
As the title says. If a user tries to upload a file with ' in the title it throws an error (it won't connect to the server). Should I replace that sign during upload, or something else? It's just a simple connection to the database:

    <?php
    // Query from the question: uses the deprecated mysql_* extension
    $b = "select * from doc";
    $rez1 = mysql_query($b) or die("<span>error</span>");
OunknownO
  • Never try to modify the client side data, you can't foresee all cases. Instead use proper escaping, so that you can work with that data without running into issues. This includes not using the totally outdated and deprecated `mysql_...()` functions but the current `mysqli` extension, learning about "prepared statements" and the advantages of "parameter binding". Also things like URL escaping come into play. – arkascha Oct 13 '16 at 09:04

1 Answer

I'd recommend using escaping methods instead of manipulating the input.

This is the safest way to prevent SQL injections. (And never tell the user the technical details of why something doesn't work, unless you want some of them to exploit these exceptions.)

Also, don't ever use the old and deprecated mysql* functions; learn PDO or mysqli instead. If you were using mysql, then switch to mysqli and use this: mysqli_real_escape_string()

Otherwise, you could use a regex that replaces ' with \' - preg_quote()

    <?php
    $string = "Something with 'quotes' ";
    // preg_quote() backslash-escapes regex metacharacters and the given delimiter (here ')
    $res = preg_quote($string, "'");
    echo $res;

will return:

Something with \'quotes\'

Which will cause no problem during the insertion.

pguetschow
  • The issue is that it's an old app that I'm maintaining for the moment until the new one is up and running. And one of the clients has issues with upload. That's why I need the older solution – OunknownO Oct 13 '16 at 09:16
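The approach arkascha's comment and the answer point to, as an added example that is not part of the original question or answer: with mysqli prepared statements a title such as O'Reilly.pdf is never parsed as SQL, so nothing has to be rewritten on upload, and the real error is logged instead of shown to the user. The connection credentials and the `doc` table's `title` column are assumptions.

```php
<?php
// Added example (not from the original question or answer): the
// "title with a quote" problem handled with mysqli prepared statements.
// Connection details and the `doc` table layout are assumptions.

declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Vulnerable form: the title is concatenated into the SQL text, so a
 * title such as O'Reilly.pdf ends the string literal early and breaks
 * the statement; any title the user controls can change what the query does.
 */
function insertDocUnsafe(mysqli $db, string $title): void
{
    $sql = "INSERT INTO doc (title) VALUES ('" . $title . "')";
    $db->query($sql); // syntax error for O'Reilly.pdf
}

/**
 * Safe form: SQL text and value are sent separately; the server never
 * interprets the title as SQL, so quotes need no client-side rewriting.
 */
function insertDocSafe(mysqli $db, string $title): int
{
    $stmt = $db->prepare("INSERT INTO doc (title) VALUES (?)");
    $stmt->bind_param("s", $title);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Log the failure server-side; the user only sees a generic message.
function reportFailure(Throwable $e): void
{
    error_log("upload failed: " . $e->getMessage());
    echo "<span>error</span>";
}

// Usage (assumed credentials) with the kind of filename that broke the old query.
$db = new mysqli("localhost", "app_user", "app_password", "app_db");
$db->set_charset("utf8mb4");
try {
    $id = insertDocSafe($db, "O'Reilly notes.pdf");
    echo "stored as id $id\n";
} catch (mysqli_sql_exception $e) {
    reportFailure($e);
}
```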