Apostrophe issue

I have built a search engine using php and mysql.

Problem: When I submit a word with an apostrophe in it and return the value to the text field using $_GET the apostrophe has been replaced with a backslash and all characters after the apostrophe are missing.

Example: Submitted Words: Just can't get enough

Returned Value (Using $_GET): Just can\

Also the url c开发者_C百科omes up like this:search=just+can%27t+get+enough

As you can see the ' has been replaced with a \ and get enough is missing.

Question: Does anybody know what causes this to happen and what is the solution to fix this problem?

The code: http://tinypaste.com/11d62

If you're running PHP version less than 5.3.0, the slash might be added by the Magic Quotes which you can turn off in the .ini file.

From your description of "value to the text field" I speculate you have some output code like this:

 Redisplay
 <input value='<?=$_GET['search']?>'>

In that case the contained single quote will terminate the html attribute. And anything behind the single quote is simply garbage to the browser. In this case applying htmlspecialchars to the output helps.

(The backslash is likely due to magic_quotes or mysql_*_escape before outputting the text. I doubt the question describes a database error here.)

Update: It seems it's indeed an output problem here:

  echo "<a href='searchmusic.php?search=$search&s=$next'>Next</a>";

Regardless of if you use single or double quotes you would need:

  echo "<a href='searchmusic.php?search="
      . htmlspecialchars(stripslashes($search))
      . "&s=$next'>Next</a>";

(Notice that using stripslashes is a workaround here. You should preserve the original search text, or disable the magic_quotes rather.)

Okay I forgot something crucial. htmlspecialchars needs the ENT_QUOTES parameter - always, and in your case particularly:

// prepare for later output:
$search = $_GET['search'];
$html_search = htmlspecialchars(stripslashes($search), ENT_QUOTES);

And then use that whereever you wanted to display $search before:

  echo "<a href='searchmusic.php?search=$html_search&s=$next'>Next</a>";

Single quotes are important in PHP and MySQL.

A single quote is a delimeter for a string in PHP, for example:

$str = 'my string';

If you want to include a literal quote inside a string you must tell PHP that the quote is not the end of the string. It is escaped with the backslash, for example:

$str = 'my string with a quote \' inside it';

See PHP Strings for more on this.

MySQL operates in a similar way. An example query might be:

$username = 'andyb';
$quert = "SELECT * FROM users WHERE user_name = '$username'";

The single quote delimits the string parameter. If the $username included a single quote, this would cause the query to end prematurely. Correctly escaping parameters is an important concept to be familiar with as it is one attack vector for breaking into a database - see SQL Injection for more information.

One way to handle this escaping is with mysql_real_escape_string().