
I just learned I had magic_quotes_gpc on (much to my chagrin). I turned that off.

My database connection is made prior to this query. I have the following:

// Escape each request value so it can sit inside single quotes in the SQL text
$subject = mysqli_real_escape_string($link, $_POST["subject"]);
$body = mysqli_real_escape_string($link, $_POST["body"]);
$id = mysqli_real_escape_string($link, $_POST["id"]);

// Interpolate the escaped values into the query string
mysqli_query($link, "UPDATE press SET press_title = '$subject', press_release = '$body' WHERE press_id = '$id'") or die( mysqli_error($link) );

With magic quotes on, this works fine. Once I turn it off, single quotes jam up the works (with a MySQL syntax error at the quote). I thought I understood the concept but I must be missing something. Can someone explain what I'm doing wrong?

UPDATE

Error spit out by MySQL: you have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's what she said' at line 1

UPDATE #2 Here's the echoed query:

UPDATE press SET press_title = \'That\'s what she said\', press_release = \'That\'s what she said again!\' WHERE press_id = \'513\'
  • What's the syntax error? Commented Nov 23, 2013 at 6:10
  • Also show the final SQL query string. Commented Nov 23, 2013 at 6:11
  • @ThorpeObazee I've updated my original post. Commented Nov 23, 2013 at 6:14
  • Can you echo the query? Commented Nov 23, 2013 at 6:15
  • Read about mysqli_prepare() and mysqli_stmt_bind_param() at php.net. Commented Nov 23, 2013 at 6:23

1 Answer

Use a parametrized query:

// Prepare once with placeholders; the values never become part of the SQL text, so no escaping is needed
$stmt = mysqli_prepare($link, "UPDATE press SET press_title = ?, press_release = ? WHERE press_id = ?") or die(mysqli_error($link));
// "ssi": bind subject and body as strings and id as an integer, matching the placeholders left to right
mysqli_stmt_bind_param($stmt, "ssi", $_POST['subject'], $_POST['body'], $_POST['id']);
mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));

Manual
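As an added example (not part of the answer above or the asker's code), here is the same UPDATE done as a prepared statement with error handling and an affected-row count, plus a helper that undoes magic_quotes_gpc on legacy PHP: bound parameters need no escaping, so any backslashes magic quotes added to the request data would otherwise be stored literally. The connection details are placeholders, the names rawInput and updatePressRelease are chosen here, and the sample values are the ones from the question.

```php
<?php
declare(strict_types=1);

// Undo the backslashes magic_quotes_gpc adds to request data on old PHP.
// On PHP 5.4+ get_magic_quotes_gpc() returns false; on PHP 8 it no longer exists.
function rawInput(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Update one press release through a prepared statement. The values travel to the
// server separately from the SQL text, so quotes in $subject or $body cannot break
// the statement and must not be escaped. Returns the number of rows changed.
function updatePressRelease(mysqli $link, string $subject, string $body, int $id): int
{
    $sql = 'UPDATE press SET press_title = ?, press_release = ? WHERE press_id = ?';
    $stmt = mysqli_prepare($link, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($link));
    }
    // "ssi": two strings and one integer, matching the placeholders left to right
    mysqli_stmt_bind_param($stmt, 'ssi', $subject, $body, $id);
    if (!mysqli_stmt_execute($stmt)) {
        $err = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        throw new RuntimeException('execute failed: ' . $err);
    }
    $affected = (int) mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $affected;
}

// Placeholder credentials (assumption): replace with your own connection details
$link = mysqli_connect('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($link === false) {
    die('connect failed: ' . mysqli_connect_error());
}

// Fall back to the values from the question when the script is run without a POST body
$subject = rawInput($_POST['subject'] ?? "That's what she said");
$body    = rawInput($_POST['body'] ?? "That's what she said again!");
$id      = (int) rawInput($_POST['id'] ?? '513');

$rows = updatePressRelease($link, $subject, $body, $id);
echo "rows changed: $rows\n";
```

The stripslashes step only runs when magic quotes are actually on; on a server where they are off (or on any PHP 5.4 or later) it is a no-op, so the same script behaves identically in both environments and the apostrophes in the sample values reach the database unchanged.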


1 Comment

It specifies that the types of the parameters are string, string, and integer. Isn't that clear from the documentation?
