PDO query with quotes

Question

I developping an admin panel, i have the PDO stuff for my db. Here is my post PHP for update texte in my website:

$text1= $_POST['text1'];
$text2= $_POST['text2'];
$query = $con->prepare("UPDATE `home` SET text1='$text1', text2='$text2' WHERE id=1;");
$query->execute();
if ($query) {
    echo 'good';....}

If i write quotes it's say my sql query is not good. I have tried quote() and prepare() but don't work too. How can i do for use quote in my input ?

PS: In all my query i have specials char like: é à ü ù and other (i'm french)

Please read http://code.tutsplus.com/tutorials/php-database-access-are-you-doing-it-correctly--net-25338 and use **proper** prepared statements, that will fix your problem — Sjon, Dec 14 '15 at 15:28
`$text1= $_POST['text1']; $text2= $_POST['text2']; $query = $con->prepare("UPDATE 'home' SET text1= :1 text2=:2 WHERE id=1;"); $query->bindParam(':1', $text1, PDO::PARAM_STR); $query->bindParam(':2', $text2, PDO::PARAM_STR); $query->execute();` — Sergey Belyakov, Dec 14 '15 at 15:37
@SergeyBelyakov almost, just :1 replace ?. But i don't know wich is the best — Flavien317, Dec 14 '15 at 15:44
@Flavien317 It's a different approaches. I like to use the named parameters — Sergey Belyakov, Dec 14 '15 at 15:49

score 1 · Accepted Answer · answered Dec 14 '15 at 15:28

1

Use bound parameters:

$text1= $_POST['text1'];
$text2= $_POST['text2'];
$query = $con->prepare("UPDATE `home` SET text1=?, text2=? WHERE id=1;");
$query->execute([$text1, $text2]);

answered Dec 14 '15 at 15:28

Steve

20,703
5
41
67

thanks, it's work, but there are other way because i like to have my $variable in my query ? – Flavien317 Dec 14 '15 at 15:33
Huh? Please explain what you mean? – Steve Dec 14 '15 at 15:55
I just wan't to know which is the best method for have all special char in my query – Flavien317 Dec 14 '15 at 15:57
Ok, so could you explain whats not working with the above? How is it failing? What chars are getting removed? And how did you test that they are removed (and not just escaped) – Steve Dec 14 '15 at 16:01
All working good, thanks, I will just wanted what is the best way for have special char in input and query. – Flavien317 Dec 14 '15 at 16:25

PDO query with quotes

1 Answers1