sql to query columns with special character

Question

my query is like

$insert_query = "insert into post (post_title) values ('$post_title')";

If my post_title = Ronald's bio-data, I would not be able to insert the tuple because of the special character ' in my post_title.

How should solve this problem? Thank you in advance!

if i will give you solution you can store special char also DB Then ? — Manish Patel, Dec 23 '13 at 13:45
I think your problem is you unable to store value or you do not want to store — Manish Patel, Dec 23 '13 at 13:50

score 3 · Answer 1 · answered Dec 23 '13 at 13:45

3

Use Prepared Statements to escape parameters automatically in your queries

$stmt = $dbh->prepare("insert into post (post_title) values (?)";
$stmt->bindParam(1, $post_title);
$stmt->execute();

answered Dec 23 '13 at 13:45

juergen d

can you explain a bit more on what is $dbh? – Xiahao Wang Dec 23 '13 at 14:20
`$dbh` is the DB handler. [here is a good quick tutorial](https://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – juergen d Dec 23 '13 at 16:05

score 0 · Answer 2 · edited May 23 '17 at 11:50

0

Consider using the $mysqli->real_escape_string(String) function.

$post_title = $mysqli->real_escape_string($post_title);
$insert_query = "insert into post (post_title) values ('$post_title')";

See here for more information.

Note that using variables in SQL Strings always emits a potential vulnerability due to SQL Injection attacks. See e.g. this post for alternatives.

edited May 23 '17 at 11:50

Community

answered Dec 23 '13 at 13:47

sebastian_oe

2 Answers2