PHP - A Simple Query With Single And Double Quote Problem

I am trying to do the seemingly simple thing - replace all single quotes in text

str_replace ("'", "´", $text);

It does not replace anything.

I trying escaping single quote, using other similar functions - nope. Also tried to google

What I an doing wrong? Any help would ne much appreciated.

I am making a simple script for my friend that uses mod_rewrite, but for testing I don't use the mod_rewrite link.

The page is video.php
The extension is ?title=

I have having a problem when I type the title with a Single Quote in it(').
Example.
video.php?title=The-Sorcerer's-Apprentice
I have str_replace for the dash(-) to be replaced as a space, so that's not the problem. Here's my code.


<?php
if($_GET) {
$title="{$_GET['title']}";
$title = str_replace('_', ' ', $title);
$title = str_replace('-', ' ', $title);
if ($list = mysql_query("SELECT * FROM videos WHERE title='". mysql_real_escape_string($title) ."'") or die (mysql_error())); {
if(mysql_num_rows($list) > 0){
if (mysql_num_rows($list)) {
while($videos=mysql_fetch_array($list)) {
?>
<div id="content">
<center><h3><?php echo $videos['title']; ?></h3>
<object width="640" height="385"><param name="movie" value="<?php echo $videos['youtubelink']; ?>"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="<?php echo $videos['youtubelink']; ?>" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object>
<br/><br/><a onclick="javascript:history.go(-1)" href="#">Go Back</a>
</center>
</div>
<?php 
}
}
}
?>

I have a form that people can fill out, and then it echos the string, however right now they can't use single quotes. Below is how I have it settup.
Code: [Select]
$side = '<p>About Me:</p>
<ul>
    <li>Birth Date: October, 23rd, 2010</li>
    <li>Hometown: Rapid City, SD</li>
    <li>Height: 4\'</li>
    <li>Weight: 50lbs</li>
    <li>Foot Size: 4</li>
    <li>Favorite Movie: All of the Shrek Movies!</li>
    <li>Favorite Book: Winnie the Pooh Series</li>
    <li>Favorite Cartoon Character: Eeyore or Donkey from Shrek!</li>
    <li>Favorite TV Show: Anything on Animal Planet!</li>
    <li>Favorite Food: Hay</li>
    <li>Favorite Pro Sports Team: Rapid City Rush</li>
    <li>Favorite Mascot:  Nugget, of course!</li>
    <li>Favorite Game: Donkey Kong!<br />
    &nbsp;</li>
</ul>';
      if ($side != NULL){
         echo "<div class=\"grid_6\" id=\"tertiary\">
         $side
      </div>";
      }else{
 
  }
And I would be able to use $side = "whatever I want to write"; because then they would still need to escape the double quotes with \" if they wanted to put in a link or anything. How do I do this with allowing them to just use single quotes when they enter their data so they don't have to \' (escape the single quote)?

Thanks

This will have been posted before, but I can't find a solution that works.  Most people say to try mysql_real_escape_string, I have tried lots of variations and it doesn't seem to work.

Could anyone help with the below code?  It is part of a form that returns a syntax error when adding a single quotation mark e.g. entering "Bryan's" into the form causes the error.

I'd be really grateful for any assistance.

Steven

P.S. Before anyone mentions it, the mysql connect does work - I just haven't included the full page of code.

Code: [Select]

mysql_connect($dbserver, $dbusername, $dbpassword);
mysql_select_db($dbname);

$sitetitle = htmlentities($_POST[sitetitle]);

$query = mysql_query("UPDATE site_settings SET sitetitle = '$sitetitle'");

echo("<b>Settings Updated!</b>");

Hi,

I am able to parse php variable in double quote but not in single quote.

How can I parse in single quote.

Following example shows 2 results and I want same result in both.

First Name :    Zohaib
First Name :    $firstname

Code: [Select]
// Connecting, selecting database
$link = mysql_connect('localhost', 'root', 'password');
mysql_select_db('dbname');

// Performing SQL query
$query = 'SELECT first_name FROM tablename';
$result = mysql_query($query);

// Printing results in HTML
while ($row = mysql_fetch_assoc($result)) {
$firstname=$row['first_name'];
}

echo"<table>
<tr>
<td>First Name : </td>
<td>$firstname</td>
</tr></table>";

echo'<table>
<tr>
<td>First Name : </td>
<td>$firstname</td>
</tr></table>';
What are the changes I need to do to achieve same result.

