
I created a form to collect user data, including the address, and write it to a MySQL DB. In the user table, Street is a VARCHAR(255). Everything works fine, unless there's an apostrophe in the street name; in this case I get the following SQL warning:

For example, if I put "Francesco D'assisi 24" in the Street name:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'assisi 24',

Any idea how to avoid it?

Alexander
Velectro
It's called SQL injection; use prepared statements. http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Mihai Feb 15 '14 at 18:23

2 Answers

Pass the variables via stored procedure parameters.

user3241191

You need to escape the data: use the function mysql_real_escape_string (or its analogs in other libraries), or use PDO with parameters.

For example:

// The value that broke the original query: the apostrophe ends the SQL
// string literal early, so everything after it is parsed as SQL.
$data = <<<TXT
Francesco D'assisi 24
TXT;

// Escape the quote for the current connection before splicing it into the SQL text
$data = mysql_real_escape_string($data);
// `table` is a placeholder name (it is a reserved word, hence the backticks)
mysql_query("INSERT INTO `table` VALUES ('$data')") or die(mysql_error());
Hett