what is correct way to do this php code

Question

I have this query

$query = "SELECT * FROM customers WHERE customer_name = '{$orders}'";

but when the value of the $orders have a single quote(') for example:

$orders = "Carlo's shop";

the query return an error.

is there any good way to handle this situation?

Now let's imagine what would happen if it contained `Robert');DROP TABLE customers;--`. — N.B., Dec 09 '14 at 02:02

score 3 · Accepted Answer · edited Apr 02 '20 at 22:58

3

Use PDO with prepared statements. See reference docs.

$query = $pdo->prepare('SELECT * FROM customers WHERE customer_name= :orders');

$query->execute(array('orders' => $orders));

edited Apr 02 '20 at 22:58

Dharman

answered Dec 09 '14 at 02:03

A.B

thank your clever answer, this part `'$orders'` not work for me, but your answer give me an idea how to make my code working.. a very big thanks. happy codding... – jhunlio Dec 09 '14 at 03:02

1 Answers1