I have a text field for the users to enter their description about the products.The user may enter data's having apostrophes. So how could i insert that data to sql.
Asked
Active
Viewed 618 times
0
-
Yes of course you can put data in SQL – Wasiq Muhammad Jan 12 '16 at 04:50
-
how are you currently inserting data that generates the error? Post your PHP/SQL that you currently have. – Clay Jan 12 '16 at 04:55
-
you can use str_replace() to change ' to any custom #value at the you fetch them back again use replace function to make this normal ' :) – Gautam Jha Jan 12 '16 at 04:56
3 Answers
1
When user enter description about product you get that value by "id or "name" and store in a variable.for e.g
$productDescription = $_POST['product'];
$query="INSERT INTO XYZ VALUES($productDescription);
IN SQL COLUMN DataType must be varchar
Wasiq Muhammad
- 3,080
- 3
- 16
- 29
1
To allow apostrophes, you might have to use mysql_real_escape_string() or addslashes while inserting into the database. Read more about these functions on the internet. These functions cleanse data before putting it into the database. Read this
Community
- 1
- 1
user4804138
- 112
- 5
-1
A prepared statement will bind the values in a safe way to allow values with apostrophes to be inserted into your table. It is also the way to prevent SQL injection.
Here is an example of the easiest way to accomplish this using PHP's PDO library:
$dsn = 'mysql:dbname=testdb;host=127.0.0.1';
$user = 'dbuser';
$password = 'dbpass';
try {
$dbh = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
echo 'Connection failed: ' . $e->getMessage();
}
$prep = $dbh->prepare('INSERT INTO item(title, link) VALUES(?, ?)');
$prep->execute( array($title, $link) );
Read more here: http://php.net/manual/en/pdo.prepare.php
PDO::prepare — Prepares a statement for execution and returns a statement object
The SQL statement can contain zero or more named (:name) or question mark (?) parameter markers for which real values will be substituted when the statement is executed