Any solution ?

- Thanks.

Hi
I have a simple form and when the user submits, php is putting a \ before every single quote entered in the field. So for example, if a user enters O'Neill, once i do
$lastName = $_POST["lastname"];

$lastName comes back as: O\'Neill

is there some way I can turn this off?

for print html : What's Better, Faster and Optimized ?!?

Code: [Select]
echo "<tr height=\"22\">
    <form action = \"{$URL}/admin/edit.php\" method=\"POST\">
      <input type=\"hidden\" name=\"login\">
      <td width=\"15%\" bgcolor=\"$bgcolor\">&nbsp;<input type = \"text\" name = \"login\" value=" . $f['login'] . "></td>
      <td width=\"15%\" bgcolor=\"$bgcolor\">&nbsp; <input type = \"password\" name = \"password\" value=" . $f['pass'] . "> </td>
    </form>
        </tr>";

With PHP Method 2 : ( single )

Code: [Select]
echo ' <tr><form action = "' . URL . '/admin/editadmins.php" method="POST"> ';
 echo ' <td align="left" valign="top"><input type = "text" name = "login" value = "' . $f['login'] . '"></td>';
 echo ' <td align="left" valign="top"><input type = "password" name = "password" value = "' . $f['pass'] . '"></td></form></tr>';

Method 3 : (With Html And Php echo )

Code: [Select]
<tr height="22">
<form action = "../admin/editadmins.php" method="POST">
<td align="left" valign="top"><input type = "text" name = "login" value = "<?PHP echo $f['login']; ?>"></td>
<td align="left" valign="top"><input type = "text" name = "password" value = "<?PHP echo $f['pass']; ?>"></td>
</form>
<tr>
Thanks.

Hi ppl,

I have problem in preparing the sql statement which requires attribrute from another sql statement.

This is the scenario as in PHP code.

$sql1="SELECT attrb1 from table1";

$sql2="SELECT attrb2 fromt table2 where attrb3=".$sql['attrb1']";

What and where is the correct placement of these s'quotes or d'quotes should be?

Please help.
Thank you.

Hey,

If i have a string which contains numbers and symbols... such as 1:2:4  (its not always : for the symbol it changes)


Is there a function that can convert the numbers that are 9 or less to have a 0 infront of them such as:

01:02:04

(also this is not timestamp format - just normal strings)

I have:
{$content['size']} inside Code: [Select]
echo "";
I had to switch the quotes around because I added something else that required me to do so, so it now sits at this:
{$content["size"]} inside Code: [Select]
echo '';
Before I made the quote switch, it was echoing "Large", which is correct. Now after the switch, it echo's "{$content["id"]} ". Why?!
I've tried 567568758654 different combinations of quotes and removing {} and stuff but non of them fix it. I don't even see why its suddenly not even echoing! All I did was quote reverse!

I have a navigation list displaying which is a mix of html and php, everything is working fine however now I want to convert this block of code into a function but am having major problems with quotes.

The line of code I currently have is 

$data = $db->query("SELECT * FROM menu")->fetchAll(PDO::FETCH_ASSOC);

foreach ($data as $row) { ?>
     <li><a href="<?php echo $row['url']; ?>" title="<?php echo $row['title']; ?>"><?php echo $row['icon'] . ' ' . $row['header']; ?></a></li>

<?php
	}
?>

As I say everything works using the above but now I am trying to echo the full li out and am having major issues with single and double quotes.

I currently have 

echo "<li><a href='#' title='the title'><i class='fas fa-user site-nav--icon'></i> Help</a></li>";

Now I am trying to use the $row['url'], $row['title'], $row['icon'] & $row['header'] as per the top example but I cannot get the combination of quote marks correct, whether to use double, single or a combination.

I would be grateful if someone could suggest the correct syntax for the a tag then I can work through the rest.

Thanks

SQLITE has syntax like

' WHERE MATCH ( 'colname : "one two" )' 
 //My pdo sql query 
$sql .= MATCH 'colname : "?" )'; $pdo->bindValue(1,$text);`

But Pdo placeholders can't have quotes around them. So this does not work. I tried a million variations of the placeholder syntax "?" "" ? "" """ ? """ \" ? \" . But nothing works.

