
This is in mysql:

Column: Title
        ___________
        Children's 

Code:

$result = mysql_query("SELECT * FROM bookings_css_multi_lang WHERE model='pjCourse' AND field = 'title' AND content LIKE '%".$searchTerm."%' LIMIT $start_from, $results_per_page");
while ($myrow = mysql_fetch_row($result))
{
}
Barmar
Mohammed Alh

1 Answer

If you really must use the obsolete mysql extension, you have to escape the inputs to prevent syntax errors like this. Use:

$searchTerm = mysql_real_escape_string($searchTerm);

before the query.

But you really should convert to mysqli or PDO, which allow you to write parameterized queries. In PDO you would write this as:

$stmt = $pdo->prepare("
    SELECT * 
    FROM bookings_css_multi_lang 
    WHERE model='pjCourse' AND field = 'title' 
        AND content LIKE CONCAT('%', :search_term, '%')
    LIMIT :start_from, :results_per_page");
$stmt->bindParam(':search_term', $searchTerm);
// LIMIT arguments must be bound as integers; with pdo_mysql's default emulated
// prepares a plain bindParam() would quote them ('0', '10') and the query fails.
$stmt->bindParam(':start_from', $start_from, PDO::PARAM_INT);
$stmt->bindParam(':results_per_page', $results_per_page, PDO::PARAM_INT);
$stmt->execute();
while($myrow = $stmt->fetch(PDO::FETCH_ASSOC)) {
    ...
}
Barmar