0

Im here to ask a solution about my little problem. I want to insert data from API to SQL. But while inserting data there is an error 1064 which say there is error on SQL syntax.

i check it and i found it there is a data contains apostrophe like '34814361', 'YUNIASTI DEBORA LAURENS '/bp ',

Since i can't edit the data (because i grab it from API), so i cannot use double apostrophe

Here is my code

function grab_data(){
    ini_set('max_execution_time', 3000); //3000 seconds = 50 minutes
    $datenow = date("d/m/Y");

    //initiaize
    $ch = curl_init();
    //set the url
    $url = 'https://starclick.telkom.co.id/backend/public/api/tracking?_dc=1491402261173&ScNoss=true&SearchText=NTT&Field=ORG&Fieldstatus=&Fieldwitel=&StartDate=&EndDate='.$datenow.'&page=1&start=0&limit=10000';
    // Disable SSL verification
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    // Will return the response, if false it print the response
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Set the url
    curl_setopt($ch, CURLOPT_URL,$url);
    // Execute
    $result=curl_exec($ch);
    // Closing
    curl_close($ch);


    // Will dump a beauty json :3
    $data = json_decode($result, true);
    echo count($data['data']);

    for ($i = 0; $i < count($data['data']); $i++) {
        $var_order_id = $data['data'][$i]['ORDER_ID'];
        $var_order_date = $data['data'][$i]['ORDER_DATE'];
        $var_order_status = $data['data'][$i]['ORDER_STATUS'];
        $var_order_date_ps = $data['data'][$i]['ORDER_DATE_PS'];
        $var_extern_order_id = $data['data'][$i]['EXTERN_ORDER_ID'];
        $var_ncli = $data['data'][$i]['NCLI'];
        $var_customer_name = $data['data'][$i]['CUSTOMER_NAME'];
        $var_ins_address = $data['data'][$i]['INS_ADDRESS'];
        $var_city_name = $data['data'][$i]['CITY_NAME'];
        $var_speedy = $data['data'][$i]['SPEEDY'];
        $var_pots = $data['data'][$i]['POTS'];
        $var_witel = $data['data'][$i]['WITEL'];
        //$var_package_id = $data['data'][$i]['PACKAGE_ID'];
        $var_agent_id = $data['data'][$i]['AGENT_ID'];
        $var_gps_latitude = $data['data'][$i]['GPS_LATITUDE'];
        $var_gps_longitude = $data['data'][$i]['GPS_LONGITUDE'];
        $var_package_name = $data['data'][$i]['PACKAGE_NAME'];
        $var_customer_addr = $data['data'][$i]['CUSTOMER_ADDR'];
        $var_jenispsb = $data['data'][$i]['JENISPSB'];
        $var_source = $data['data'][$i]['SOURCE'];
        $var_extern_order_status = $data['data'][$i]['EXTERN_ORDER_STATUS'];
        $var_phone_no = $data['data'][$i]['PHONE_NO'];
        $var_loc_id = $data['data'][$i]['LOC_ID'];
        $var_xs2 = $data['data'][$i]['XS2'];
        $var_contact_hp = $data['data'][$i]['CONTACT_HP'];
        $var_contact_email = $data['data'][$i]['CONTACT_EMAIL'];
        $var_odp_id = $data['data'][$i]['ODP_ID'];
        $var_tn_number = $data['data'][$i]['TN_NUMBER'];
        $var_reserve_tn = $data['data'][$i]['RESERVE_TN'];
        $var_reserve_port = $data['data'][$i]['RESERVE_PORT'];
        $var_kodefikasi_sc = $data['data'][$i]['KODEFIKASI_SC'];
        $var_status_resume = $data['data'][$i]['STATUS_RESUME'];
        $var_status_code_sc = $data['data'][$i]['STATUS_CODE_SC'];
        $var_open_draft = $data['data'][$i]['OPEN_DRAFT'];
        $var_kcontact = $data['data'][$i]['KCONTACT'];
        $var_no_hp = $data['data'][$i]['NO_HP'];
        $var_email = $data['data'][$i]['EMAIL'];
        $var_username = $data['data'][$i]['USERNAME'];
        $var_rnum = $data['data'][$i]['RNUM'];

