
I'm using mysqli_query() with a dynamic variable $categoryName, where the category name is fetched based on the user's submission from a form.

Within my category name submission form there are Food, Vintage clothing, Leisure, Angel's etc...

I'm still quite new to querying content from a database; I currently managed to come up with using mysqli_query() for querying from the database, like so:

$sqlCommand = mysqli_query($conn, "SELECT * FROM products WHERE category='$categoryName'");

Everything works great and I managed to query the db with my existing category names; however, the only one which doesn't work is the Angel's category, with the ' apostrophe symbol in it.

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in.......

I suspect there is some sort of method like a filter that needs to be called before mysqli_query()?

Vincent1989

2 Answers


Use mysqli_real_escape_string

$cat_name = mysqli_real_escape_string($conn, $categoryName);
$sqlCommand = mysqli_query($conn, "SELECT * FROM products WHERE category='$cat_name'");
Saty
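As an added example (not code from Saty's answer), here is the same lookup rewritten with a mysqli prepared statement, which is the approach that removes the quoting problem entirely: the apostrophe in "Angel's" travels to the server as bound data and is never spliced into the SQL text. It assumes a `products` table with `category` and `name` columns and placeholder connection details; `mysqli_stmt_get_result()` and `mysqli_fetch_all()` require the mysqlnd driver.

```php
<?php
// Added example, not part of the original answer. Connection details,
// the "products" table and its "name" column are assumptions.

$conn = mysqli_connect('localhost', 'db_user', 'db_password', 'shop_db');
if (!$conn) {
    die('Connection failed: ' . mysqli_connect_error());
}
mysqli_set_charset($conn, 'utf8mb4');

function productsInCategory(mysqli $conn, string $categoryName): array
{
    // The "?" placeholder stands in for the value. The value itself is sent
    // separately by bind_param, so quotes inside it cannot alter the query.
    $stmt = mysqli_prepare($conn, 'SELECT * FROM products WHERE category = ?');
    if ($stmt === false) {
        throw new RuntimeException('Prepare failed: ' . mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, 's', $categoryName);
    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException('Execute failed: ' . mysqli_stmt_error($stmt));
    }
    $result = mysqli_stmt_get_result($stmt); // needs the mysqlnd driver
    $rows = mysqli_fetch_all($result, MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

// The value comes straight from the form; no escaping step is required,
// and "Angel's" matches exactly like "Food" does.
$categoryName = $_POST['category'] ?? '';
foreach (productsInCategory($conn, $categoryName) as $row) {
    // Output encoding is a separate concern from the query: escape for HTML here.
    echo htmlspecialchars($row['name'] ?? '', ENT_QUOTES, 'UTF-8'), "\n";
}
```

The prepared statement also makes the failure mode visible: a bad query surfaces as an exception with the server's message instead of `mysqli_query()` silently returning `false` and the later `mysqli_fetch_array()` complaining about a boolean.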

This is called an SQL-Injection. In this case it's not wanted and occurs in normal business. You should read an article about SQL-Injection and prevent it in future projects.

You can escape that string using

mysqli_real_escape_string($conn, $categoryName);

Happy coding.

Hecke29
    You need to add first parameter as connection string `mysqli_real_escape_string($link, $categoryName);` – Saty Nov 20 '15 at 09:18
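If you stay with the escaping approach from this answer, two details decide whether it actually works. As an added example (not code from Hecke29's answer), this shows the `mysqli_real_escape_string()` path with the connection character set set explicitly and the `mysqli_query()` return value checked, which is what the warning in the question was about. Connection details, the `products` table and its `name` column are assumptions.

```php
<?php
// Added example, not part of the original answer. Connection details and
// the table layout are assumptions.

$conn = mysqli_connect('localhost', 'db_user', 'db_password', 'shop_db');
if (!$conn) {
    die('Connection failed: ' . mysqli_connect_error());
}
// mysqli_real_escape_string escapes according to the connection's character
// set, so set it explicitly instead of relying on the server default.
mysqli_set_charset($conn, 'utf8mb4');

$categoryName = $_POST['category'] ?? '';                    // e.g. Angel's
$cat_name = mysqli_real_escape_string($conn, $categoryName);  // becomes Angel\'s

// The escaped value must still be wrapped in quotes inside the SQL text;
// escaping an unquoted value gives no protection at all.
$sql = "SELECT * FROM products WHERE category='$cat_name'";
$result = mysqli_query($conn, $sql);

// mysqli_query returns false on a SQL error. Not checking for that is what
// produced "expects parameter 1 to be mysqli_result, boolean given".
if ($result === false) {
    error_log('Query failed: ' . mysqli_error($conn));
    exit('Could not load products.');
}

while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
    echo htmlspecialchars($row['name'] ?? '', ENT_QUOTES, 'UTF-8'), "\n";
}
mysqli_free_result($result);
```

Logging `mysqli_error($conn)` on the server side, rather than echoing it to the browser, keeps the diagnostic available to you without exposing query text to visitors.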