Passing special characters (') in DB query

Question

So i have a data base and in the app while the user searches for something with the ' character, like "wendy's house", i send a query with the WHERE as "wendy's house" and here is where it crushes.

I would like to know please what should i do with the string in order that ill be able to send it in the query and the result the user gets will stay unharmed.

Thanks in advance.

In the string you write 2 x quotes consecutively so instead of `'` you will write `''` - the result will be `'` — s3n0, May 22 '18 at 13:01
While escaping apostrophes may work, I think you want to look into prepared SQL statements. This just screams SQL injection to me. — nbokmans, May 22 '18 at 13:05
Thanks guys for your comments, problem solved. @nbokmans ill look into it thanks. — Itay Feldman, May 22 '18 at 13:12

score 1 · Accepted Answer · answered May 22 '18 at 12:57

1

Here you have an answer how to escape the apostrophe in your SQL:

INSERT INTO Person
    (First, Last)
VALUES
    ('Joe', 'O''Brien')
              /\
          right here

Or

SELECT First, Last FROM Person WHERE Last = 'O''Brien'

https://stackoverflow.com/a/1912100/2065587

answered May 22 '18 at 12:57

mmBs

8,421
6
38
46

1

Thank you very much for your answer! – Itay Feldman May 22 '18 at 13:11

Passing special characters (') in DB query

1 Answers1