Good Morning,

I have an issue with an SQL INSERT command from PHP. I'm trying the following code:

$TeamMatchTable = "INSERT INTO Team Match Table 
                  (LineupForward) VALUES ('$HomeLineupForward')";

However, the content of the $HomeLineupForward variable is: Alexandre D'Acol

This is resulting in an error because of the '.

What can I do to solve this problem?

RiggsFolly
  • You should not quote your column name and you should definitely use a prepared statement. – jeroen Jan 27 '16 at 09:08
  • Is the table really called `Team Match Table` with spaces? Also, `LineupForward` should not be surrounded by single quotes but backticks. – Joachim Isaksson Jan 27 '16 at 09:08
  • You can have a look at http://php.net/manual/en/function.addslashes.php and http://stackoverflow.com/questions/6269188/how-to-escape-only-single-quotes for characters that need to be escaped. – Anil Jan 27 '16 at 09:16
  • How are you connecting to the database? `PDO` or `mysqli_` or `mysql_*` – RiggsFolly Jan 27 '16 at 09:22
  • Since you're basically SQL injecting yourself, I marked this as a duplicate. – Joachim Isaksson Jan 27 '16 at 09:23

1 Answer

You can try this.

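// Escape the value for use inside a quoted SQL string (needs an open mysql_* connection).
$HomeLineupForward = mysql_real_escape_string($HomeLineupForward);

// Identifiers take backticks, not single quotes.
$TeamMatchTable = "INSERT INTO `Team Match Table` (`LineupForward`) VALUES ('$HomeLineupForward')";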
Tariq Husain
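
The prepared statement suggested in the comments, as an added example that is not part of the original question or answer. The table name, column name and value are taken from the question; the in-memory SQLite database is an assumption made so the script runs without a server (for MySQL only the DSN passed to `new PDO` changes).

```php
<?php
// Added example: table/column names come from the question; the in-memory
// SQLite database is an assumption so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `Team Match Table` (`LineupForward` TEXT)');

$HomeLineupForward = "Alexandre D'Acol";

// 1) String interpolation, as in the question: the apostrophe closes the
//    SQL literal early and the rest of the name is parsed as SQL.
try {
    $pdo->exec("INSERT INTO `Team Match Table` (`LineupForward`)
                VALUES ('$HomeLineupForward')");
    echo "interpolated: inserted\n";
} catch (PDOException $e) {
    echo "interpolated: rejected (", $e->getMessage(), ")\n";
}

// 2) Prepared statement: the SQL text is fixed and the value is sent
//    separately as a bound parameter, so no manual escaping is involved.
$stmt = $pdo->prepare(
    'INSERT INTO `Team Match Table` (`LineupForward`) VALUES (:forward)'
);
$stmt->execute([':forward' => $HomeLineupForward]);

// Read the row back and compare it with the original input.
$stored = $pdo->query('SELECT `LineupForward` FROM `Team Match Table`')
              ->fetchColumn();
var_dump($stored === $HomeLineupForward);
```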