0

All is going well, but when I try to insert something like It's, Man's, Isn't it (like this), then there is a problem.

$Query = "INSERT INTO `9154804_data` (`Parent`, `Name`)
VALUES ($Section, $inputdata);";
$InsertData = $mysqli->query($Query);
if ($InsertData){
    $InsertID   =  $mysqli->insert_id;
    $Return['Success']  = "Successfully added.";
}else{
    $Return['Error']    = "Something went wrong!";
}
Feroz Ahmed
  • 931
  • 10
  • 16

4 Answers

1

You should escape special characters.

You can do that with mysqli_real_escape_string.

Then you have to wrap your variables in single quotes so that they will be recognized as strings.

Ozan Kurt
  • 3,731
  • 4
  • 18
  • 32
1

As you are already using mysqli, why not go a stage further and use prepared statements to alleviate the issue and help protect against SQL injection?

$mysqli = new mysqli( $dbhost, $dbuser, $dbpwd, $dbname );

// placeholders stand in for the values, so no quoting or escaping is needed
$sql='insert into `9154804_data` (`parent`, `name`) values (?, ?);';
$stmt=$mysqli->prepare( $sql );
$stmt->bind_param('ss', $Section, $inputdata ); // the method is bind_param (singular); variables are bound by reference
$res=$stmt->execute();

if( $res ){
    $InsertID   =  $stmt->insert_id;
    $Return['Success']  = "Successfully added.";
} else {
    $Return['Error']    = "Something went wrong!";
}

$stmt->close();
$mysqli->close();
Professor Abronsius
  • 33,063
  • 5
  • 32
  • 46
0

The mysqli_real_escape_string() function escapes special characters in a string for use in an SQL statement.

$Section = $mysqli->real_escape_string($Section);
$inputdata = $mysqli->real_escape_string($inputdata);
// escaped values must still sit inside single quotes; escaping alone leaves
// the apostrophe as \' in an unquoted position and the statement still fails
$Query = "INSERT INTO `9154804_data` (`Parent`, `Name`)
VALUES ('$Section', '$inputdata')";
$InsertData = $mysqli->query($Query);
if ($InsertData){
    $InsertID   =  $mysqli->insert_id;
    $Return['Success']  = "Successfully added.";
}else{
    $Return['Error']    = "Something went wrong!";
}

Refer to http://php.net/manual/en/mysqli.real-escape-string.php

http://www.w3schools.com/php/func_mysqli_real_escape_string.asp

Vigneswaran S
  • 2,039
  • 1
  • 20
  • 32
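The two answers above take different routes to the same goal, and the difference matters for the exact input in the question. The following is an added example, not code from the question or from any of the answers: it inserts the string "It's Man's Isn't it" three ways, so you can see why escaping without quoting still fails, why escaping plus quoting works (only if the connection charset is set so that real_escape_string knows what it is escaping), and why a prepared statement needs neither. The table and column names are taken from the question; the host, credentials, database name and the sample value of $Section are assumptions.

```php
<?php
// Added example (not from the question or any answer): three ways of getting
// an apostrophe into `9154804_data`. Host, credentials, database name and the
// value of $Section are assumptions; table and columns are from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

$mysqli = new mysqli('localhost', 'dbuser', 'dbpwd', 'dbname');
$mysqli->set_charset('utf8mb4'); // real_escape_string escapes according to the connection charset

$Section   = 12;                     // constructed sample parent id
$inputdata = "It's Man's Isn't it";  // the input from the question that breaks the query

// 1. Escaped but not quoted: the apostrophe becomes \' but the value is still
//    bare in the SQL text, so MySQL rejects the statement with a syntax error.
function insertEscapedUnquoted(mysqli $mysqli, $Section, string $inputdata): ?int
{
    $s = $mysqli->real_escape_string((string) $Section);
    $d = $mysqli->real_escape_string($inputdata);
    try {
        $mysqli->query("INSERT INTO `9154804_data` (`Parent`, `Name`) VALUES ($s, $d)");
        return $mysqli->insert_id;
    } catch (mysqli_sql_exception $e) {
        echo "escaped but unquoted failed: ", $e->getMessage(), PHP_EOL;
        return null;
    }
}

// 2. Escaped and quoted: works, as long as set_charset() has been called and
//    every interpolated value really does go through real_escape_string.
function insertEscapedQuoted(mysqli $mysqli, $Section, string $inputdata): int
{
    $s = $mysqli->real_escape_string((string) $Section);
    $d = $mysqli->real_escape_string($inputdata);
    $mysqli->query("INSERT INTO `9154804_data` (`Parent`, `Name`) VALUES ('$s', '$d')");
    return $mysqli->insert_id;
}

// 3. Prepared statement: the values are sent separately from the SQL text, so
//    no quoting or escaping is needed and an apostrophe cannot alter the query.
function insertPrepared(mysqli $mysqli, $Section, string $inputdata): int
{
    $stmt = $mysqli->prepare('INSERT INTO `9154804_data` (`Parent`, `Name`) VALUES (?, ?)');
    $stmt->bind_param('ss', $Section, $inputdata); // bind_param binds by reference, so pass variables
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

insertEscapedUnquoted($mysqli, $Section, $inputdata); // prints the syntax error, inserts nothing
echo "escaped and quoted insert_id: ", insertEscapedQuoted($mysqli, $Section, $inputdata), PHP_EOL;
echo "prepared statement insert_id: ", insertPrepared($mysqli, $Section, $inputdata), PHP_EOL;

$mysqli->close();
```

The first variant is exactly what happens if you take the real_escape_string advice without also adding the quotes: the escaping is correct, but the SQL text is still `VALUES (12, It\'s Man\'s Isn\'t it)`. The third variant is the one to keep; it removes the need to remember quotes and escaping on every query, which is where injection bugs come from.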
-1

You are inserting string values, so you have to quote the variables as strings and remove the ; from the end of your query.

// values are quoted but not escaped: an apostrophe inside $inputdata still
// terminates the string early, so the query from the question still fails
$Query = "INSERT INTO `9154804_data` (`Parent`, `Name`)
VALUES ('$Section', '$inputdata')";
$InsertData = $mysqli->query($Query);
if ($InsertData){
    $InsertID   =  $mysqli->insert_id;
    $Return['Success']  = "Successfully added.";
}else{
    $Return['Error']    = "Something went wrong!";
}
Osama Jetawe
  • 2,697
  • 6
  • 24
  • 40