I need to run this query, but it keeps returning nothing because of the apostrophe that's acting like a single quote. How can I change this to accommodate values with apostrophes?

Relevant part of PHP:

$selected_client = $_POST['client'];

$sql = "SELECT `client_id` FROM client_table where client_id = '{$selected_client}';" ;

For example, how can I handle a case where $selected_client = "Bob's Bakery"?

jonmrich
    Use prepared statements. http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – xQbert Mar 03 '15 at 18:57
  • ...in conjunction with a modern API (mysqli or PDO) – Strawberry Mar 03 '15 at 19:07
  • @xQbert I seem to get this answer whenever I ask a question like this, but haven't had anyone help me actually put this together for my specific situation. I understand what needs to be done abstractly, but can't quite seem to apply it to my situation. – jonmrich Mar 04 '15 at 18:26
  • Are you using mySQLi or PDO as @Strawberry points out? [This](http://code.tutsplus.com/tutorials/pdo-vs-mysqli-which-should-you-use--net-24059) can help you understand the difference and gives you a few examples to mimic and build from. I would recommend using the examples and build a very basic connect and display and then build from it. The reason you've not received much help, IMO is because the vast examples that already exist to build from. No one wants to re-invent the wheel. – xQbert Mar 05 '15 at 14:06
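As an added example (not from the question or its comments), here is the same lookup written as a prepared statement in both PDO and mysqli, the two APIs the comments point to. The connection details (host, database name, credentials) are assumed placeholders; the table and column names are the ones from the question.

```php
<?php
// Added example, not from the question or its comments. Connection details
// (host, database name, credentials) are assumed placeholders.

// --- PDO version ---
function lookupClientIdPdo(PDO $pdo, string $selectedClient): ?string
{
    // The named placeholder stands in for the value; the driver sends it
    // separately from the SQL text, so the apostrophe in "Bob's Bakery" is
    // just data and cannot terminate the string literal.
    $stmt = $pdo->prepare(
        'SELECT `client_id` FROM client_table WHERE client_id = :client'
    );
    $stmt->bindValue(':client', $selectedClient, PDO::PARAM_STR);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['client_id'];
}

// --- mysqli version ---
function lookupClientIdMysqli(mysqli $db, string $selectedClient): ?string
{
    // Positional "?" placeholder; 's' tells bind_param the value is a string.
    $stmt = $db->prepare(
        'SELECT `client_id` FROM client_table WHERE client_id = ?'
    );
    $stmt->bind_param('s', $selectedClient);
    $stmt->execute();

    $result = $stmt->get_result(); // needs the mysqlnd driver
    $row = $result->fetch_assoc();
    return $row === null ? null : (string) $row['client_id'];
}

// Assumed connection details (placeholders).
$pdo = new PDO('mysql:host=localhost;dbname=app_db;charset=utf8mb4', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
$mysqli = new mysqli('localhost', 'app_user', 'app_pass', 'app_db');
$mysqli->set_charset('utf8mb4');

// Constructed sample input standing in for $_POST['client'].
$selected_client = "Bob's Bakery";

echo "PDO:    ", lookupClientIdPdo($pdo, $selected_client) ?? 'no match', "\n";
echo "mysqli: ", lookupClientIdMysqli($mysqli, $selected_client) ?? 'no match', "\n";
```

Either version runs the original query unchanged in structure; only the way the value reaches the database differs, which is also what closes the injection hole the commenters are warning about.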

0 Answers