
I need to use a select query, but my code keeps crashing because some of the names have apostrophes in them. I pull all the data into a table, and halfway through it just stops because it hits an apostrophe.

My select Query:

// As posted: $get_id is interpolated straight into the SQL text, so any quote in it breaks (or rewrites) the query.
$query = mysqli_query($dbh, "select * FROM show_invoice where id_show='$get_id' and status='UNPAID' and scratch = 'Unscratched' and show_deleted != 'Deleted' ORDER BY class_no ASC");

There are 3 columns that will possibly contain apostrophes. Any advice on how I can stop it from crashing?

  • `$text = 'it\'s'` This way – M A SIDDIQUI Jan 10 '17 at 13:05
  • Use PHP's addslashes – Rahul Jan 10 '17 at 13:05
  • You are open to [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php) and should really use [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of concatenating your queries. This would also solve the issue you're having – M. Eriksson Jan 10 '17 at 13:05
  • Read about SQL Injection please. – Pipe Jan 10 '17 at 13:05
  • Using `addslashes()` is _**NOT even CLOSE**_ to enough to escape input data. Using Prepared Statements is. – M. Eriksson Jan 10 '17 at 13:06
  • But you see, the asker has been satisfied with my answer. – Rahul Jan 11 '17 at 05:55
  • @VforVendetta - Just because the OP likes it, it doesn't make it safe from SQL injection attacks. I'm not talking about whether it will work for him right now. I'm talking about security. `addslashes()` isn't a secure way to escape input data. – M. Eriksson Jan 11 '17 at 05:59
  • But the asker wants an answer; he hasn't mentioned anything regarding security threats. If on the point, that is what I am trying to say – Rahul Jan 11 '17 at 06:01
  • @VforVendetta - Are you serious? You think it's a good idea to recommend insecure ways to do things because the OP, who probably has less experience, didn't specifically ask to prevent a type of attack he might not even know exists? There's _never_ an excuse to _knowingly_ write (or recommend writing) insecure code. – M. Eriksson Jan 11 '17 at 06:05
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/132871/discussion-between-v-for-vendetta-and-magnus-eriksson). – Rahul Jan 11 '17 at 06:11

1 Answer

You can use `mysqli_real_escape_string()`.

So just do

$get_id = mysqli_real_escape_string($dbh, $get_id);

before running your query.

Note: You should really use prepared statements instead of building your own queries, because of the risk of SQL injection attacks.

marc_s
Yannick Huber
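Added example (not code from the question or the answer above): the asker's SELECT, plus a matching INSERT, rewritten with mysqli prepared statements, which is what the comments and the answer's note recommend. With a placeholder the value is sent to the server separately from the SQL text, so an apostrophe in `$get_id` or in a name can neither break the query nor change its structure, and no per-value escaping is needed. The `show_invoice` table and the `id_show`, `status`, `scratch`, `show_deleted` and `class_no` columns come from the question; the `name` column, the `show_deleted = 'Active'` value, the connection details, the function names and the sample rows are assumptions made for the example.

```php
<?php
// Added example, not the question's or answer's code. Table and the columns
// used in the WHERE/ORDER BY clauses are from the question; the `name`
// column, the 'Active' value, credentials and sample data are assumptions.
declare(strict_types=1);

// Throw on SQL errors instead of returning false and "just stopping".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function fetch_unpaid_invoices(mysqli $dbh, string $showId): array
{
    // `?` is a placeholder: $showId is bound as data, never spliced into the
    // SQL string, so "O'Brien" or "' OR 1=1 -- " is just a value to compare.
    $sql = "SELECT * FROM show_invoice
             WHERE id_show = ? AND status = 'UNPAID'
               AND scratch = 'Unscratched' AND show_deleted != 'Deleted'
             ORDER BY class_no ASC";            // column name, not a quoted literal
    $stmt = $dbh->prepare($sql);
    $stmt->bind_param('s', $showId);           // 's' = bind as string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

function insert_invoice(mysqli $dbh, string $showId, string $name, int $classNo): int
{
    // Same rule for writes: the name is stored exactly as given, apostrophes included.
    $stmt = $dbh->prepare(
        "INSERT INTO show_invoice (id_show, name, status, scratch, show_deleted, class_no)
         VALUES (?, ?, 'UNPAID', 'Unscratched', 'Active', ?)"
    );
    $stmt->bind_param('ssi', $showId, $name, $classNo);
    $stmt->execute();
    $id = (int) $dbh->insert_id;
    $stmt->close();
    return $id;
}

// Usage with assumed credentials and constructed sample rows.
$dbh = new mysqli('localhost', 'user', 'password', 'shows');
// Set the connection charset explicitly; mysqli_real_escape_string() also
// relies on this being correct, prepared statements do not.
$dbh->set_charset('utf8mb4');

insert_invoice($dbh, 'SHOW-42', "Conor O'Brien", 3);
insert_invoice($dbh, 'SHOW-42', "D'Angelo", 1);

// $get_id comes from the request, as in the question; no escaping step needed.
foreach (fetch_unpaid_invoices($dbh, $_GET['id'] ?? '') as $row) {
    // Escape for the output context (HTML), which is a separate concern from SQL.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

`get_result()` needs the mysqlnd driver, which is the default in current PHP builds; on older builds without it, use `bind_result()`/`fetch()` instead. Placeholders can only stand in for values, not for table or column names, so the `ORDER BY class_no` column stays in the SQL text as a fixed identifier.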