MySQL: How to retrieve data that contain apostrophe

Question

I am having a problem retrieving a data from mysql that has an apostrophe in it. I don't have problem in saving a data that has an apostrophe since that I am using mysqli_real_escape_string when inserting the data to the database but I get an error when retrieving it. My sample code in PHP for retrieving the data is mysqli_query($con,"SELECT column1data FROM Table1 WHERE column2data LIKE '".$data."' ")or die(mysqli_error($con)); and the $data is the one that has an apostrophe in it.

Answer 1

Still use mysqli_real_escape_string() when binding variables, especially when it is a string, to your query. Not just for inserting data.

$data = mysqli_real_escape_string($data);

You should also look at prepared statement. No need to sanitize the variable before binding it your query, prepared statement will do it for you.

$data = "%{$data}%"; /* CHANGE THIS IF YOU DON'T WANT TO USE % */

$stmt = $con->prepare("SELECT column1data FROM Table1 WHERE column2data LIKE ?")){ /* PREPARE YOUR STATEMENT */
  $stmt->bind_param("s", $data); /* BIND THE DATA */
  $stmt->execute(); /* EXECUTE THE QUERY */
  $stmt->bind_result($column1data); /* BIND THE RESULT TO THIS VARIABLE */
  $stmt->fetch(); /* FETCH THE RESULT */
  echo $column1data; /* ECHO THE RESULT */
  $stmt->close(); /* CLOSE THE STATEMENT */
}

Answer 2

You should use mysqli_real_escape_string() every time that a string is being placed into your SQL code. Use mysqli_real_escape_string($data) rather than just $data.