Apostrophe Not Being Inserted into SQL Database

Question

I'm using PHP to connect with a SQL database using sqlsrv drivers. However, I've run into a problem:

$string = "Home";
$DBH->prepare( "INSERT INTO table_name (column_name) VALUES ('" .$string. "')" );
$DBH->execute();

How come this works?

$string = "Home's";
$DBH->prepare( "INSERT INTO table_name (column_name) VALUES ('" .$string. "')" );
$DBH->execute();

But this doesn't?

The SQL database doesn't seem to accept the apostrophe in the $string variable. In the past I would use mysql_real_escape_string but that isn't an option.

Does and doesn't work are words noone understands here. Find the error. PDO has a quote method http://www.php.net/manual/en/pdo.quote.php — Mike B, Jan 16 '14 at 13:10
You're suffering SQL injection - Here's [how to fix it](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Álvaro González, Jan 16 '14 at 13:11
"In the past I would use `mysql_real_escape_string` but that isn't an option." This means you know what the problem is. Use prepared statements. — Bart Friederichs, Jan 16 '14 at 13:13
@ÁlvaroG.Vicario — More then that, that's is the *cause* of the problem, so the question you link to is a duplicate. — Quentin, Jan 16 '14 at 13:15

score 2 · Accepted Answer · answered Jan 16 '14 at 13:17

This happens because you're using a prepared statement... but not preparing any input and instead just slapping the value into the SQL. Looking at it should make it clear:

ex 1:

$DBH->prepare( "INSERT INTO table_name (column_name) VALUES ('Home')" );

ex 2:

$DBH->prepare( "INSERT INTO table_name (column_name) VALUES ('Home's')" );

See how your quoting is now messed up?

The proper way to do this is to acutally USE the prepared statement's functionality:

$string = "Home's";
$DBH->prepare( "INSERT INTO table_name (column_name) VALUES (:column_name)" );
$DBH->bindParam(':column_name', $string);
$DBH->execute();

Note how your statement is FIRST prepared with the :column_name parameter ready to accept a value. Then the bindParam puts a value in and executes.

Now can even reuse the prepare with new values:

$string = "Home's Holmes is homing";
$DBH->execute();

I'd forgotten about OOP with PHP, thanks for the refresher lesson — proPhet, Jan 16 '14 at 13:57

score 0 · Answer 2 · answered Jan 16 '14 at 13:18

0

The sqlsrv documentation page has decent examples on how to use prepared statements:

$sql = "INSERT INTO table_name (column_name) VALUES (?)";
$params = array("Home's");    
$stmt = sqlsrv_query( $conn, $sql, $params);

answered Jan 16 '14 at 13:18

Bart Friederichs

33,050
15
95
195

score -1 · Answer 3 · answered Jan 16 '14 at 13:14

-1

I think you need to escape the apostrophe by using a double apostrophe. after you do an insert check out the data in the table it should only show one apostrophe.

$string = "Home''s"; 
$DBH->prepare( "INSERT INTO table_name (column_name) VALUES ('" .$string. "')" );
$DBH->execute();

good luck...

answered Jan 16 '14 at 13:14

Anthony DeSalvo

9
1

This is not a string-escaping problem, it is a SQL statement problem. – Bart Friederichs Jan 16 '14 at 13:14
in SQL apostrophes' need to be escaped.. Insert into Person (First, Last) Values ('Joe', 'O''Brien') – Anthony DeSalvo Jan 16 '14 at 13:16
That's kind of acceptable for static queries, but I'm pretty sure that `$string = "Home's";` is just a simplified test case. The SQLSRV libraries offers decent prepared statements support. – Álvaro González Jan 16 '14 at 13:20
Agreed. It is still advisable to use prepared statements. – Bart Friederichs Jan 16 '14 at 13:20
I don't disagree however I feel the OP couldn't grasp that concept.. – Anthony DeSalvo Jan 16 '14 at 13:23

Apostrophe Not Being Inserted into SQL Database

3 Answers3