
I've done some searching here and have not found what I'm looking for.

I've got a form that gets filled out, upon submitting it adds it to an SQL database (using PHP). However, if someone puts an apostrophe or single quote, it will blow up...I need to be able to either parse each text field to check for single quotes to escape them out or find some other way for this to work. Here is my SQL statement...if it helps.

$query = "INSERT INTO workshopinfo (Year, Presentername, email, bio, arrival, title, description, costyn, matcost, schedlimit, additionalinfo, typeofws, verified)" .
"VALUES ('$year', '$presentername', '$email', '$bio', '$arrival', '$title', '$description', '$costyn', '$matcost', '$schedlimit', '$additionalinfo', '$typeofws', '$verified')";

So of course a single quote will blow it up, as will a double quote...it fails every time. There is likely an easy solution to this.

Vidar

2 Answers


I may have just found it after posting. The PHP function addslashes() works in this case.

Vidar

You can use PDO with prepared statements to handle quotes in SQL requests:

$req = $bdd->prepare("INSERT INTO yourTable (a, b, c) VALUES (:a, :myb, :c)"); // SQL text contains only placeholders, no user data
$req->bindParam("a", $name, PDO::PARAM_STR); // string
$req->bindParam("myb", $title, PDO::PARAM_STR); // string
$req->bindParam("c", $identifier, PDO::PARAM_INT); // integer
$req->execute(); // values are sent separately from the SQL, so quotes inside them are just data

With this, you avoid all SQL injections.

Documentation: http://php.net/manual/en/book.pdo.php

Spoke44
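As an added example (not code from the question or either answer), here is the questioner's INSERT rewritten as a PDO prepared statement and run against an in-memory SQLite database so it can be tried offline. It first shows the original interpolated query failing on an apostrophe, then the prepared version storing the same text intact. Table and column names are taken from the question (reduced to three columns); the form values are constructed, and bindValue is used in place of bindParam.

```php
<?php
// Added example, not from the original page. Uses SQLite in memory so it runs anywhere PDO is available.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // surface SQL errors as exceptions

// Subset of the question's workshopinfo table (column names as in the question).
$pdo->exec("CREATE TABLE workshopinfo (Presentername TEXT, title TEXT, bio TEXT)");

// Constructed form input containing both quote characters that broke the original query.
$presentername = "Mary O'Brien";
$title         = 'Intro to "Quoting"';
$bio           = "She's been teaching since '99; says \"hi\".";

// 1) The original approach: values spliced straight into the SQL text.
//    The apostrophe in the name terminates the string literal early, so the
//    statement does not parse. This is the same hole an injection attack uses.
try {
    $pdo->exec("INSERT INTO workshopinfo (Presentername, title, bio) "
             . "VALUES ('$presentername', '$title', '$bio')");
    echo "Interpolated query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . "\n";
}

// 2) Prepared statement: the SQL is sent with placeholders only; the values
//    are bound afterwards, so quotes inside them are data, not SQL syntax.
$stmt = $pdo->prepare(
    "INSERT INTO workshopinfo (Presentername, title, bio) VALUES (:name, :title, :bio)"
);
$stmt->bindValue(':name',  $presentername, PDO::PARAM_STR);
$stmt->bindValue(':title', $title,         PDO::PARAM_STR);
$stmt->bindValue(':bio',   $bio,           PDO::PARAM_STR);
$stmt->execute();

// Read the row back to confirm the text round-trips unchanged:
// no escaping characters were added and none of the quotes were lost.
$row = $pdo->query("SELECT Presentername, title, bio FROM workshopinfo")
           ->fetch(PDO::FETCH_ASSOC);

$intact = $row['Presentername'] === $presentername
       && $row['title'] === $title
       && $row['bio'] === $bio;
echo $intact ? "Prepared insert stored all quotes intact\n"
             : "Stored values differ from input\n";
```

The same prepare/bind/execute pattern works unchanged against MySQL; only the DSN passed to the PDO constructor differs.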