
I have the following insert statement. It works fine if the PName doesn't contain a (') value, but when the text contains ('), the query returns a syntax error. Any idea how to fix this? Many thanks.

$queryinsert = "INSERT INTO CART (CartPID, CartPName, CartPrice,CartCustID, CartDate) values ( $pid, '$PName', $PPrice, $CustID, (NOW()))";
user2649074

1 Answer


You need to escape your inputs before saving them in your database. For example, with mysql_real_escape_string.

$PName = mysql_real_escape_string($PName);

$queryinsert = "INSERT INTO CART (CartPID, CartPName, CartPrice,CartCustID, CartDate) values ( $pid, '$PName', $PPrice, $CustID, (NOW()))";

This kind of situation can lead to SQL injection; you should check this topic. The first thing to do is to move to prepared statements, which will save you some headache with SQL injection prevention.

Maxime Lorant
  • And that's the least of your worries. There are a bunch of important reasons why you should escape, or move to parameterized queries – Hanky Panky Aug 18 '13 at 14:11
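The prepared-statement approach the answer recommends, as an added example that is not part of the original answer or the asker's code: the same INSERT from the question rewritten with a mysqli prepared statement, so a single quote in the product name is sent as data and can neither break the SQL nor change its meaning. The table and column names are the ones in the question; the connection credentials and the insertCartRow function name are assumptions for the example.

```php
<?php
// Added example (not from the original answer): the question's INSERT as a
// mysqli prepared statement. Values are bound separately from the SQL text,
// so no escaping is needed and a quote in $pname cannot alter the query.
// Assumed: $mysqli is an open mysqli connection; CART and its columns are
// those named in the question.

function insertCartRow(mysqli $mysqli, int $pid, string $pname, float $pprice, int $custId): bool
{
    // Placeholders (?) mark where bound values go; NOW() stays in the SQL.
    $sql = 'INSERT INTO CART (CartPID, CartPName, CartPrice, CartCustID, CartDate)
            VALUES (?, ?, ?, ?, NOW())';

    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }

    // Type string: i = integer, s = string, d = double, in parameter order.
    $stmt->bind_param('isdi', $pid, $pname, $pprice, $custId);

    $ok = $stmt->execute();
    if (!$ok) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $stmt->close();
    return $ok;
}

// Usage with a product name containing a single quote (constructed sample).
// Connection details are assumed placeholders for this example.
$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'shop');
$mysqli->set_charset('utf8mb4');
insertCartRow($mysqli, 42, "Men's Jacket", 59.99, 7);
```

Setting the connection charset before binding matters: escaping and binding both depend on the server and client agreeing on the encoding. The old mysql_* functions used in the answer were removed in PHP 7, so new code should use mysqli or PDO prepared statements rather than mysql_real_escape_string.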