
I've built a website where I can enter data into an SQL database using PHP. The problem is that when the user enters an apostrophe, the function crashes (SQL reasons). I think a workaround would be to sanitise the script or use magic quotes in my PHP function (which I've attached at the end). I'm new to PHP and totally lost as to whether this is the correct approach. If anyone can point me in the right direction I'd really appreciate it. Allan

PHP function:

    function insert_wisha($wisherID, $description, $duedate, $Location, $Time, $Price, $Details) {
        // Only $description is run through real_escape_string; $Location, $Time,
        // $Price and $Details are concatenated into the SQL text unescaped, so an
        // apostrophe in any of them breaks the statement (and any of them can be
        // used for SQL injection). $wisherID is inserted unquoted and unescaped.
        $description = $this->real_escape_string($description);
        if ($this->format_date_for_sql($duedate) == null) {
            $this->query("INSERT INTO wishes (wisher_id, description, Location, Time, Price, Details)" .
                " VALUES (" . $wisherID . ", '" . $description . "' ,'" . $Location . "', '" . $Time . "' , '" . $Price . "', '" . $Details . "')");
        } else {
            // Note that the formatted date is concatenated without surrounding quotes.
            $this->query("INSERT INTO wishes (wisher_id, description, due_date, Location, Time, Price, Details)" .
                " VALUES (" . $wisherID . ", '" . $description . "', "
                . $this->format_date_for_sql($duedate) . ", '" . $Location . "', '" . $Time . "', '" . $Price . "','" . $Details . "')");
        }
    }
Allan W MacLeod
  • You didn't add single quotes (`'`) around the date: `'" . $this->format_date_for_sql($duedate) . "'`. So add this. – Manish Sep 03 '16 at 13:56
  • I would advise you not to go ahead with your current code, it is prone to SQL injection. Use PDO instead. – user1149244 Sep 03 '16 at 14:03
  • Check this tutorial, https://phpdelusions.net/pdo – user1149244 Sep 03 '16 at 14:08
  • PDO seemed like a good idea but I managed to solve the problem by something else. In my code I have `$description = $this->real_escape_string($description)`. This solves it for description, so I changed it to (for the ones I wanted): `$Details = $this->real_escape_string($Details); $Location = $this->real_escape_string($Location);` I fixed it. Thanks for the input. – Allan W MacLeod Sep 04 '16 at 12:06

0 Answers
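The comments recommend PDO prepared statements rather than escaping each field by hand. The following is an added example, not code from the question or from the commenters, showing the same insert written with a PDO prepared statement. It uses an in-memory SQLite database so it runs offline, and the table definition, the `insert_wish` function name and the sample inputs are constructed here for the demonstration; the column names are taken from the question's INSERT statements. It also shows why the escaping approach in the accepted workaround is fragile: an apostrophe in a field that was not escaped still breaks the concatenated query, and the unquoted `$wisherID` cannot be protected by `real_escape_string` at all, whereas a placeholder handles every value the same way.

```php
<?php
// Added example, not the original poster's code. Demonstrates a PDO prepared
// statement for the wishes insert from the question, against an in-memory
// SQLite database (constructed here so the script runs offline).

function insert_wish(PDO $db, int $wisherId, string $description, ?string $dueDate,
                     string $location, string $time, string $price, string $details): int
{
    // Placeholders instead of concatenation: values travel separately from the
    // SQL text, so an apostrophe (or an injection payload) is just data. Passing
    // NULL for due_date replaces the two hand-built query branches in the question.
    $stmt = $db->prepare(
        'INSERT INTO wishes (wisher_id, description, due_date, Location, Time, Price, Details)
         VALUES (:wisher_id, :description, :due_date, :location, :time, :price, :details)'
    );
    $stmt->bindValue(':wisher_id', $wisherId, PDO::PARAM_INT);
    $stmt->bindValue(':description', $description);
    $stmt->bindValue(':due_date', $dueDate, $dueDate === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->bindValue(':location', $location);
    $stmt->bindValue(':time', $time);
    $stmt->bindValue(':price', $price);
    $stmt->bindValue(':details', $details);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// The pattern from the question, kept for comparison: raw string concatenation.
function insert_wish_unsafe(PDO $db, int $wisherId, string $description): void
{
    $db->exec("INSERT INTO wishes (wisher_id, description) VALUES ("
        . $wisherId . ", '" . $description . "')");
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With emulated prepares PDO would build the SQL client-side; turning them off
// keeps values out of the statement text (relevant for MySQL, ignored by SQLite).
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE wishes (
    id INTEGER PRIMARY KEY AUTOINCREMENT, wisher_id INTEGER NOT NULL, description TEXT,
    due_date TEXT, Location TEXT, Time TEXT, Price TEXT, Details TEXT)');

// Constructed inputs: a plain apostrophe and a classic injection payload.
$apostrophe = "O'Brien's birthday";
$payload    = "x'); DELETE FROM wishes; --";

// 1. The concatenated query fails on the apostrophe (the crash from the question).
try {
    insert_wish_unsafe($db, 1, $apostrophe);
} catch (PDOException $e) {
    echo "concatenated query failed on an apostrophe: " . $e->getMessage() . "\n";
}

// 2. The prepared statement stores both inputs verbatim.
$id1 = insert_wish($db, 1, $apostrophe, null, 'Glasgow', '19:00', '25', 'Card and cake');
$id2 = insert_wish($db, 2, $payload, '2016-09-10', $payload, $payload, $payload, $payload);

// 3. The same payload through the concatenated query closes the INSERT and runs
//    the DELETE, because pdo_sqlite's exec() executes every statement in the string.
insert_wish_unsafe($db, 3, $payload);

$rows = $db->query('SELECT id, wisher_id, description, due_date, Location FROM wishes ORDER BY id')
           ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    printf("%d | wisher %d | %s | due %s | %s\n",
        $row['id'], $row['wisher_id'], $row['description'], $row['due_date'] ?? 'NULL', $row['Location']);
}
// Rows $id1 and $id2 were inserted safely; the unsafe insert then wiped the table.
if (count($rows) !== 0) {
    throw new RuntimeException('expected the injected DELETE to have emptied the table');
}
echo "prepared inserts stored the apostrophe and the payload as data; the concatenated one deleted everything\n";
```

Run it with `php example.php` (requires the bundled `pdo_sqlite` extension). The lesson is the one in the comments: escaping individual fields only works when every field is escaped and quoted the same way, and it does nothing for an unquoted numeric field such as `wisher_id`; a prepared statement makes the distinction between SQL and data structural rather than something each call site has to get right.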