
I am trying to implement a search, but it shows an error when I use single quotes like (manu's, ramu's).

When I change my term part like %".$term."% and use back quotes it shows the same error.

Query :

 $this->db->select('*');    
 $this->db->from('tbl_doctor');  
 $this->db->join("tbl_specialisation", "tbl_specialisation.spec_id = tbl_doctor.spec_id",'left');
 $this->db->where("(tbl_doctor.dr_name LIKE `%".$term."%` OR tbl_doctor.district LIKE `%".$term."%` OR tbl_specialisation.spec_specialise LIKE `%".$term."%`OR tbl_doctor.place LIKE `%".$term."%` )");
 $this->db->limit($limit, $offset);

and my error: [error screenshot]

Touheed Khan
Shambu

4 Answers


You need to escape the string before including it inside the query string. Use $this->db->escape_like_str() to escape the string.

As you asked "why?", here is the explanation.

Explanation: When you are trying to add anu's in your search query, its single quote (') is getting treated as the end of the string. escape_like_str() will automatically add a slash (\) before any quote to prevent the string from unintended termination. That's why you need to escape the string before adding it inside your query.

$this->db->select('*');
$this->db->from('tbl_doctor');
$this->db->join("tbl_specialisation", "tbl_specialisation.spec_id = tbl_doctor.spec_id", 'left');
// every occurrence of the user-supplied term is escaped before it is concatenated into the LIKE pattern
$this->db->where("(tbl_doctor.dr_name LIKE '%".$this->db->escape_like_str($term)."%' OR tbl_doctor.district LIKE '%".$this->db->escape_like_str($term)."%' OR tbl_specialisation.spec_specialise LIKE '%".$this->db->escape_like_str($term)."%' OR tbl_doctor.place LIKE '%".$this->db->escape_like_str($term)."%' )");
$this->db->limit($limit, $offset);
Touheed Khan
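The same search written two ways, as an added example that is not code from the original post or from CodeIgniter itself. It assumes CodeIgniter 3 and the tbl_doctor / tbl_specialisation tables from the question, with $term being untrusted user input; the model class and method names are made up for the illustration.

```php
<?php
// Added example, not code from the original post. Assumes CodeIgniter 3 and the
// tbl_doctor / tbl_specialisation tables from the question; $term is untrusted input.
class Doctor_model extends CI_Model
{
    // Form 1: escape the term, then concatenate it inside single quotes (never backticks,
    // which make MySQL treat %manu's% as a column name). In CI3, escape_like_str() turns
    // "manu's" into "manu\'s" and a literal % or _ into !% / !_, so the ESCAPE '!'
    // clause is needed for those characters to be matched literally.
    public function search_escaped($term, $limit, $offset)
    {
        $t = $this->db->escape_like_str($term);
        $this->db->select('*')
            ->from('tbl_doctor')
            ->join('tbl_specialisation', 'tbl_specialisation.spec_id = tbl_doctor.spec_id', 'left')
            // third argument FALSE: do not let the builder rewrite this hand-built string
            ->where("(tbl_doctor.dr_name LIKE '%{$t}%' ESCAPE '!'"
                  . " OR tbl_doctor.district LIKE '%{$t}%' ESCAPE '!'"
                  . " OR tbl_specialisation.spec_specialise LIKE '%{$t}%' ESCAPE '!'"
                  . " OR tbl_doctor.place LIKE '%{$t}%' ESCAPE '!')", NULL, FALSE)
            ->limit($limit, $offset);
        return $this->db->get()->result();
    }

    // Form 2: let the query builder quote, escape and group the conditions itself;
    // like()/or_like() call escape_like_str() and append the ESCAPE clause for you.
    public function search_builder($term, $limit, $offset)
    {
        $this->db->select('*')
            ->from('tbl_doctor')
            ->join('tbl_specialisation', 'tbl_specialisation.spec_id = tbl_doctor.spec_id', 'left')
            ->group_start()
                ->like('tbl_doctor.dr_name', $term)
                ->or_like('tbl_doctor.district', $term)
                ->or_like('tbl_specialisation.spec_specialise', $term)
                ->or_like('tbl_doctor.place', $term)
            ->group_end()
            ->limit($limit, $offset);
        return $this->db->get()->result();
    }
}
```

With either form a term such as manu's is searched as data rather than ending the string literal, and the second form also keeps the OR conditions grouped so the LIMIT applies to the whole search.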

You need to escape the string to search. Try the code below with the CodeIgniter function

$this->db->escape_like_str($term)

The new code is:

$this->db->select('*');
$this->db->from('tbl_doctor');
$this->db->join("tbl_specialisation", "tbl_specialisation.spec_id = tbl_doctor.spec_id", 'left');
// LIKE patterns are string literals, so they go in single quotes; the escaped term is safe to concatenate
$this->db->where("(tbl_doctor.dr_name LIKE '%".$this->db->escape_like_str($term)."%' OR tbl_doctor.district LIKE '%".$this->db->escape_like_str($term)."%' OR tbl_specialisation.spec_specialise LIKE '%".$this->db->escape_like_str($term)."%' OR tbl_doctor.place LIKE '%".$this->db->escape_like_str($term)."%' )");
$this->db->limit($limit, $offset);
BEingprabhU

You need to escape the string. Use $this->db->escape_like_str().

Try this code:

$this->db->escape_like_str($term);
Ravi Sachaniya

Wrap the $term variable with mysql_real_escape_string() in the query.

Like: mysql_real_escape_string($term)


Param Bhat