I have a table that contains the names of movies and other things, and in my PHP page I want to select some of those movies.

$sql3 = "SELECT * FROM Movies where Movies.nameM='{$row['nameM']}';";

This query crashes when nameM (the name of the movie) has an apostrophe in it :/

How can I change this to work well?

Thanks for your help

marc_s
user3046650
  • If you're having this problem, you should have a very, very good look at http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Jeremy Smyth Dec 18 '13 at 17:22
  • I downvoted because I feel it lacks research effort. Nothing personal. – Tim Seguine Dec 18 '13 at 17:27
  • Which MySQL functions are you using? If you use prepared statements, this issue would be a thing of the past :) – gen_Eric Dec 18 '13 at 17:28
  • (1) Google for "SQL injection". Read and discover why you need to be really *really* careful when building DB strings. (2) Start using the PDO library for your PHP DB code, and use its "Prepared Statement" functionality to get around this issue. (3) Find a few *good quality* PHP tutorials (eg http://www.phptherightway.com/#databases). – Spudley Dec 18 '13 at 17:29

2 Answers

You may try:

// mysqli_real_escape_string() needs the open connection as its first argument;
// $conn is assumed to be the mysqli link returned by mysqli_connect().
$sql3 = "SELECT * FROM Movies where Movies.nameM='".mysqli_real_escape_string($conn, $row['nameM'])."';";

And if you are using the old and deprecated mysql_* functions:

$sql3 = "SELECT * FROM Movies where Movies.nameM='".mysql_real_escape_string($row['nameM'])."';";
Funk Forty Niner
MillaresRoo
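The two lines above show escaping; the comments on the question recommend prepared statements instead. The following added example (not code from the answer or the question) puts both side by side using the procedural mysqli API. It assumes a mysqli connection in $conn; the host, user, password and database names are placeholders, and "Ocean's Eleven" is a constructed movie title chosen because it contains an apostrophe.

```php
<?php
// Added example, not from the original answer. Connection details are placeholders.
$conn = mysqli_connect('db_host', 'db_user', 'db_password', 'db_name');
if ($conn === false) {
    die('Connection failed: ' . mysqli_connect_error());
}
// Escaping is charset-aware, so set the charset on the connection, not in the query.
mysqli_set_charset($conn, 'utf8mb4');

$name = "Ocean's Eleven"; // constructed sample input containing an apostrophe

// 1) Escaping: the connection handle is the first argument, the value the second.
//    The apostrophe becomes \' so the string literal stays intact.
$sql3 = "SELECT * FROM Movies WHERE Movies.nameM='"
      . mysqli_real_escape_string($conn, $name) . "'";
$result = mysqli_query($conn, $sql3);
if ($result === false) {
    die('Query failed: ' . mysqli_error($conn));
}
while ($movie = mysqli_fetch_assoc($result)) {
    echo $movie['nameM'], PHP_EOL;
}
mysqli_free_result($result);

// 2) Prepared statement: the SQL text is sent first and the value separately,
//    so no quoting is needed and the apostrophe cannot alter the statement.
$stmt = mysqli_prepare($conn, 'SELECT * FROM Movies WHERE nameM = ?');
if ($stmt === false) {
    die('Prepare failed: ' . mysqli_error($conn));
}
mysqli_stmt_bind_param($stmt, 's', $name); // 's' = bind as string
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);   // requires the mysqlnd driver
while ($movie = $result->fetch_assoc()) {
    echo $movie['nameM'], PHP_EOL;
}
mysqli_stmt_close($stmt);
mysqli_close($conn);
```

The prepared-statement form is the one to prefer: it fixes the apostrophe crash and, because the value never becomes part of the SQL text, it also removes the injection risk the comments point out. Escaping only works when it is done with the connection's actual charset, which is why the example sets it explicitly.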
As Spudley said, you should R&D more. Just to make it a bit easier for you:

You may use the mysql(i)_* real escape functions, but if you're using a framework that works on top of PDO you don't have a mysql(i)_* connection and can't escape strings using them. I have seen this problem previously on Yii or F3 or ... Mostly the frameworks support safe parameter injection.

\Framework::Query("SELECT .... WHERE column=:param", array(':param'=>$value));

But sometimes you may need to escape the string value manually. To do that with PDO you can acquire the PDO object and use:

substr($pdo->quote($string, \PDO::PARAM_STR), 1, -1)

The only note is that ->quote() also puts apostrophes around the result, which can be stripped using substr.

Edited to make the code clear
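To make the behaviour described in this answer visible, here is an added, self-contained example (not code from the answer) that runs against an in-memory SQLite database through PDO, so it needs no MySQL server, only the pdo_sqlite extension. The Movies table, its two rows and the search value "Ocean's Eleven" are constructed sample data. It shows the interpolated query from the question failing on the apostrophe, the named-parameter form that the framework call in the answer wraps, and the quote() plus substr() manual escape with the surrounding apostrophes it has to strip.

```php
<?php
// Added example, not from the original answer. In-memory SQLite via PDO; sample data is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Movies (id INTEGER PRIMARY KEY, nameM TEXT NOT NULL)');
$pdo->exec("INSERT INTO Movies (nameM) VALUES ('Heat'), ('Ocean''s Eleven')");

$value = "Ocean's Eleven"; // constructed input with an apostrophe

// 1) String interpolation, as in the question: the apostrophe closes the
//    literal early and the statement no longer parses.
try {
    $pdo->query("SELECT * FROM Movies WHERE nameM='{$value}'");
} catch (PDOException $e) {
    echo 'Interpolated query failed: ', $e->getMessage(), PHP_EOL;
}

// 2) Named parameter: the form a framework's Query(sql, array(':param' => $value))
//    helper ends up calling. The value never becomes part of the SQL text.
$stmt = $pdo->prepare('SELECT id, nameM FROM Movies WHERE nameM = :param');
$stmt->execute([':param' => $value]);
print_r($stmt->fetchAll(PDO::FETCH_ASSOC)); // one row: Ocean's Eleven

// 3) Manual escaping with quote(): the return value includes the surrounding
//    apostrophes, so substr(..., 1, -1) removes them before concatenation.
//    Not every PDO driver implements quote(); check for false before using it.
$quoted = $pdo->quote($value, PDO::PARAM_STR);   // 'Ocean''s Eleven'
if ($quoted === false) {
    die('This PDO driver does not support quote()');
}
$escaped = substr($quoted, 1, -1);                // Ocean''s Eleven
$sql = "SELECT id, nameM FROM Movies WHERE nameM='" . $escaped . "'";
print_r($pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC)); // same single row
```

The escaped form in step 3 is correct only because quote() is driver-specific and knows how SQLite doubles apostrophes; moving to MySQL changes the output of quote() but not the code, which is the point of going through the PDO object rather than a hand-written replace. Step 2 stays the simpler and safer default whenever the framework exposes it.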