I want to save the string "thats'one" in my table columns, but I don't want to use mysqli_real_escape_string. Can anyone guide me regarding how to do that?
- Why don't you want to use `mysqli_real_escape_string`? What is the reason behind this? – Saty Dec 31 '15 at 07:14
- Where is your insert query code? – Sadikhasan Dec 31 '15 at 07:16
- Use parameterized queries. There are many tutorials, threads, and sites already addressing this issue. If you are having a particular issue please post your code. – chris85 Dec 31 '15 at 07:17
- @Sadikhasan I know it is possible using `mysqli_real_escape_string`, but I want to know if there is any other option. – adnan khalid Dec 31 '15 at 07:18
- @adnankhalid yes, parameterized queries. That is the best practice. – chris85 Dec 31 '15 at 07:18
- @chris85 Thanks, I'm trying. – adnan khalid Dec 31 '15 at 07:19
- Use PDO or prepared statements with mysqli and you'll never have to worry about quotes or escaping chars ever again. – huysentruitw Dec 31 '15 at 07:20
- Can you print your query and share it here? – devpro Dec 31 '15 at 07:23
- Yes, PDO is the way to go. – grimmdude Dec 31 '15 at 07:25
- @grimmdude Why? `mysqli` supports parameterized queries just fine. – chris85 Dec 31 '15 at 07:27
- @WouterHuysentruit `PDO or prepared statements` will allow versatility across other DBs, but OP also still needs to use parameterized queries. Without those, prepared statements are worthless. – chris85 Dec 31 '15 at 07:30
- If you don't want to use mysql_escape_string then use addslashes()... I believe you should always use your data provider's escape function instead of addslashes, because addslashes may either do too much or not enough work for the purpose you use it for. On the other hand, mysql_real_escape_string knows what to do to prepare a string for embedding it in a query. – devpro Dec 31 '15 at 07:33
- @devpro Yuck, you read the warning on the manual page for that function, right? `To escape database parameters, DBMS specific escape function (e.g. mysqli_real_escape_string() for MySQL`... http://php.net/manual/en/function.addslashes.php – chris85 Dec 31 '15 at 07:35
- @chris85: :) lol, yes you are 100% right... he doesn't want to use it.... don't know why. – devpro Dec 31 '15 at 07:38
1 Answer
Since I'm seeing so many low-quality comments here, here is a rough untested answer.

```php
// Prepared statement: the SQL text carries a placeholder and the value is sent
// separately, so the apostrophe in "thats'one" needs no escaping at all.
// `table` and `Column` are placeholder names; both are reserved words in MySQL,
// so they are backquoted here.
$query = "INSERT INTO `table` (`Column`) VALUES (?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("s", $val1);   // "s": bind $val1 as a string (bound by reference)
$val1 = "thats'one";             // assigned after binding; the reference picks it up
$stmt->execute();
```

This presumes `$mysqli` is your connection object.
Additional links on the topic:
http://php.net/manual/en/mysqli-stmt.execute.php
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29
http://php.net/manual/en/security.database.sql-injection.php
How can I prevent SQL injection in PHP?
- That's enough of an answer to explain how to insert `thats'one` without using `mysqli_real_escape_string`. – Saty Dec 31 '15 at 08:00
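Added example, not code from the question or the answer above: a complete mysqli script that inserts the string from the question (plus two other quote-bearing strings) through a prepared statement, then reads each row back and checks it came through unchanged. The host, credentials, database name and the `demo` table are assumptions; the table definition is in the leading comment.

```php
<?php
// Added example (not the answer's own code). Assumes a MySQL/MariaDB server
// reachable with the placeholder credentials below and this table:
//   CREATE TABLE demo (id INT AUTO_INCREMENT PRIMARY KEY, `Column` VARCHAR(255));
// COLUMN is a reserved word, so it is backquoted in every query.
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false, so a failed
// prepare() or execute() cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('127.0.0.1', 'demo_user', 'demo_password', 'demo_db'); // placeholders
$mysqli->set_charset('utf8mb4');

/**
 * Insert a string with a prepared statement and return the new row id.
 * The value travels to the server separately from the SQL text, so any
 * quote or backslash in it is data, never syntax. Compare the broken
 * concatenated form "INSERT ... VALUES ('$value')", which the apostrophe
 * in "thats'one" would turn into a syntax error.
 */
function insertValue(mysqli $db, string $value): int
{
    $stmt = $db->prepare('INSERT INTO demo (`Column`) VALUES (?)');
    $stmt->bind_param('s', $value);   // "s" = bind as string
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

/** Read a row back, again binding the id rather than interpolating it. */
function fetchValue(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT `Column` FROM demo WHERE id = ?');
    $stmt->bind_param('i', $id);      // "i" = bind as integer
    $stmt->execute();
    $stmt->bind_result($value);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $value : null;
}

// Constructed sample inputs: the string from the question and two others
// that would also trip up naive quoting or addslashes().
$inputs = [
    "thats'one",
    'O\'Reilly "quoted"',
    "back\\slash",
];

foreach ($inputs as $in) {
    $id  = insertValue($mysqli, $in);
    $out = fetchValue($mysqli, $id);
    // The stored value equals the input byte for byte: nothing was escaped on
    // the way in, so nothing has to be unescaped on the way out.
    if ($out !== $in) {
        throw new RuntimeException("round trip changed the value for row $id");
    }
    printf("row %d: %s\n", $id, $out);
}

$mysqli->close();
```

PDO gives the same separation of SQL text from data through `prepare()` with `bindValue()` or an array passed to `execute()`, which is the only point the PDO-versus-mysqli exchange in the comments really turns on: the driver is a matter of taste, never concatenating input into the query string is not.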