giving mysql error when using value with '

Question

I have written a query

mysql_query("insert into db_manufacturer(mfgName) values('$manufacturer')"

when $manufacturer = ram's or sam's etc then it is giving sql error, how to overcome this error. If I am using "" then in the db inserting the variable not the variable value.

[**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://stackoverflow.com/a/14110189/1723893). — NullPoiиteя, Jan 14 '13 at 07:09

score 2 · Answer 1 · edited May 23 '17 at 12:27

 mysql_query("insert into db_manufacturer(mfgName) values('$manufacturer')")

and when $manufacturer is "ram's" it will be like

 mysql_query("insert into db_manufacturer(mfgName) values('ram's')")

This is broken as the value closing delimiter appears twice; that is, there are an odd number of single quotemarks.

now solution

mysql_query("
  INSERT INTO db_manufacturer
    (mfgName)
  VALUES
    ('".mysql_real_escape_string($manufacturer)."')
");

A good, easy, scalable and safe approach is to use parameterized queries. The parameters for such queries are called bind variables.

Good Read

Note

The entire ext/mysql PHP extension, which provides all functions named with the prefix mysql_, is officially deprecated as of PHP v5.5.0 and will be removed in the future. So use either PDO or MySQLi

Good read

score 1 · Answer 2 · answered Jan 14 '13 at 06:29

1

$manufacturer = mysql_real_escape_string($manufacturer);
mysql_query("insert into db_manufacturer(mfgName) values('$manufacturer')";

answered Jan 14 '13 at 06:29

Hanky Panky

46,730
8
72
95

1

forget mysql_.Use mysqli_ or PDO – Techy Jan 14 '13 at 06:32
1

That does not warrant a downvote. It perfectly "answers" what was being asked. We can "recommend" someone to use mysqli or PDO but we cannot force them to change their solution just based upon a question, imo. – Hanky Panky Jan 14 '13 at 06:34
is it really good to use singleton ? – NullPoiиteя Jan 14 '13 at 07:09

score 1 · Answer 3 · edited May 23 '17 at 12:27

1

$manufacturer = mysql_real_escape_string($manufacturer);
mysql_query("insert into db_manufacturer(mfgName) values('$manufacturer')"

mysql_real_escape_string

but i Recommend to use either PDO or MySQLI.

Here's a great article:

How to prevent SQL injection in PHP?

edited May 23 '17 at 12:27

Community

1
1

answered Jan 14 '13 at 06:29

John Woo

258,903
69
498
492

forget mysql_.Use mysqli_ or PDO – Techy Jan 14 '13 at 06:33
@AnazA did you read what's written below? – John Woo Jan 14 '13 at 06:35
may i ask why use singleton ? – NullPoiиteя Jan 14 '13 at 07:10

score 0 · Answer 4 · answered Jan 14 '13 at 06:29

0

Use mysql_real_escape_string which escapes special characters in a string for use in an SQL statement

$manufacturer = mysql_real_escape_string($manufacturer);

More details:

http://php.net/manual/en/function.mysql-real-escape-string.php

answered Jan 14 '13 at 06:29

J.K.A.

7,272
25
94
163

forget mysql_.Use mysqli_ or PDO – Techy Jan 14 '13 at 06:31
@AnazA : Is this comment for me? – J.K.A. Jan 14 '13 at 06:33

score 0 · Answer 5 · answered Jan 14 '13 at 06:30

0

It is deprecated but you are looking for mysql_real_escape_string.

but forget mysql_ and learn PDO, it is much safer.

answered Jan 14 '13 at 06:30

Zevi Sternlicht

5,399
19
31

giving mysql error when using value with '

5 Answers5

Note