-1

I am trying to insert a paragraph (which contains a single quote in the middle) into the database as below.

$rule="**Mobile's** are not allowed into the room...................soon";


mysql_query("insert into table_name (rule) values('$rule')");

While executing the query, that paragraph is not inserted. I have also tried it directly in MySQL using the SQL option. There it showed an error.

Any suggestions..?

Thanks

Sree ram

4 Answers

1

Some questions to make you think:

  1. What do double quotes (") mean in PHP?

  2. What is their effect on a string which contains a variable?

  3. What is "input sanitation"?

  4. What is "character escaping"?

  5. What is PDO?

Also, and most importantly:

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

Zoe
STT LCU
1

The best way to handle such a thing is to use the PDO extension or MySQLi. They are designed to prevent SQL injection.

Example of using PDO:

$rule = "**Mobile's** are not allowed into the room...................soon";
$stmt = $pdo->prepare("insert into table_name (rule) values(:rule)");
$stmt->execute(array(':rule' => $rule));

The best link that I can give that explains how bad the query is that breaks when a value contains single quotes:

Community
John Woo
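The difference between the question's interpolated query and the prepared statement in the answer above, as an added example that is not part of any post on this page. It assumes an in-memory SQLite database through PDO so that it runs without a MySQL server; the helper names `insert_interpolated` and `insert_prepared` and all sample strings are constructed for illustration.

```php
<?php
// Added example. Assumption: in-memory SQLite stands in for MySQL so this runs
// offline; with MySQL only the DSN passed to new PDO(...) changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE table_name (id INTEGER PRIMARY KEY, rule TEXT)');

// Interpolated query, as in the question: the value becomes part of the SQL text.
function insert_interpolated(PDO $pdo, string $rule): bool {
    try {
        $pdo->exec("insert into table_name (rule) values('$rule')");
        return true;
    } catch (PDOException $e) {
        return false; // reached when an apostrophe closes the SQL literal early
    }
}

// Prepared statement: the SQL text is fixed and the value is bound separately.
function insert_prepared(PDO $pdo, string $rule): int {
    $stmt = $pdo->prepare('insert into table_name (rule) values(:rule)');
    $stmt->execute([':rule' => $rule]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample values; the first follows the wording used in the question.
$samples = [
    "Mobile's are not allowed into the room",
    'Say "please" and it\'s fine',
    "Back\\slash and 100% _literal_",
];

$read = $pdo->prepare('SELECT rule FROM table_name WHERE id = :id');
foreach ($samples as $rule) {
    $ok = insert_interpolated($pdo, $rule);
    $id = insert_prepared($pdo, $rule);
    // Read the bound value back and compare it byte for byte with the input.
    $read->execute([':id' => $id]);
    $stored = $read->fetchColumn();
    printf("%-42s interpolated=%s prepared_roundtrip=%s\n",
        $rule, $ok ? 'ok' : 'FAILED', $stored === $rule ? 'ok' : 'MISMATCH');
}
```

The interpolated insert only succeeds for values that happen to contain no apostrophe, while the bound parameter stores every value unchanged.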
0

Use

$rule = mysql_real_escape_string("**Mobile's** are not allowed into the room...................soon");
Orangepill
0

You may use mysql_real_escape_string() before sending values to the MySQL database table. Please check this link: http://php.net/manual/en/function.mysql-real-escape-string.php

$rule="**Mobile's** are not allowed into the room...................soon";
$rule1=mysql_real_escape_string($rule);
mysql_query("insert into table_name (rule) values('$rule1')");
Rajeev Ranjan