I have a registration system which requests a user's name. Some people have an apostrophe in their surname (e.g. O'Hare) and it's preventing the data from being written to the MySQL database table.
I am using mysql_real_escape_string which is removing the apostrophe from the string. This would be fine except I need to use the value with the apostrophe against a Web Service, otherwise the Web Service will return false.
I was thinking I could do the name check with the Web Service before using mysql_real_escape_string, but could this present a security flaw? Or do SOAP Web Services already do their own checks for clean inputs?
Or is there a better way of passing through the variable whereby PHP retains the apostrophe but still keeps it secure and MySQL can accept it?
You should show us some code, because mysql_real_escape_string will not remove an apostrophe, but only escape it. O'Hare will become O\'Hare so that it can be inserted as a string: 'O\'Hare'. Upon retrieval from the database, your value should still be the original.
So, if the apostrophe is 'lost' there is likely an error somewhere else in your program logic.
The other option is to switch from using the MySQL library to the MySQLi or PDO library for accessing your database. The latter two support prepared statements. Prepared statements are generally thought of as being the best practice for querying your database.
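To make the two points above concrete, here is an added example (not code from the question or from this answer) that stores a surname containing an apostrophe first with the legacy ext/mysql escaping and then with a PDO prepared statement, and keeps the raw value for the web service call. It assumes a database named `registration` with a table `users(id, surname)`, placeholder credentials, a PHP 5.x build where ext/mysql still exists (it was removed in PHP 7), and a hypothetical `$soapClient->checkName()` method standing in for the asker's SOAP call.

```php
<?php
// Added example, not part of the original question or answers.
// Assumed: database `registration`, table `users(id INT AUTO_INCREMENT, surname VARCHAR(255)).
// DB_USER / DB_PASSWORD are placeholders.

$surname = "O'Hare";   // constructed sample input as typed by the user

// 1. Legacy ext/mysql (PHP 5 only): escaping needs an open connection, and it does
//    not remove the quote, it prefixes it with a backslash so the SQL literal stays valid.
$link = mysql_connect('localhost', 'DB_USER', 'DB_PASSWORD') or die(mysql_error());
mysql_select_db('registration', $link) or die(mysql_error($link));
$escaped = mysql_real_escape_string($surname, $link);           // O\'Hare
$sql = "INSERT INTO users (surname) VALUES ('" . $escaped . "')";
mysql_query($sql, $link) or die(mysql_error($link));
// $surname itself is untouched here; only $escaped carries the backslash.

// 2. PDO prepared statement: the value is sent separately from the SQL text,
//    so no escaping is needed and the apostrophe is stored exactly as entered.
$pdo = new PDO('mysql:host=localhost;dbname=registration;charset=utf8',
               'DB_USER', 'DB_PASSWORD');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);   // real server-side prepares
$insert = $pdo->prepare('INSERT INTO users (surname) VALUES (:surname)');
$insert->execute(array(':surname' => $surname));

// 3. Read it back: the stored value compares equal to the original string,
//    which is the check to run if the apostrophe seems to be "lost".
$select = $pdo->prepare('SELECT surname FROM users WHERE surname = :surname');
$select->execute(array(':surname' => $surname));
$stored = $select->fetchColumn();
if ($stored !== $surname) {
    error_log("Surname round-trip mismatch: stored=" . var_export($stored, true));
}

// 4. The web service receives the raw, unescaped value. Escaping is a property of
//    the SQL boundary, not of the data, so it is applied only where the SQL is built.
// $result = $soapClient->checkName($surname);   // hypothetical SOAP method
```

If the round-trip check in step 3 fails while using prepared statements, the apostrophe is being altered somewhere other than the database layer (for example by a second escaping pass, `addslashes`, or legacy magic quotes on the input), which is where to look next.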
mysql_real_escape_string() will not remove apostrophes.
Your problem is likely on the output side, or some other function messing with the input.
You need to have a database connection open before you use mysql_real_escape_string or it will malfunction.