3

I want to have a dropdown from MySQL data where I want `<option value ='and acode ='Aircraft1''>`, including the two single quotes to pass it into a query. I'm including backslash already but it's not working. What's wrong with my code?

```php
<?php
$asql = "SELECT * FROM aircraft";
$aresult = mysql_query($asql);
?>
Aircraft:
<select name="aircraft">
<option value="and (acode = 'RP-C1086' or acode='RP-C1728')" checked/>All</option>
<?php while($arow=mysql_fetch_array($aresult))
{
  echo "<option value='and acode=\'".$arow['reg']."\''>".$arow['reg']."</option>";
} ?>
</select>
```
Prix
xjshiya
  • First you must quit using mysql_* as it is deprecated, then you should learn about prepared statements to prevent injection. Use mysqli or PDO! And instead of `echo "";` use `echo "";` – Prix May 30 '13 at 01:01

1 Answer

5

From the MySQL manual:

There are several ways to include quote characters within a string:

  • A “'” inside a string quoted with “'” may be written as “''”.

  • A “"” inside a string quoted with “"” may be written as “""”.

  • Precede the quote character by an escape character (“\”).

  • A “'” inside a string quoted with “"” needs no special treatment and need not be doubled or escaped. In the same way, “"” inside a string quoted with “'” needs no special treatment.

When coding in PHP, remember to use `\\` in a string literal to get a single `\` in the string value.

If you want to escape the quote in an HTML attribute, replace the ' with &quot;. Alternatively, quote the attribute value with ". These are the techniques to use regardless of where the string value came from. See this thread.

Community
Ted Hopp
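An added example, not part of the question or the answer above: the comment's suggestion of prepared statements, applied to this dropdown. The option value carries only the registration (HTML-escaped with `htmlspecialchars`), and the server builds the `WHERE` clause itself and binds the value. It assumes PDO with the SQLite driver as a stand-in for MySQL; the `flights` table, its rows and the function names are hypothetical.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions: PDO + in-memory SQLite stands in for MySQL; the `flights`
// table, the sample rows and both function names are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE aircraft (reg TEXT PRIMARY KEY)");
$pdo->exec("CREATE TABLE flights (id INTEGER PRIMARY KEY, acode TEXT)");
$pdo->exec("INSERT INTO aircraft VALUES ('RP-C1086'), ('RP-C1728'), ('O''Hare-1')");
$pdo->exec("INSERT INTO flights (acode) VALUES ('RP-C1086'), ('RP-C1728'), ('RP-C1086')");

// Render the dropdown: the value is the plain registration, never SQL text.
function renderAircraftSelect(PDO $pdo): string
{
    $html = "<select name=\"aircraft\">\n<option value=\"\" selected>All</option>\n";
    foreach ($pdo->query("SELECT reg FROM aircraft ORDER BY reg") as $row) {
        // ENT_QUOTES escapes both ' and " so any attribute quoting is safe.
        $reg = htmlspecialchars($row['reg'], ENT_QUOTES, 'UTF-8');
        $html .= "<option value=\"$reg\">$reg</option>\n";
    }
    return $html . "</select>\n";
}

// Handle the submitted value: the SQL is fixed, the value is a bound parameter.
function findFlights(PDO $pdo, string $aircraft): array
{
    if ($aircraft === '') { // the "All" option
        $sql = "SELECT id, acode FROM flights WHERE acode IN (SELECT reg FROM aircraft)";
        return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    }
    $stmt = $pdo->prepare("SELECT id, acode FROM flights WHERE acode = ?");
    $stmt->execute([$aircraft]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo renderAircraftSelect($pdo);
echo count(findFlights($pdo, 'RP-C1086')), "\n";
// A value containing quotes is compared as data, not parsed as SQL.
echo count(findFlights($pdo, "RP-C1086' or '1'='1")), "\n";
```

With this layout no quote ever needs escaping for SQL, because the browser never sends a SQL fragment.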