
I have a variable $categoryName which has value ABC/ABC (for example). I need to add quotes around this text "ABC/ABC". This is my PHP code:

    public function getCategoryID($categoryName)
    {
        // $categoryName is concatenated into the SQL without quotes, so MySQL
        // reads ABC/ABC as an expression instead of a string
        $row = Db::getInstance()->getRow('
        SELECT `id_category`
        FROM ' . _DB_PREFIX_ . 'category_lang c
        WHERE c.`name` = ' . $categoryName);

        // getRow() returns the matching row (or false); the selected column is id_category
        return $row ? (int) $row['id_category'] : null;
    }

And this is the error from MySQL:

    SELECT `id_category`
    FROM ps_category_lang c
    WHERE c.`name` = ABC/ABC LIMIT 1

How do I solve this problem? Thanks for the help.

Barmar
Przemysław Suszek
    If you mean quotes, then quote it. However, learn how to use prepared statements and you'll never have to worry about quoting your variables again. I'm not sure which mysql API you're using, so you'll have to check the docs for that. – aynber Jul 17 '18 at 20:10
  • Can you explain where you are stuck? You have not quoted anything, and this should be fairly easy – Nico Haase Jul 17 '18 at 21:35

1 Answer


Just put the quotes in the string.

    $row = Db::getInstance()->getRow('
    SELECT `id_category`
    FROM ' . _DB_PREFIX_ . 'category_lang c
    WHERE c.`name` = "' . $categoryName . '"');

As mentioned in the comments, it would be better if you used prepared statements to protect against SQL injection. If you can't do that, you should make sure to escape $categoryName properly.

See "How can I prevent SQL injection in PHP?"

Barmar
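As an added example, not from the question or from Barmar's answer: the same lookup written with a PDO prepared statement, which is what the comments and the answer recommend instead of quoting by hand. It assumes an in-memory SQLite table named ps_category_lang (constructed in the script) standing in for the PrestaShop MySQL table, and a hypothetical helper name getCategoryIdPrepared.

```php
<?php
// Added example: category lookup with a prepared statement.
// Assumption: an in-memory SQLite database (built below) plays the role of the
// MySQL table ps_category_lang (_DB_PREFIX_ . 'category_lang' in the question).

function getCategoryIdPrepared(PDO $db, string $categoryName): ?int
{
    // The value is bound to the ? placeholder at execute time, so the SQL text
    // never contains it and no quotes have to be added or escaped by hand.
    $stmt = $db->prepare('SELECT id_category FROM ps_category_lang WHERE name = ?');
    $stmt->execute([$categoryName]);
    $id = $stmt->fetchColumn();          // false when no row matches
    return $id === false ? null : (int) $id;
}

// Constructed fixture mirroring the question's table and sample value.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ps_category_lang (id_category INTEGER, name TEXT)');
$insert = $db->prepare('INSERT INTO ps_category_lang (id_category, name) VALUES (?, ?)');
$insert->execute([7, 'ABC/ABC']);
$insert->execute([8, 'O\'Neil "Specials"']);   // a name containing both quote styles

// The slash, the apostrophe and the double quotes are all passed through literally.
var_dump(getCategoryIdPrepared($db, 'ABC/ABC'));
var_dump(getCategoryIdPrepared($db, 'O\'Neil "Specials"'));
var_dump(getCategoryIdPrepared($db, 'missing'));
```

The second lookup is the case that manual quoting gets wrong: with string concatenation the quotes inside the value would terminate the SQL literal early, which is the same mechanism behind the SQL injection the answer warns about.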