I am having a problem while uploading a string to a MySQL database. Here are the things I use:

  1. EditText for user input
  2. PHP file that receives string from the application and inserts into the database

The PHP file I use for communication:

<?php
// Note: the mysql_* functions used here are deprecated (removed in PHP 7.0).
$con = mysql_connect("SERVER","DB_NAME","PASS");
if (!$con)
    {
    die('Could not Connect:'. mysql_error());
    }
mysql_select_db("DB_NAME",$con);

// The request value is spliced directly into the SQL text. A single quote
// in st_Id ends the string literal early, so the statement no longer parses.
mysql_query ("INSERT INTO table_name (id) VALUES('".$_REQUEST['st_Id']."')");

mysql_close($con);
?>

When I try to insert text into the EditText in Android and that text includes quotation marks, the operation fails; otherwise the operation works fine. I guess the problem is in the PHP file while receiving the string, but I have no idea how to solve it.

Any ideas?

laalto
Izzo32
    Make a simple test to understand this yourself: Write down the sql statement you would expect to get created when you use a single quote inside. Write it down in its final form, look at it and you will see the problem. The solution: "escaping". Or better and much more secure: "prepared statements". – arkascha Apr 25 '14 at 07:54
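An added example (not the asker's script) of the same INSERT written with a mysqli prepared statement, so the user's text is sent to MySQL as a bound value instead of being spliced into the SQL string; it assumes the same table and column names as the question, and the credentials are placeholders:

```php
<?php
// Illustration only: what the original concatenation produces for an input
// that contains a single quote. The quote closes the literal early, so MySQL
// rejects the statement with a syntax error (or worse, runs altered SQL).
$sample   = "O'Brien";                                   // constructed sample input
$broken   = "INSERT INTO table_name (id) VALUES('" . $sample . "')";
// $broken is now:  INSERT INTO table_name (id) VALUES('O'Brien')

// Hardened version: connect with mysqli (placeholder credentials).
$con = new mysqli("SERVER", "DB_USER", "PASS", "DB_NAME");
if ($con->connect_error) {
    die('Could not connect: ' . $con->connect_error);
}

// The SQL text contains only a placeholder; no user data is ever part of it.
$stmt = $con->prepare("INSERT INTO table_name (id) VALUES (?)");
if ($stmt === false) {
    die('Prepare failed: ' . $con->error);
}

// Same parameter name the Android app already sends.
$value = isset($_REQUEST['st_Id']) ? $_REQUEST['st_Id'] : '';

// "s" = bind as a string. Quotes, backslashes and semicolons in $value are
// transmitted as data, so no escaping is needed and the statement cannot be altered.
$stmt->bind_param("s", $value);
if (!$stmt->execute()) {
    die('Insert failed: ' . $stmt->error);
}

$stmt->close();
$con->close();
?>
```

The same approach works with PDO (`$pdo->prepare(...)->execute([$value])`); the point is that the value travels separately from the statement text.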

1 Answer

I've disabled the single quotation mark and any special marks from the EditText by doing the following in the EditText attributes:

android:digits="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ- 0123456789"

I can live with that till now :)

Izzo32