0

I have read a number of articles on str_replace() on here and other resources, and not found the answer to my problem.

Here’s the string I have a problem with, which is stored in $title ...

Paul McCartney's Theme From The Film "The Honorary Consul”

Here’s the code I’m using ...

str_replace(‘“‘,’ ‘,$title);

For some reason, the code above is completely ignoring this string, and a number of similar ones.

I think it may be because of the apostrophe, as the above code works fine for strings which don’t have apostrophes as part of the text.

I need to keep the apostrophe in the title, but I’m not so worried about the “

However, if someone can suggest a way to keep both, in the same string, and add the whole string in a MySQL INSERT command string, that would be the best result for me.

  • 1
    USE PREPARED PDO STATEMENTS!!!! You don't need to worry about this with prepared statements. If you are not using them - you should start immediately as you probably are open to SQL injection. – tftd Jun 30 '18 at 22:50
  • @tftd can you post an example? – Rich Starkie Jun 30 '18 at 22:51
  • 1
    @RichStarkie http://php.net/manual/en/pdo.prepared-statements.php – Hyyan Abo Fakher Jun 30 '18 at 22:54
  • 1
    Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – user3783243 Jul 01 '18 at 02:23
  • The guys above have already posted more than enough. And because you might get confused at some point about whether you should use PDO `exec` or `execute`, this is an extra bonus: https://stackoverflow.com/questions/26849105/pdoexec-or-pdoexecute. :D – tftd Jul 01 '18 at 08:47

2 Answers

0

You can use PDO::quote

There are good examples on php.net; just look in the manual.

Los Vitaly
0

Try it this way:

$title = 'Paul McCartney\'s Theme From The Film "The Honorary Consul”';
// str_replace() returns the new string, so assign the result
$title = str_replace('”',' ', $title);

Anyway, I would recommend that you use Prepared Statements to insert your data.

Follow this example: https://www.w3schools.com/php/php_mysql_prepared_statements.asp

Reza Saadati
  • I would escape the `’` if I could, but the `$title` variable comes from an API (from a highly trusted and well respected source) – Rich Starkie Jun 30 '18 at 23:04
  • @RichStarkie what does var_dump($title) return? Probably it is already escaped. – Reza Saadati Jun 30 '18 at 23:09
  • @RichStarkie ok, you don't need to escape it. Just use the second line of my code. You have been using the character `‘`, which is wrong. It should be `'`. – Reza Saadati Jun 30 '18 at 23:15
  • That's the command I'm already using, but it's not working :( It appears the SO app doesn't translate `'` properly :( – Rich Starkie Jun 30 '18 at 23:17
  • @RichStarkie what does `var_dump(str_replace('”',' ', $title));` return? – Reza Saadati Jun 30 '18 at 23:19
  • Will have to run the whole script, which will take an hour or so (this record is about a quarter of the way through the data set). The MySQL statement, though, is `INSERT INTO tablename ( trackId, releaseID, trackTitle, artistId, trackPosition) VALUES ('3820941 - 0002', '3820941', 'Paul McCartney's Theme From The Film "The Honorary Consul"', '273394', 'A2' )` – Rich Starkie Jun 30 '18 at 23:23
  • `string(58) "Paul McCartney's Theme From The Film "The Honorary Consul"" ` is the response @reza – Rich Starkie Jun 30 '18 at 23:39
  • 1
    @RichStarkie So you don't have `”` you have a `"`. But anyways don't fix that, this isn't the answer. Do it the right way, parameterize your query. – user3783243 Jul 01 '18 at 02:24
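
The parameterized insert that the comments and the second answer recommend, as an added example that is not part of the original thread. The table and column names come from the INSERT statement quoted above; the in-memory SQLite database (used so the script runs offline), the commented-out MySQL DSN and the second sample row are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread.
// Assumption: in-memory SQLite so this runs without a server. For MySQL, swap the DSN
// (hypothetical values): new PDO('mysql:host=localhost;dbname=music;charset=utf8mb4', $user, $pass)
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL, also let the server do the binding instead of client-side emulation:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE tablename (
    trackId TEXT PRIMARY KEY, releaseID TEXT, trackTitle TEXT,
    artistId TEXT, trackPosition TEXT)');

// Row 1 is the record from the question. Row 2 is constructed: it mixes an
// apostrophe, straight and curly quotes, a backslash and SQL comment markers.
$rows = [
    ['3820941 - 0002', '3820941',
     'Paul McCartney\'s Theme From The Film "The Honorary Consul"', '273394', 'A2'],
    ['0000000 - 0001', '0000000',
     'It\'s a "Test” Title \\ -- ; #', '0', 'A1'],
];

// The SQL text contains only placeholders. Titles travel as bound data,
// so no str_replace() or manual escaping is applied to them.
$insert = $pdo->prepare(
    'INSERT INTO tablename (trackId, releaseID, trackTitle, artistId, trackPosition)
     VALUES (:trackId, :releaseID, :trackTitle, :artistId, :trackPosition)'
);

foreach ($rows as [$trackId, $releaseID, $trackTitle, $artistId, $trackPosition]) {
    $insert->execute([
        ':trackId'       => $trackId,
        ':releaseID'     => $releaseID,
        ':trackTitle'    => $trackTitle,
        ':artistId'      => $artistId,
        ':trackPosition' => $trackPosition,
    ]);
}

// Read each row back and confirm the stored title is byte-for-byte the input.
$select = $pdo->prepare('SELECT trackTitle FROM tablename WHERE trackId = :trackId');
foreach ($rows as $row) {
    $select->execute([':trackId' => $row[0]]);
    $stored = $select->fetchColumn();
    if ($stored !== $row[2]) {
        throw new RuntimeException("Title changed in storage for {$row[0]}");
    }
    echo $row[0], ' => ', $stored, PHP_EOL;
}
```

Preparing the statement once outside the loop also suits the hour-long import described in the comments, since only the bound values change per record.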