Error in MySQL syntax when trying to pass use the ' symbol when contained within data

Question

Possible Duplicates:
How can I prevent SQL injection in PHP?
Unable post text to MySQL using "Insert Into"

When passing Movie titles into MySQL database using PHP, I get this error:

You have an error in your SQL syntax; check the manual that corresponds to your 
MySQL server version for the right syntax to use near 's Dreams' )' at line 10

Here is my code:

//Getting a list of all the users friends
$MyFriends=$facebook->api('/me/friends');

//Loop through friends array to identify each friend
$c=0;
while ($c<count($MyFriends['data']))
{
    $N=$MyFriends['data'][$c]['name'];
    $I=$MyFriends['data'][$c]['id'];
    mysql_query("INSERT INTO UserFriends
    (
        UserFBID, 
        FriendFBID,
        DisplayName
    ) VALUES
    (
        '$FBID', 
        '$I',
        '$N'
    ) ") or die(mysql_error()); 

    //Getting a list of friends each movie likes
    $friendId = "/" . $I . "/movies";
    $myFriendsMovies=$facebook->api($friendId);

    //Loop through to identify each movie
    $x=0;
    while ($x<count($myFriendsMovies['data']))
    {
        $r = $myFriendsMovies['data'][$x]['id'];
        $s = $myFriendsMovies['data'][$x]['name'];
        mysql_query("INSERT INTO LinkedMovies 
        (
            UserFBID, 
            MovieFBID,
            MovieName
        ) VALUES
        (
            '$I', 
            '$r',
            '$s'
        ) ") or die(mysql_error());         
        $x=$x+1;
    }
    $c=$c+1;
}

It seems the variable $s has picked up the movie 'Akira Kurosawa's Dreams' and keeps bombing out of the loop, with the above error.

Answer 1

$N=$MyFriends['data'][$c]['name'];

Should be:

$N = mysql_real_escape_string($MyFriends['data'][$c]['name']); // sanitize the data, do this for all external data input

Also:

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

Answer 2

You should use code like following mysql_real_escape_string function for safe sql queries and escape string before execute sql queries

//Getting a list of all the users friends
$MyFriends=$facebook->api('/me/friends');

//Loop through friends array to identify each friend
$c=0;
while ($c<count($MyFriends['data']))
{
    $N=mysql_real_escape_string( $MyFriends['data'][$c]['name'] );
    $I=mysql_real_escape_string( $MyFriends['data'][$c]['id'] );
    mysql_query("INSERT INTO UserFriends
    (
        UserFBID, 
        FriendFBID,
        DisplayName
    ) VALUES
    (
        '$FBID', 
        '$I',
        '$N'
    ) ") or die(mysql_error()); 

    //Getting a list of friends each movie likes
    $friendId = "/" . $I . "/movies";
    $myFriendsMovies=$facebook->api($friendId);

    //Loop through to identify each movie
    $x=0;
    while ($x<count($myFriendsMovies['data']))
    {
        $r = mysql_real_escape_string( $myFriendsMovies['data'][$x]['id'] );
        $s = mysql_real_escape_string( $myFriendsMovies['data'][$x]['name']);
        mysql_query("INSERT INTO LinkedMovies 
        (
            UserFBID, 
            MovieFBID,
            MovieName
        ) VALUES
        (
            '$I', 
            '$r',
            '$s'
        ) ") or die(mysql_error());         
        $x=$x+1;
    }
    $c=$c+1;
}