I have a form processed with PHP. It contains a field for Notes about the client job. The problem is that if there is a ' within in the notes - such as it's, O'Reilly, that's etc, it escapes the string in the database, so I have all of the notes up until it encounters the ' then that's the end of the notes.
I realise there are things like mysqli_ and PDO, but it's the busy season at the moment and I could just do with quickly fixing this before doing a complete update/overhaul in January.
Any idea why it isn't working? Code included. It doesn't matter where I put the mysql_real_escape_string(), it doesn't work anywhere.
FYI: The table column is TEXT. And there are a couple of other fields hence the foreach
// SELECTS AND CONNECTS TO SERVER/DB
include_once('config/db.inc.php');
// CONVERT ALL $_POST['name'] to $name and clean/prep for mysql insertion
foreach($_POST as $key => $value ) {
$$key = mysql_real_escape_string($value);
}
// UPDATE CLIENT JOB NOTES
$query = "UPDATE client_list SET bookingNotes='$bookingNotes' WHERE id='$CID'";
mysql_query($query, $conn) or die(mysql_error());
TIA
Edit for the responses below:
$bookingNotes and $CID are define by the form variables $_POST['bookingNotes'] and $_POST['CID'] where the foreach essentially removes the "_POST" part. (that's the whole $$key = $value part)
As mentioned, I appreciate mysqli_ and PDO but am currently unable to learn, update and implement those system wide at the moment. This runs locally and my current version of PHP 5.4.1 supports the function. I understand PDO is better, but for now that is not an option so please don't belittle me with "do it properly" or "learn how to code". That isn't the issue at hand.
I know what's happening and where and why - mysql is treating the ' as and end of the string. But I don't know why it's happening when I believe the function should escape the ' and allow it into the database.
To surmise, this is what happens.
"Today is very grey and it's raining" is entered into the form as $bookingNotes. The script then inputs that into the TEXT column of the database. But what appears in the database is;
"Today is very grey and it"
TIA and Thanks for the responses so far.
Thank you to everyone with helpful input.
It's fixed now, I honestly don't know how.
I removed the '' on the SQL statement (WHERE bookingNotes='bookingNotes') to force an error.
I also checked (echoed) the contents of $bookingNotes, which was the POST data AFTER mysql_real_escape_string() and it had the full string with apostrophes escaped (slashed)
I removed the echo, put the SQL back, and it all worked as it should / as expected.
I backed up the script before I started working, I have since compared the "new" working one with the original one that failed and they are exactly the same, no missing characters or extra/missing whitespace, exactly the same. o_O
So I don't know what happened there!
Thanks for the input anyway.