT INTO projects VALUES ('$project_name','$client_name','$client_tel','$client_email','$description','$logos','$deadline','$bnl','$manager','$filiming','$dropboxfolder','$editor','$music','$songs','$client_time','$outcome','$notes')";
mysql_query($query_insert);  

$to = "[email protected]";
$subject = "$project_name";

$message = "$manager has filled in the Project form.\n
Project Name:       $project_name\n
Client Name:        $client_name\n
Client telephone:   $client_tel\n
Client Email:       $client_email\n
Description:        $description\n
Logos:              $logos\n
Client deadline:    $deadline\n
BNL deadline:       $bnl\n
Project Manager:    $manager\n
Filming:            $filiming\n
Dropbox Folder:     $dropboxfolder\n
Music:              $music\n
No. Songs:          $songs\n
Client time:        $client_time\n
Expected Outcome:   $outcome\n
Notes:              $notes\n
";

$from = "[email protected]";
$headers = "From:" . $from;
mail($to,$subject,$message,$headers);


mysql_close();

header( 'Location: index.php' ) ;
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
</head>

<body>

</body>
</html>
 
Soldato
Joined
3 Jun 2005
Posts
3,117
Location
The South
Have you checked the PHP error log?
Similarly, have you echo'd/print'd (i.e. print $query_insert;) the SQL query, checked it for errors and run it manually on MySQL (using phpMyAdmin or similar)?

As said though, it's likely to be a query issue and switching to PDO/MySQLi and using prepared statements will massively help with that.

On another note, it's worth also checking and logging the output of the mail() function in the event that it doesn't send/errors-out.
 
Associate
Joined
21 May 2013
Posts
1,991
PLEASE never try to poke random input into your DB by building up a query string. Whilst being a pretty significant security risk it also quickly becomes a mess and impossible to debug.

You can find a pretty good guide for getting started with PDO here: http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

The section on prepared statements should be particularly useful, and always make sure to disable prepared statement emulation (PDO::ATTR_EMULATE_PREPARES) because otherwise you'd be throwing away a lot of the security benefits.
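To put the advice from the last three replies in one place (prepared statements, checking for query errors, and checking what mail() returns), here is what the data-handling part of insert_project.php looks like rewritten with PDO. This is an added example, not code from the thread or any poster. It assumes the projects table has columns named the same as the form fields (the original INSERT relied on column order instead), keeps the thread's `*` and `[email protected]` placeholders, and disables PDO::ATTR_EMULATE_PREPARES so the values are sent to the server separately from the SQL text, which is why an apostrophe in "Patrick O'Kane" can no longer end the string literal early.

```php
<?php
// Added example: insert_project.php with PDO prepared statements.
// Assumption: the `projects` table has one column per form field listed in $fields.
declare(strict_types=1);

error_reporting(E_ALL);
ini_set('display_errors', '0'); // database errors go to the log, never to the browser
ini_set('log_errors', '1');

// Placeholder credentials, as in the thread.
$dsn      = 'mysql:host=localhost;dbname=*;charset=utf8mb4';
$username = '*';
$password = '*';

// The form fields, in the same order as the original INSERT.
$fields = ['project_name', 'client_name', 'client_tel', 'client_email', 'description',
           'logos', 'deadline', 'bnl', 'manager', 'filiming', 'dropboxfolder', 'editor',
           'music', 'songs', 'client_time', 'outcome', 'notes'];

// Collect the posted values; a missing field becomes '' instead of an undefined-index notice.
$row = [];
foreach ($fields as $f) {
    $row[$f] = isset($_POST[$f]) ? (string) $_POST[$f] : '';
}

try {
    $pdo = new PDO($dsn, $username, $password, [
        // A failed query throws instead of silently returning false (the original
        // never checked mysql_query()'s result, so nothing was ever reported).
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: the SQL is parsed before any value is bound,
        // so user input can never change the statement's structure.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

    // Explicit column list plus one named placeholder per field:
    // INSERT INTO projects (project_name, ...) VALUES (:project_name, ...)
    $columns      = implode(', ', $fields);
    $placeholders = ':' . implode(', :', $fields);
    $stmt = $pdo->prepare("INSERT INTO projects ($columns) VALUES ($placeholders)");
    $stmt->execute($row); // array keys match the placeholder names
} catch (PDOException $e) {
    // Log the real cause for the developer, show the user a generic message.
    error_log('insert_project.php: database error: ' . $e->getMessage());
    http_response_code(500);
    exit('Sorry, the project could not be saved.');
}

// Notification mail. Header values must not contain line breaks, so strip them
// from the user-supplied subject before it is handed to mail().
$to      = '[email protected]'; // placeholder from the thread
$subject = str_replace(["\r", "\n"], ' ', $row['project_name']);
$lines   = [$row['manager'] . ' has filled in the Project form.'];
foreach ($fields as $f) {
    $lines[] = str_pad($f . ':', 16) . $row[$f];
}
$headers = 'From: [email protected]';

// mail() only reports whether the message was accepted for delivery; log when it was not.
if (!mail($to, $subject, implode("\n", $lines), $headers)) {
    error_log('insert_project.php: mail() returned false for project "' . $subject . '"');
}

header('Location: index.php');
exit;
```

With ERRMODE_EXCEPTION on, the "it doesn't work" symptom from the first post becomes a logged PDOException message stating exactly which part of the statement MySQL rejected, which is the check the earlier reply asked for; with emulation off, the apostrophe case simply stops being a failure at all.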
 