        //insert into mysql table
        $sql = "INSERT INTO `tabelscntt`(
                    `order_id`, 
                    `order_date`, 
                    `order_status`, 
                    `order_date_ps`, 
                    `extern_order_id`, 
                    `ncli`, 
                    `customer_name`, 
                    `ins_address`, 
                    `city_name`, 
                    `speedy`, 
                    `pots`, 
                    `witel`, 
                    /*`package_id`, */
                    `agent_id`, 
                    `gps_latitude`, 
                    `gps_longitude`, 
                    `package_name`, 
                    `customer_addr`, 
                    `jenispsb`, 
                    `source`, 
                    `extern_order_status`, 
                    `phone_no`, 
                    `loc_id`, 
                    `xs2`, 
                    `contact_hp`, 
                    `contact_email`, 
                    `odp_id`, 
                    `tn_number`, 
                    `reserve_tn`, 
                    `reserve_port`, 
                    `kodefikasi_sc`, 
                    `status_resume`, 
                    `status_code_sc`, 
                    `open_draft`, 
                    `kcontact`, 
                    `no_hp`, 
                    `email`, 
                    `username`, 
                    `rnum` 
                    )VALUES(
                    '".$var_order_id."', 
                    '".$var_order_date."', 
                    '".$var_order_status."', 
                    '".$var_order_date_ps."', 
                    '".$var_extern_order_id."', 
                    '".$var_ncli."', 
                    '".$var_customer_name."', 
                    '".$var_ins_address."', 
                    '".$var_city_name."', 
                    '".$var_speedy."', 
                    '".$var_pots."', 
                    '".$var_witel."', 
                    '".$var_agent_id."', 
                    '".$var_gps_latitude."', 
                    '".$var_gps_longitude."', 
                    '".$var_package_name."', 
                    '".$var_customer_addr."', 
                    '".$var_jenispsb."', 
                    '".$var_source."', 
                    '".$var_extern_order_status."', 
                    '".$var_phone_no."', 
                    '".$var_loc_id."', 
                    '".$var_xs2."', 
                    '".$var_contact_hp."', 
                    '".$var_contact_email."', 
                    '".$var_odp_id."', 
                    '".$var_tn_number."', 
                    '".$var_reserve_tn."', 
                    '".$var_reserve_port."', 
                    '".$var_kodefikasi_sc."', 
                    '".$var_status_resume."', 
                    '".$var_status_code_sc."', 
                    '".$var_open_draft."', 
                    '".$var_kcontact."', 
                    '".$var_no_hp."', 
                    '".$var_email."', 
                    '".$var_username."', 
                    '".$var_rnum."' 
                    )";

        $this->db->query($sql); 


    }
}

How can i solve this case? any idea? Thanks anyway

Fayyadh
  • 1
  • 1
  • You also are open to SQL injections. Both issues are fixed the same way. – chris85 Aug 15 '17 at 02:56
  • 1
    Read [How can I prevent SQL Injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Using prepared statements/placeholders will solve your apostrophe issues as well as sanitize your user data – Sean Aug 15 '17 at 02:57
  • in that case they know that value where contains aposthrophe in name column. But in my case i don't even know where's value that contains apostrophe. Maybe in name column, maybe in address column – Fayyadh Aug 15 '17 at 03:14
  • **Use prepated statements with placeholder values**. This is not something you want to debate about. The people who will crack open your site, steal your database, and trash your server do not care. You should. – tadman Aug 15 '17 at 03:48
  • **WARNING**: This has some severe [SQL injection bugs](http://bobby-tables.com/) because user data is used inside the query. Whenever possible use **prepared statements**. These are quite straightforward to do in [`mysqli`](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [PDO](http://php.net/manual/en/pdo.prepared-statements.php) where any user-supplied data is specified with a `?` or `:name` indicator that’s later populated using `bind_param` or `execute` depending on which one you’re using. **NEVER** put `$_POST`, `$_GET` or any user data directly in your query. – tadman Aug 15 '17 at 03:49
  • SOLVED just use string mysql_escape_string ( string $unescaped_string ) – Fayyadh Aug 15 '17 at 04:00
  • `mysql_escape_string` doesnt work with `mysqli` nor `pdo`. Parameterize. – chris85 Aug 15 '17 at 04:01

0 Answers0