-1

This is probably going to be a really simple question, but my head is spinning.

I am using PHP in a web service. One item that I receive is a string which I save into an SQL database.

The issue is that the strings must be able to contain ' but when I construct a query like the following

$query = "INSERT INTO TABLE (COLUMN1) VALUES ('{$_POST['string']}')"; // user input interpolated straight into the SQL text

it throws an SQL query error if ' is used.

Any solutions?

Thanks

Display Name
  • 1,025
  • 2
  • 15
  • 34

3 Answers

0

You need to properly escape the strings that you insert into your database.

MySQLi resource: http://php.net/manual/en/mysqli.real-escape-string.php

PDO resource: real escape string and PDO

Community
  • 1
  • 1
Samuel Cook
  • 16,620
  • 7
  • 50
  • 62
0

I think the word you are looking for is escape.

have a look at this: How does one escape special characters when writing SQL queries?

AirmanAir
  • 11
  • 5
0

It's always better to use prepared statements for queries that involve user input. Your SQL string must be something like this:

$query = "INSERT INTO table (column1) VALUES(?)";

See mysqli_prepare documentation if you are using mysqli. If you are using a PHP framework, your framework may offer an easier implementation.

Check out this article for the reasons why it's better to use a prepared statement.

gmarintes
  • 1,288
  • 12
  • 16
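The following is an added example, not code from the question or from any of the answers above. It puts the three approaches discussed side by side: the query from the question (which breaks on an apostrophe and is also an SQL injection), the mysqli_real_escape_string fix from the first answer, and the prepared-statement fix from the third answer with both mysqli and PDO. The database name, table `messages`, column `body` and the connection credentials are placeholders assumed for the example; the input string is constructed to contain an apostrophe and an injection payload.

```php
<?php
// Added example. Assumes a MySQL database "app" containing a table
// `messages` with a single text column `body`, reachable with the
// placeholder credentials below. All names here are assumptions.

// Constructed input standing in for $_POST['string']: it contains an
// apostrophe (the OP's problem) and, after it, a second statement.
$userInput = "O'Brien'); DROP TABLE messages; -- ";

// 1. The query from the question. The apostrophe closes the string literal
//    early, which is the syntax error the OP saw and also an injection:
//    INSERT INTO messages (body) VALUES ('O'Brien'); DROP TABLE messages; -- ')
$broken = "INSERT INTO messages (body) VALUES ('{$userInput}')";

$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app');
if ($mysqli->connect_error) {
    die('Connect failed: ' . $mysqli->connect_error);
}
// Escaping depends on the connection charset, so set it on the connection,
// never by running SET NAMES in a query.
$mysqli->set_charset('utf8mb4');

// 2. Escaping (first answer): real_escape_string backslash-escapes quotes and
//    other special characters. It works, but every value must be escaped by
//    hand AND still be wrapped in quotes in the SQL; miss either and you are
//    back to (1).
$escaped = $mysqli->real_escape_string($userInput);
$query   = "INSERT INTO messages (body) VALUES ('{$escaped}')";
if (!$mysqli->query($query)) {
    die('Insert failed: ' . $mysqli->error);
}

// 3. Prepared statement with mysqli (third answer): SQL text and data travel
//    separately, so nothing in $userInput can ever be parsed as SQL.
$stmt = $mysqli->prepare('INSERT INTO messages (body) VALUES (?)');
if ($stmt === false) {
    die('Prepare failed: ' . $mysqli->error);
}
$stmt->bind_param('s', $userInput); // one type letter per placeholder; 's' = string
if (!$stmt->execute()) {
    die('Execute failed: ' . $stmt->error);
}
$stmt->close();
$mysqli->close();

// 4. The same insert with PDO. Emulated prepares are turned off so that the
//    server, not the client library, handles the parameters.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);
$insert = $pdo->prepare('INSERT INTO messages (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);

// Read the rows back to confirm the apostrophe and the payload were stored
// verbatim as data (two rows: one from step 2, one from step 4).
$select = $pdo->prepare('SELECT body FROM messages WHERE body = :body');
$select->execute([':body' => $userInput]);
echo count($select->fetchAll(PDO::FETCH_COLUMN)) . " matching rows\n";
```

Step 2 is the minimum fix for the OP's error, but steps 3 and 4 are the ones to keep: with a prepared statement there is no quoting to get wrong, and the apostrophe (or anything else the user sends) is only ever data.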