Monday, 3 September 2018

My php submit to mysql form does not work if there is a single quote between the text

Here is my html page:

<form method="post">
<input type="hidden" name="user" readonly="readonly" value="<?php echo $session->username;?>">
<input placeholder="TAS Code" class="input-text" type="text" name="customerCode" id="name" />
<textarea type="text" placeholder="Comments" style="width: 500px;" wrap="hard" class="input-text" name="comments" id="email"/></textarea>
<input type="submit" value="Submit" class="btn-u btn-u-small" name="submit" id="comment-submit" />
</form>
Here is Java script to run web.php on submit
$(document).ready(function() {
$('form').submit(function(msg) {
    $.post("web.php",$(this).serialize(),function(data){
    });
    $( 'form' ).each(function(){
this.reset();
});
return false;
and finally here is my web.php to process the form content.
$mysqli =mysqli_connect("localhost","pf_sales","pfsal3s","pf_sales");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
$webbox = $_POST['web'];
 $codebox=$_POST['customerCode'];
 $commentbox=$_POST['comments'];
 $discount=$_POST['discount'];
 $task=$_POST['taskbox'];
 $clear=$_POST['clearbox'];
  $user=$_POST['user'];

if ($codebox !="" && $commentbox !="" && $webbox!="" && $discount!="")
{
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET web = ('$_POST[web]'),discount=('$_POST[discount]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
if ($codebox !="" && $commentbox !="" && $webbox!="")
{
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET web = ('$_POST[web]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
if ($codebox !="" && $commentbox !="" && $task!="")
{
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET taskFor=('$_POST[taskbox]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
else if ($codebox!="" && $commentbox!="" && $user!="")
 {
    $query ="INSERT INTO commentstable (user, customerCode, comments) VALUES ('$_POST[user]', '$_POST[customerCode]', '$_POST[comments]');";
    if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());

}
 $mysqli->close();
 }

 else if ($codebox!="" && $webbox!="" )
 {
    $query ="UPDATE webdiscount SET web = ('$_POST[web]') where customerCode = ('$_POST[customerCode]');";
    if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());

}
 $mysqli->close();
 }
 else if ($codebox!="" && $discount!="" )
 {
    $query ="UPDATE webdiscount SET discount=('$_POST[discount]') where customerCode = ('$_POST[customerCode]'); ";
    if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());

}
 $mysqli->close();
 }
else if ($codebox !="" && $task!="")
{

$query = "UPDATE webdiscount SET taskFor=('$_POST[taskbox]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
else if ($codebox !="" && $clear=="done")
{

$query = "UPDATE webdiscount SET taskFor='' where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
So when we put TAScode and comments it should update the comments table. It is working fine as long we don't use single quotation ' in text. i.e. if we write "We didn't do this" then form doesn't update database.
Any help will be much appreciated. Thanks
Use mysqli_real_escape_string()
$comments = mysqli_real_escape_string($mysqli, $_POST['comments']);
$customerCode = mysqli_real_escape_string($mysqli, $_POST['customerCode']);
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$customerCode', '$comments');";

$web = mysqli_real_escape_string($mysqli, $_POST['web']);
$discount = mysqli_real_escape_string($mysqli, $_POST['discount']);
$query .= "UPDATE webdiscount SET web = ('$web'),discount=('$discount') where customerCode = ('$customerCode');";

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)