
Is there any way to pass the & symbol inside a MySQL query with PHP?
I need to select values from the database based on category names, but category names may contain the & symbol.

example: CATEGORY_TITLE=FRUITS & VEGETABLES

β.εηοιτ.βε
Edwin Thomas
  • Yes, it's possible. & has no special meaning within a string literal for MySQL. Your problem is most likely with the transmission via HTTP and encoding in HTML, and not so much with the MySQL part. – VolkerK Jun 20 '15 at 11:51
  • @VolkerK Thank you. Can you give an example? – Edwin Thomas Jun 20 '15 at 11:53

2 Answers


I suspect you have a problem with the transmission of variables (used by some JavaScript code). If that is true, then make sure that the parameters you pass in the query string go through the encodeURIComponent method first.

That happens because & has a special meaning (in fact it is a delimiter).

MySQL accepts & in a string without any problem.
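To show the delimiter problem this answer describes from the server's side, here is an added example (not code from the question or from either answer). It uses a constructed category value and PHP's own parse_str() to model what a receiving script sees; rawurlencode() and http_build_query() play the role that encodeURIComponent plays in the browser. No database is involved.

```php
<?php
// Added example: what the server sees when "FRUITS & VEGETABLES" arrives in a
// query string with and without percent-encoding. $category is a constructed
// sample value.

$category = 'FRUITS & VEGETABLES';

// 1. Naive string concatenation, the way a JavaScript snippet that skips
//    encodeURIComponent would build the URL: the & inside the value is taken
//    as a parameter delimiter, so the value is cut off at that point.
$naive = 'CATEGORY_TITLE=' . $category;
parse_str($naive, $seenByServer);
var_dump($seenByServer['CATEGORY_TITLE']);           // string(7) "FRUITS "

// 2. Percent-encoded (rawurlencode is the PHP counterpart of encodeURIComponent):
//    %26 is data, not a delimiter, so the full value survives the round trip.
$encoded = 'CATEGORY_TITLE=' . rawurlencode($category);
var_dump($encoded);                                  // "CATEGORY_TITLE=FRUITS%20%26%20VEGETABLES"
parse_str($encoded, $decoded);
var_dump($decoded['CATEGORY_TITLE'] === $category);  // bool(true)

// http_build_query() encodes a whole parameter array at once, which is the
// safer habit whenever a query string is assembled in PHP rather than in JS.
echo http_build_query(['CATEGORY_TITLE' => $category]), PHP_EOL;
// CATEGORY_TITLE=FRUITS+%26+VEGETABLES
```

The truncated value in case 1 is exactly the symptom the question describes: the database receives "FRUITS " and the lookup fails, even though MySQL itself would have accepted the ampersand.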

Themis Beris

There are a number of ways to do it.

Before saving my data into DB, I use:
htmlentities($_POST['CATEGORY_TITLE'])
And on retrieval I use:
html_entity_decode($result['CATEGORY_TITLE'])

James
Deepak Nirala
    -1. Use [proper SQL escaping](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) instead of forcing HTML entities into a database. – helmbert Jun 20 '15 at 12:14
  • 2
    @ helmbert I have just suggested him a way to do it. I am not forcing him to do so !! – Deepak Nirala Jun 20 '15 at 12:29
  • 1
    @ helmbert it's really rude. You guys are marking a suggestive methodology as -ve. It just I am suggesting a logic. – Deepak Nirala Jun 20 '15 at 12:48
  • 1
    @ helmbert if you have better solution, It will be really nice if you could share it with us. – Deepak Nirala Jun 20 '15 at 12:50
  • @DeepakNirala While it's appreciated that you're trying to help, this is a really bad way to secure data before entering it into a database. It also is bad practice because you should (arguably/most times) store the *raw* data in the database, and then upon retrieval from the DB manage it as required for the given scenario. – James Jun 20 '15 at 13:07
  • 1
    @ helmbert Once he uses mysql_escape_string to remove '&' before saving how he will he fetch '&' in his result retrieved from databases? – Deepak Nirala Jun 20 '15 at 13:08
  • 1
    @James I really appreciate your suggestion but I am just suggesting edCoder a method. – Deepak Nirala Jun 20 '15 at 13:11
  • @DeepakNirala It is of course your choice to suggest any method you want to, but please understand we want high quality help and support here. And suggesting something which is bad practice, and arguably insecure and not just based on "opinion", is not really welcomed here. Have a read of this answer: http://stackoverflow.com/a/2077622/2632129 – James Jun 20 '15 at 13:15
  • Why would mysql_escape_string remove & from anything? – Sami Kuhmonen Jun 20 '15 at 13:20
  • 1
    @James Tnx for your suggestion but I am really discouraged by the way you guys are bullying me as if I have committed a crime by answering. – Deepak Nirala Jun 20 '15 at 13:25
  • No one is bullying you. We're trying to help you. Did you read the answer I linked to? It explains why your answer here is not a good solution. And no-one is suggesting you have committed a "crime" just provided a poor answer which is bad advice. Don't be discouraged by it, learn from it. – James Jun 20 '15 at 13:26
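The approach the commenters are recommending over the htmlentities() answer above, as an added example that is not code from the question, the answers or the comments: store the raw value, keep it out of the SQL text with a prepared statement, and escape only at output time. It uses PDO with an in-memory SQLite database (pdo_sqlite) so it runs without a server; the same prepared-statement calls work against MySQL by changing the DSN. The table, column and sample rows are constructed for the demonstration.

```php
<?php
// Added example (not from the page): prepared statements keep "&", quotes and
// anything else as data, so nothing needs to be rewritten before storage.
// SQLite in memory is used here only so the script runs stand-alone.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE category (id INTEGER PRIMARY KEY, CATEGORY_TITLE TEXT NOT NULL)');

// Store the raw value. The placeholder means the driver never lets the value
// be parsed as SQL, which is the actual injection defence.
$insert = $db->prepare('INSERT INTO category (CATEGORY_TITLE) VALUES (:title)');
$insert->execute([':title' => 'FRUITS & VEGETABLES']);
$insert->execute([':title' => "Bob's Bakery"]);          // a quote is just data too

// Look rows up by exactly what the user typed, again through a placeholder.
$select = $db->prepare('SELECT id, CATEGORY_TITLE FROM category WHERE CATEGORY_TITLE = :title');
$select->execute([':title' => 'FRUITS & VEGETABLES']);
$row = $select->fetch(PDO::FETCH_ASSOC);
var_dump($row['CATEGORY_TITLE']);                        // string(19) "FRUITS & VEGETABLES"

// Escape for the output context only, at the moment of output (HTML here).
echo htmlspecialchars($row['CATEGORY_TITLE'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
// FRUITS &amp; VEGETABLES

// Why storing htmlentities() output backfires: the stored text no longer
// matches what a user later searches for, so the lookup silently misses.
$insert->execute([':title' => htmlentities('TEA & COFFEE')]); // stores "TEA &amp; COFFEE"
$select->execute([':title' => 'TEA & COFFEE']);
var_dump($select->fetch(PDO::FETCH_ASSOC));                  // bool(false): no row found
```

The last three lines are the practical cost of the downvoted answer: once the stored form differs from the raw form, every comparison, search and join on that column has to remember to apply the same transformation, and the data becomes wrong for any consumer that is not an HTML page.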