Errors I get : General error: 1 near "?" | 25 column index out of range . Also for this query : MATCH  ( names: ? AND categoryids: ? ) , the error is: `General error: 1 unrecognized token: ":"`

Would really love some help here.. Thanks

Edited March 29, 2019 by requinix
removing bad styling

Hi --

This query seems to be problematic because the UPDATE is not being performed.  Could you please take a gander and let me know what is the problem?

BTW, the table "teamy" does contain 630 records.  Thanks in advance!

$sql = "SELECT COUNT( * ) AS records FROM teamy" ;
$result = mysql_query( $sql ) ;
if ( ! $result )
{ die ( __line__ . "_teamy_" . mysql_error() ) ; }

$a_count = mysql_fetch_assoc($result);
if ( $a_count['records'] = 0 )
{
   echo "No records found in teamy." ;
}
else
{ 
   /*** Update r_rost_rma ***/
   $sql = "UPDATE r_rost_rma 
             JOIN teamy
               ON r_rost_rma.student_id = teamy.student_id
              SET r_rost_rma.teachername = teamy.team
            WHERE RTRIM( UPPER( r_rost_rma.localcourse ) ) = 'HOMEROOM'" ;

   $result = mysql_query ( $sql ) ;
   if ( ! $result )
   { die ( __line__ . "_update_r_rost_rma_" . mysql_error() ) ; }
}

I'm building a query that searches by database and returns matching (or almost matching) terms.  That part isn't the problem- I have it up and working.  The problem is that I'm trying to narrow down the search results, and it's not working.

Here's the query that works:
Code: [Select]
$result = mysql_query("SELECT * FROM auctions WHERE  name LIKE '%".$searchterm."%' OR Address LIKE '%".$searchterm."%' OR state like '%".$searchterm."%'");
Here's the query that DOESN'T works:
Code: [Select]
$result = mysql_query("SELECT * FROM auctions WHERE type='Cars' AND  name LIKE '%".$searchterm."%' OR Address LIKE '%".$searchterm."%' OR state like '%".$searchterm."%'");
What I'm trying to do is say "give me all the results from type:Cars.  Instead, it ignores the WHERE type='Cars' statement, and returns results for all types.  It frustrates me because I use the same exact query in a thousand other places, and it works everywhere else.  For example:

Code: [Select]
$sql = "SELECT * FROM auctions WHERE type='Boats' AND state='$v4' ORDER BY $v1 $v2";
works just fine.  I'm not exactly an expert on any of this, but I can see no logical reason why this works, but the Search code doesn't.  They appear in all ways identical, at least as far as query structure goes.  Can anyone spot where I screwed up?
Thanks!
Kyle

Hi,

I have written some code however when I echo the query it runs it twice...

Quote

SELECT `description`, `fulldescription` FROM `productdbase` WHERE `keywords` LIKE '%table%'something found.SELECT `description`, `fulldescription` FROM `productdbase` WHERE `keywords` LIKE '%table%'something found.


I only have the query once in my code. Any suggesions?

Code: [Select]
<?php
if (isset($_POST['keywords'])){
 $keywords = mysql_real_escape_string (htmlentities(trim($_POST['keywords'])));
}

$errors = array();

if (empty($keywords)) {
$errors[] = 'Please enter a search term';
} else if (strlen($keywords)<3) {
$errors[] = 'Your search must be three or more characters';
} else if (search_results($keywords) === false) {
$errors[] = 'Your search for '.$keywords.' returned no results';
}

if (empty($errors)) {

search_results ($keywords);

} else{
foreach($errors as $error) {
echo $error, '</br>';
}
}


    ?>


<?php
function search_results ($keywords) {
$returned_results = array();
$where = "";

$keywords = preg_split('/[\s]+/', $keywords);
$total_keywords = count($keywords);

foreach($keywords as $key=>$keyword) {
$where .= "`keywords` LIKE '%$keyword%'";
if ($key != ($total_keywords - 1)) {
$where .= " AND ";

}
}

$query_string = "SELECT `description`, `fulldescription`  FROM `productdbase` WHERE $where";
echo $query_string;
$query = mysql_query($query_string);



if ($results_num === 0) {
return false;
}else{
echo 'something found.';
}




}
?>