```php
$insert = mysql_query("INSERT INTO tblmovie VALUES(' ', '$title', '$genre', '$duration', '$year', '$artists', '$director', '$description', '$name')");
```

This is my SQL statement. The only thing wrong is that $title doesn't accept "Assassin's Creed" because it contains an apostrophe ('), resulting in an SQL syntax error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Creed', 'Action', '2:20:21', '2016', 'Michael Fassbender', 'Justin Kurzel', 'C' at line 1

How do I fix this?

Brentoy
  • [**Please, don't use `mysql_*` functions in new code**](http://stackoverflow.com/q/12859942). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**red box**](http://php.net/mysql-connect)? Learn about [*prepared statements*](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://php.net/manual/en/mysqlinfo.api.choosing.php) can help you decide which. – Qirel Jul 19 '17 at 19:00
    To continue building your statement with variables directly concatenated like that you will have to escape your single quote by sticking an extra single quote in front of it. However.... don't do that. Instead you should parameterize your sql statement using the mysqli_ or PDO functions. Doing this will protect you from SQL Injection attacks and fix the unescaped single quote issue you are experiencing with this code. Switch over to use `mysqli_` functions or PDO as `mysql_` functions are dangerous and deprecated. – JNevill Jul 19 '17 at 19:17
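The prepared-statement fix the comments recommend, written out as an added example; this is not code from the original question or from the commenters. It uses MySQLi (PDO works the same way, with `?` placeholders and `execute()`), and it assumes a `tblmovie` table whose first column is an AUTO_INCREMENT id (the original statement passes `' '` for it; the example passes NULL) followed by the eight text columns in the question's column order. The connection credentials and the column names are placeholders, and the sample description and file name are constructed; the other sample values are the ones visible in the question's error message.

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code. Assumes a tblmovie table with an
// AUTO_INCREMENT id as its first column, then eight text columns in the order used
// in the question. Credentials and column names are placeholders.

$movie = [
    'title'       => "Assassin's Creed",          // the value that broke the original query
    'genre'       => 'Action',
    'duration'    => '2:20:21',
    'year'        => '2016',
    'artists'     => 'Michael Fassbender',
    'director'    => 'Justin Kurzel',
    'description' => "Cal Lynch relives an ancestor's memories.",  // constructed sample text
    'name'        => 'assassins_creed.jpg',        // constructed sample value
];

// The original approach: values interpolated straight into the SQL text. The apostrophe
// in "Assassin's Creed" terminates the string literal, which is exactly the syntax error
// in the question. A deliberately crafted value would do the same and then append SQL
// of the attacker's choosing, which is what SQL injection is.
function insertMovieUnsafe(mysqli $db, array $m): bool
{
    $sql = "INSERT INTO tblmovie VALUES(NULL, '{$m['title']}', '{$m['genre']}', "
         . "'{$m['duration']}', '{$m['year']}', '{$m['artists']}', '{$m['director']}', "
         . "'{$m['description']}', '{$m['name']}')";
    return (bool) $db->query($sql);
}

// The fix: a prepared statement. The SQL text sent to the server contains only
// placeholders; the values are bound separately and are never parsed as SQL, so quotes
// (or anything else) inside them cannot change the statement's meaning. This removes
// both the syntax error and the injection risk, without any hand-written escaping.
function insertMovieSafe(mysqli $db, array $m): int
{
    $stmt = $db->prepare(
        'INSERT INTO tblmovie VALUES(NULL, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    // 'ssssssss': eight string parameters, one per placeholder, in column order.
    $stmt->bind_param(
        'ssssssss',
        $m['title'], $m['genre'], $m['duration'], $m['year'],
        $m['artists'], $m['director'], $m['description'], $m['name']
    );
    $stmt->execute();
    $id = (int) $stmt->insert_id;   // AUTO_INCREMENT id generated for the new row
    $stmt->close();
    return $id;
}

// Make mysqli throw mysqli_sql_exception on errors instead of silently returning false,
// so a failed query cannot be mistaken for a successful one.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'moviedb');   // placeholder credentials
$db->set_charset('utf8mb4');

try {
    insertMovieUnsafe($db, $movie);
} catch (mysqli_sql_exception $e) {
    // Reproduces the "You have an error in your SQL syntax ... near 's Creed'" failure.
    echo "Concatenated query failed: {$e->getMessage()}\n";
}

$newId = insertMovieSafe($db, $movie);
echo "Inserted movie id {$newId}\n";
```

The `insertMovieUnsafe` function is kept only to show the failure side by side with the fix; it should not remain in real code. The check that matters is that the string passed to `prepare()` contains no user data at all, only `?` placeholders.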

0 Answers