$type_of_poker = "hold'em no limit";
$sql = "INSERT INTO hands (type_of_poker) VALUES ('$type_of_poker')";

I'm trying to put hold'em no limit into a SQL database but it won't let me use '. I can't upload holdem no limit, for a long list of reasons that have to do with the rest of my code.

gus
  • I'm confused why this is marked as a duplicate for an SQL injection question. To me this clearly asking for a way to write `hold'em` without breaking his SQL statement... – Webeng Apr 24 '16 at 02:39
  • You urgently need to read up on [proper escaping methods](http://bobby-tables.com/php.html) and should use **prepared statements** if that's an option. – tadman Apr 24 '16 at 02:45
  • @tadman would `$type_of_poker = "hold''em no limit";` be the right solution? I read that this is the method to escape single quotes in SQL, and I haven't read on other methods, not sure if \' would work since that too might be considered text. – Webeng Apr 24 '16 at 02:54
  • 1
    @Webeng You shouldn't have to concern yourself with how to escape things. Trust the database driver to do it for you. In this case the solution is, as always, prepared statements. They mean you don't have to guess how to do it. – tadman Apr 24 '16 at 03:05
  • 1
    @tadman Wait so... if I prepare the statement and bind the parameter `$type_of_poker = "hold'em no limit"` then I won't even need to escape the apostrophe? – Webeng Apr 24 '16 at 03:09
  • see Phil's comment http://stackoverflow.com/questions/26247399/string-with-an-apostrophe-not-being-updated-in-mysqli#comment41173374_26247460 – Drew Apr 24 '16 at 03:15
  • @Webeng If you're using prepared statements you can put in anything you want without worrying and it will be saved correctly. That's why they're so important. It's not that you don't have to do it, but that you shouldn't, it might lead to double escaping later. – tadman Apr 24 '16 at 03:18
  • @tadman thanks for the info dude! Learned something useful today. My answer has been updated, gus – Webeng Apr 24 '16 at 03:31

1 Answer

Instead of trying to escape the apostrophe, it is much better practice to use prepared statements and bound parameters, which will also solve your problem: you then don't need to escape the apostrophe (') at all.

$type_of_poker = "hold'em no limit";

// $conn is an existing PDO connection; bind the value to a named placeholder
// instead of interpolating it into the SQL string
$sql = "INSERT INTO hands (type_of_poker) VALUES (:type_of_poker)";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':type_of_poker', $type_of_poker);
$stmt->execute();

Let me know if that worked for you! :)

Webeng
  • @Federico I have modified my answer. Would that be the proper way to escape the apostrophe or would you recommend a better method? – Webeng Apr 24 '16 at 02:56
  • @Federico Added prevention for SQL injection. Would my answer be appropriate now, or is anything missing in your opinion? I'm always open to learning when I get the chance – Webeng Apr 24 '16 at 03:01
  • That should work in PDO, which in my opinion is the best way to start here. – tadman Apr 24 '16 at 03:53
  • @tadman awesome, thanks for the input – Webeng Apr 24 '16 at 04:06
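The following is an added, self-contained PHP script (not code from the question or the answer above) that shows the three behaviours discussed in the thread side by side: the naive interpolation from the question failing on the apostrophe, the prepared statement from the answer storing quotes, backslashes and semicolons verbatim, and the "double escaping" problem tadman mentions when a value is escaped by hand and then bound anyway. It assumes the pdo_sqlite extension is available and uses an in-memory database; the table name `hands`, the column `type_of_poker` and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes pdo_sqlite; the table and sample values below are constructed.

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec("CREATE TABLE hands (id INTEGER PRIMARY KEY, type_of_poker TEXT NOT NULL)");

// Constructed inputs: an apostrophe, double quotes, a backslash and a semicolon.
$inputs = [
    "hold'em no limit",
    "omaha hi/lo \"8 or better\"",
    "seven-card stud; with \\ backslash",
];

// 1. Naive interpolation (the question's code). The apostrophe in the value
//    terminates the SQL string literal, so the statement does not parse.
try {
    $type_of_poker = $inputs[0];
    $conn->exec("INSERT INTO hands (type_of_poker) VALUES ('$type_of_poker')");
    echo "naive insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "naive insert failed as expected: " . $e->getMessage() . "\n";
}

// 2. Prepared statement with a named placeholder (the answer's approach).
//    The driver transmits the value separately from the SQL text, so the
//    apostrophe and the other special characters need no escaping at all.
$stmt = $conn->prepare("INSERT INTO hands (type_of_poker) VALUES (:type_of_poker)");
foreach ($inputs as $type_of_poker) {
    $stmt->bindValue(':type_of_poker', $type_of_poker, PDO::PARAM_STR);
    $stmt->execute();
}

// 3. The double-escaping pitfall: escaping by hand and then binding stores
//    the escape character as part of the data.
$stmt->bindValue(':type_of_poker', addslashes("hold'em no limit"), PDO::PARAM_STR);
$stmt->execute();

// Read everything back and compare stored values with the intended ones.
$rows = $conn->query("SELECT type_of_poker FROM hands ORDER BY id")
             ->fetchAll(PDO::FETCH_COLUMN);
foreach ($inputs as $i => $expected) {
    $status = ($rows[$i] === $expected) ? 'ok      ' : 'MISMATCH';
    echo "$status stored=" . var_export($rows[$i], true) . "\n";
}
echo "double-escaped row stored as " . var_export(end($rows), true) . "\n";
```

Run it with `php` on the command line. The first three stored rows match the inputs exactly, which is the point of the answer: the binding layer, not the application, is responsible for getting the value into the database intact. The last row shows why tadman says you should not escape and bind: the backslash added by `addslashes` ends up in the data.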