Insert Query Bug

Question

I'm trying to insert a string into the database , but when it contains single quote('), the query becomes invalid.

$set_content=$_POST['content']; 

$result = pg_query($db,"INSERT INTO programmes(title,picture,content) VALUES('$set_title','$pic_path','$set_content');");

Instead of making yourself vulnerable to SQL Injection, use prepared statements and you won't have this problem: http://php.net/manual/en/function.pg-prepare.php — Jeremy Harris, May 25 '17 at 13:10
you can't use PHP variable inside single quote. try with below query $set_content=$_POST['content']; $result = pg_query($db,"INSERT INTO programmes(title,picture,content) VALUES('".$set_title."','".$pic_path."','".$set_content."');"); — Gyaneshwar Pardhi, May 25 '17 at 13:14

score -1 · Accepted Answer · answered May 25 '17 at 13:11

-1

http://php.net/manual/en/function.pg-query.php

Warning

String interpolation of user-supplied data is extremely dangerous and is likely to lead to SQL injection vulnerabilities. In most cases pg_query_params() should be preferred, passing user-supplied values as parameters rather than substituting them into the query string.

$result = pg_query_params($db,"INSERT INTO programmes(title,picture,content) VALUES($1,$2,$3);",Array($set_title,$pic_path,$set_content));

answered May 25 '17 at 13:11

Vao Tsun

47,234
13
100
132

Thanks a lot!! It worked out. the query is passing perfectly now. – Rasik Mohammed May 25 '17 at 13:38
1

We shouldn't be answering such blatant duplicates. – Matteo Tassinari May 25 '17 at 13:48

Insert Query Bug

1 Answers1