
I'm having a weird issue for the last couple of weeks that I just can't figure out.

I have a textarea that's triggered on a KeyUp to push its contents to an insert page through jQuery Ajax like so:

// Fires on every key release inside any .dbDriven element and sends the
// current contents to dbUpdate.inc.php; jQuery serialises the data object
// into the query string for the GET request.
$('body').on('keyup', '.dbDriven', function() {
    var val = $(this).val();

    $.ajax({
        url: '/dbUpdate.inc.php',
        type: 'GET',
        data: { val: val }
    }).done(function (data) {
        console.log(data);
    });
});

On the dbUpdate.inc.php I do this:

<?php
// Escapes the raw GET value, then builds the UPDATE by string concatenation
// (this is the behaviour the question is about; $b is set elsewhere in the real code).
$value = mysql_real_escape_string($_GET['val']);

$query = "UPDATE table SET column = '".$value."' WHERE a = ".$b;
mysql_query($query) or die(mysql_error());
?>

It all works perfectly, as it should: all text gets updated in the right column in the right row. It only keeps throwing a syntax error when I have a single quotation mark ('), which should be escaped by mysql_real_escape_string (addslashes doesn't work either). Am I missing something, or is there any weird behaviour I should be looking for?

Code isn't actual production code, but simplified for this post.

4 Comments

  • Where do you initialize $b in your update request? Commented Apr 4, 2014 at 12:57
  • Shouldn't $b be covered by single quotes to make the SQL query become: UPDATE table SET column = '$value' WHERE a = '$b'. Without the single quotes, your SQL query is incomplete. Commented Apr 4, 2014 at 13:01
  • The WHERE statement is simplified to save some unnecessary code; it doesn't work like that in real life. Commented Apr 4, 2014 at 13:14
  • It actually doesn't occur on Chrome but does on Safari, so it seems like it's not a server-side problem but a client-side issue. Safari can't send GET variables with quotes? Is there any way to work around this? Commented Apr 4, 2014 at 14:13

3 Answers

mysql_query is deprecated; with mysqli or PDO you won't bother with this kind of issue.


2 Comments

It's kind of an answer: using PDO or mysqli will solve his problem.
More a hint than a solution, though.

Better to add addslashes

$value = addslashes($_GET['val']);

Then you can go for the escape string

mysql_real_escape_string($value);

Keep in mind that mysql_* functions are deprecated so better you use mysqli_* functions or PDO statements.

3 Comments

And mysql_* functions are deprecated; use mysqli instead.
@Brovoker I have added it in my answer... you commented while I was typing. Anyway, thanks for the suggestion.
Adding addslashes doesn't make much of a difference. Changed to mysqli, but that doesn't help either. I need to read up on PDO before implementing that, but this issue should be solvable through mysqli_query, right?

I advise you to use PDO, specifically the prepared statement.

// Both the new value and the row selector are bound as parameters, so the
// SQL text never contains user data and no quoting or escaping is needed.
$sql = 'UPDATE table SET column = :value WHERE a = :a';
$sth = $dbh->prepare($sql);
$sth->execute(array(':value' => $_GET['val'], ':a' => $b));

Find more info on PDO and the prepare statement: http://www.php.net/manual/en/pdo.prepare.php

2 Comments

Great! Thanks, I will look into that, but I can't implement this right away; I'll need to read up on this first. I should still be able to solve this problem using mysqli, right?
PDO and MySQLi try to achieve quite the same thing. There's a nice compact comparison between both on http://code.tutsplus.com/tutorials/pdo-vs-mysqli-which-should-you-use--net-24059
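The prepared-statement approach from the answer above, worked through as an added example that is not part of the question or any answer. It uses an in-memory SQLite database so it runs offline with plain php-cli; the table name `t`, the columns `col` and `a`, the row id and the input string are constructed sample values, and only the DSN would change for MySQL.

```php
<?php
// Added example: the question's UPDATE rewritten as a PDO prepared statement.
// Assumed schema (constructed for this demo): table t(a INTEGER, col TEXT).

function updateColumn(PDO $dbh, string $value, int $rowId): int
{
    // Placeholders keep the data out of the SQL text, so a single quote
    // (or an injection fragment) in $value cannot alter the statement.
    $sth = $dbh->prepare('UPDATE t SET col = :value WHERE a = :a');
    $sth->execute([':value' => $value, ':a' => $rowId]);
    return $sth->rowCount();
}

$dbh = new PDO('sqlite::memory:');
// Throw on SQL errors instead of the question's "or die(mysql_error())".
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$dbh->exec('CREATE TABLE t (a INTEGER PRIMARY KEY, col TEXT)');
$dbh->exec("INSERT INTO t (a, col) VALUES (1, 'before')");

// Constructed input standing in for $_GET['val']: it contains the single
// quote that broke the concatenated query in the question.
$input = "it's ' OR 1=1 --";
$changed = updateColumn($dbh, $input, 1);

// Read the row back: the value is stored literally, quote included,
// and exactly one row was touched.
$stored = $dbh->query('SELECT col FROM t WHERE a = 1')->fetchColumn();
echo ($changed === 1 && $stored === $input) ? "stored intact\n" : "mismatch\n";
```

Run with `php example.php`; it needs the pdo_sqlite extension, which ships with most PHP builds.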
