I have a small piece of code that I cannot get to execute for a name that has ' in it, i.e. O'Reilly. So when it executes it skips over people with apostrophes in their names. Is there a way to escape it so that it will not skip them?

function direct_reports($email) {
  db_set_active('database');
  // $email is interpolated straight into the SQL string literal, so an
  // apostrophe in the address ends the literal early and the query fails.
  $result = db_query("SELECT COUNT(u.username) AS reports
    FROM {reports_user_info_fields_summary} u
    WHERE u.email = '$email' AND u.deleted = 0");
  $record = $result->fetchAssoc();
  db_set_active();
  dpm($record, 'record'); // devel debug output; must run before the return
  return $record;
}

Please help, and thank you!!! This is not a repeat of the SQL injection prevention question; the info is already stored in the DB with the character. Now, when calling it, it still won't escape the character. I have tried mysql_real_escape_string (PHP 5.4). I just cannot get that piece of code above to pull an email with an apostrophe.

The DB is halting on an email that is myname.o'myname@email.com (no slashes).

DoCnTex
  • possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Marc B Jul 27 '15 at 19:11
  • Tried everything in the other one and couldn't get it to work. – DoCnTex Jul 29 '15 at 16:29
  • then show exactly what's in the db, and exactly what's in `$email`. the code by itself is useless without seeing what the actual inputs are. – Marc B Jul 29 '15 at 16:30
  • gotcha, thanks Marc B.. email is just an email address but it only halts on names that have o'name@email.com in them.. there are no slashes in it.. we have the insert into the DB escaping.. but cannot reverse that.. but I think I fixed it.. – DoCnTex Jul 29 '15 at 20:16
  • escaping does NOT survive through the insert process. e.g. `insert ... values('miles o\'brien')` does not insert a literal `\` into the db. that's removed by the db during query compilation and whatnot. you get a literal `miles o'brien` in the table. so look at what's REALLY in the table. if there's escapes in there, you're probably double-escaping. – Marc B Jul 30 '15 at 15:22
  • Thanks Marc B... the actual from the DB is o'brien.. no escapes.. I did finally figure out what to do.. still in testing but worked in my dev outputs.. $result = db_query("select COUNT(u.username) AS reports from {reports_user_info_fields_summary} u WHERE u.email = '".mysql_real_escape_string($email)."' AND u.deleted = 0 "); – DoCnTex Jul 31 '15 at 18:34

1 Answer

-1

It's very simple: after using mysql_real_escape_string() to sanitize the data, apply PHP stripslashes() on the data while pulling it back to the user.
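Added example, not code from the question, the answer, or the Drupal project: the lookup from the question rewritten with a Drupal 7 db_query() named placeholder, which is what the "possible duplicate" comment is pointing at. A bound parameter never becomes part of the SQL text, so an apostrophe in the address cannot terminate the string literal, and no escaping call (and no stripslashes() on the way out) is needed. The function names direct_reports_bound, interpolated_sql and stored_variants are my own; db_query(), db_set_active() and the fetchField()/fetchCol() methods are Drupal 7 DBTNG; the table, column names and the connection key 'database' are taken from the question. The sample addresses are constructed. The interpolated_sql() helper only builds the query string in plain PHP to show what the database receives in the original version; it never executes it.

```php
<?php
// Added example (not the original question's or answer's code).
// Assumes Drupal 7 DBTNG: db_query(), db_set_active(). Table/column names and
// the connection key 'database' come from the question.

/**
 * Count a user's direct reports by email, binding the email as a parameter.
 *
 * @param string $email  Address exactly as stored, e.g. "myname.o'myname@email.com".
 * @return int           Number of matching, non-deleted rows.
 */
function direct_reports_bound($email) {
  db_set_active('database');
  // :email is a named placeholder. DBTNG passes the value to PDO as a bound
  // parameter, so an apostrophe (or a quote, a backslash, or "' OR 1=1 -- ")
  // is data, not SQL. Nothing is escaped by hand and nothing needs unescaping.
  $count = db_query(
    "SELECT COUNT(u.username) AS reports
     FROM {reports_user_info_fields_summary} u
     WHERE u.email = :email AND u.deleted = 0",
    array(':email' => $email)
  )->fetchField();
  db_set_active();
  return (int) $count;
}

/**
 * Diagnostic for the double-escaping point raised in the comments: if the
 * inserts ran the value through addslashes()/mysql_real_escape_string() AND a
 * placeholder, the row holds a literal backslash and the raw address will not
 * match. Returns every stored form of the address that exists.
 */
function stored_variants($email) {
  db_set_active('database');
  // DBTNG expands an array bound to one placeholder into an IN (...) list.
  $rows = db_query(
    "SELECT u.email FROM {reports_user_info_fields_summary} u
     WHERE u.email IN (:emails)",
    array(':emails' => array($email, addslashes($email)))
  )->fetchCol();
  db_set_active();
  return $rows;
}

/**
 * The query built the way the question builds it, returned as text only,
 * to show what MySQL actually receives. Never execute this string.
 */
function interpolated_sql($email) {
  return "SELECT COUNT(u.username) AS reports "
       . "FROM {reports_user_info_fields_summary} u "
       . "WHERE u.email = '$email' AND u.deleted = 0";
}

// Constructed sample inputs (not taken from any real system).
$plain = 'jane@example.com';
$apos  = "myname.o'myname@email.com";

// Interpolation closes the literal at the apostrophe:
//   ... WHERE u.email = 'myname.o'myname@email.com' AND u.deleted = 0
// MySQL reads the string 'myname.o', then hits unparseable text and raises a
// syntax error, which is the "halting" the question describes.
echo interpolated_sql($plain), "\n";
echo interpolated_sql($apos), "\n";

// The bound queries only make sense inside a bootstrapped Drupal 7 site.
if (function_exists('db_query')) {
  echo 'stored forms: ', implode(', ', stored_variants($apos)), "\n";
  echo 'reports: ', direct_reports_bound($apos), "\n";
}
```

Two practical notes. First, mysql_real_escape_string() needs an open mysql_* link; Drupal 7 talks to MySQL through PDO and never opens one, so on PHP 5.4 the call emits a warning and returns FALSE when it cannot create a default connection, and the query then compares against an empty string. The placeholder form avoids the question of escaping entirely. Second, run stored_variants() once before trusting either approach: if it returns the address with a backslash in it, the insert path is double-escaping and that is what needs fixing, not the read path.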