I want to add words with single quotes, like "Dwi'q" and "Jum'at", in PHP MySQL, but I can't add those words. I tried searching but I didn't find anything.

My query is:

$query=mysql_query("INSERT INTO `pln`(`ppno`,`persno`,`pernum`,`psgrup`,`lv`,`pos`,`nppsimkp`,`persub`,`busrea`,`pdthr`,`gk`,`marstakey`,`bkey`,`bakun`,`numtd`,`email`,`bdate`) VALUES ('".$ppno."','".$persno."','".$pernum."','".$psgrup."','".$lv."','".$pos."','".$nppsimkp."','".$persub."','".$busrea."','".$pdthr."','".$gk."','".$marstakey."','".$bkey."','".$bakun."','".$numtd."','".$email."','".$bdate."')") or die(mysql_error());

Thanks for help.

user2864740
user231602
  • use mysqli_real_escape_string or mysql_real_escape_string – krishna Mar 03 '14 at 07:38
  • See http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php - this is a form of "accidental" SQL injection. The *best* way to fix it is to **stop using mysql_\* functions** and use either `mysqli` or PDO with *placeholders* (aka prepared statements). See the linked question. – user2864740 Mar 03 '14 at 07:40
  • Escape the quotes in your variables before passing them in the query, check this thread, it's the exact thing: http://stackoverflow.com/questions/887036/insert-a-value-containg-single-quotes-in-mysql – NoobEditor Mar 03 '14 at 07:41
  • another => http://stackoverflow.com/questions/7028556/escaping-and-inserting-serialized-data-to-mysql ...wonder what have u searched!!!! – NoobEditor Mar 03 '14 at 07:45

3 Answers

In order to insert values with ' you need to use mysqli_real_escape_string or mysql_real_escape_string. Also, it is better to always use it when you are inserting values into the DB, in order to avoid SQL injection.

And one more thing: please stop using mysql_* functions and start using mysqli_* functions or PDO.

Example

Using mysql_real_escape_string

$a = "some one's text";
$a = mysql_real_escape_string($a);

Using mysqli_real_escape_string

$con = mysqli_connect("localhost","dbusername","dbpassword","dbname");
$a = "some one's text";
$a = mysqli_real_escape_string($con,$a);
krishna
  • I would not recommend such outdated approaches, especially when there are *so many duplicates*. My recommendation is to *update* to mysqli (or PDO) and use *placeholders*. – user2864740 Mar 03 '14 at 07:42
  • Yes, correct. But we don't know what PHP version he is using, so we can give the option and tell him which is the better one. – krishna Mar 03 '14 at 07:45
  • Any version of PHP that does not support a proper SQL client library should not be used. – user2864740 Mar 03 '14 at 07:45
  • Agreed... this answer looks kind of obsolete... plus this is a clear example of repetition of effort in answering when similar threads exist!!! – NoobEditor Mar 03 '14 at 07:46
  • Like it matters.. I could have added the same comment to every other answer. The mind-swarm for "escaping" is too strong :( – user2864740 Mar 03 '14 at 07:48
Simply put, you can escape it with a backslash.

$search_keyword="jum\'at";

But I recommend that you first sanitize the value before passing it into the query, using the PHP function called

mysql_real_escape_string($search_keyword) 

For example:

$search_keyword=mysql_real_escape_string("jum'at");
Rafique Mohammed
First do this:

$a = mysql_real_escape_string("Dwi'q");
$b = mysql_real_escape_string("Jum'at");

and then run your query providing these variables in your query.

uvais
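
The placeholder (prepared statement) approach recommended in the comments, shown as an added example that is not part of any answer above. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, the `pln` table is cut down to three of the question's columns, and the rows and the `insertPln` helper are constructed for illustration.

```php
<?php
// Added example: bound parameters instead of concatenation or manual escaping.
// Assumption: SQLite in memory replaces MySQL here; for MySQL only the DSN and
// credentials change (e.g. "mysql:host=...;dbname=...;charset=utf8mb4").
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // fail loudly instead of die(mysql_error())
]);

// Reduced version of the question's `pln` table (constructed for the example).
$pdo->exec('CREATE TABLE pln (ppno TEXT, persno TEXT, email TEXT)');

// Hypothetical helper: the SQL text is fixed, values travel separately as parameters,
// so a quote inside a value can never terminate the string literal.
function insertPln(PDO $pdo, array $row): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO pln (ppno, persno, email) VALUES (:ppno, :persno, :email)'
    );
    $stmt->execute([
        ':ppno'   => $row['ppno'],
        ':persno' => $row['persno'],
        ':email'  => $row['email'],
    ]);
}

// Constructed sample input: the two words from the question plus a hostile value.
$rows = [
    ['ppno' => '1001', 'persno' => "Dwi'q",                   'email' => 'a@example.com'],
    ['ppno' => '1002', 'persno' => "Jum'at",                  'email' => 'b@example.com'],
    ['ppno' => '1003', 'persno' => "x'); DROP TABLE pln; --", 'email' => 'c@example.com'],
];
foreach ($rows as $row) {
    insertPln($pdo, $row);
}

// Read back: every value must be stored byte-for-byte, quotes included,
// and the table must still exist with all three rows.
$stored = $pdo->query('SELECT persno FROM pln ORDER BY ppno')
              ->fetchAll(PDO::FETCH_COLUMN);
if ($stored !== array_column($rows, 'persno')) {
    throw new RuntimeException('stored values differ from input');
}
foreach ($stored as $value) {
    echo $value, PHP_EOL;
}
```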