
I have this table from saprfc, and I import it into SQL Server. But the persons' names containing an apostrophe (') do not get into SQL Server (Nanang Ma'ruf and Fat'khah Dwi).

  ID   |   FEE   |      NAME      |   PERIOD
000711 |  204000 |  YUDI MANDALA  |   201807
000790 |   84000 |  NANANG MA'RUF |   201807
001171 |  151500 |    SARJANA     |   201807
012314 |   89000 |  FAT'KHAH DWI  |   201807

my code:

foreach ($tmp as $item)
{
    $i++;
    // Buffer each column so the import loop below can reuse the rows.
    $a[$i] = $item['ID'];
    $b[$i] = $item['FEE'];
    $c[$i] = $item['NAME'];
    $d[$i] = $item['PERIOD'];

    echo '<tr>';
    echo '<td>' . $item['ID'] . '</td>';
    echo '<td>' . $item['FEE'] . '</td>';
    echo '<td>' . $item['NAME'] . '</td>';
    echo '<td>' . $item['PERIOD'] . '</td>';
    echo '</tr>';
}
?>
                </tbody>
                </table>
            </div>
        </div>
<?php
if (isset($_POST["import"]))
{
    if ($FI_HPs != 0)   // $FI_HPs: number of buffered rows, set elsewhere in the script
    {
        for ($i = 1; $i <= $FI_HPs; $i++)
        {
            // The values are interpolated straight into the SQL text, so a name
            // containing an apostrophe (NANANG MA'RUF) terminates the string
            // literal early and the INSERT fails; the same path allows SQL injection.
            $query = mssql_query("INSERT INTO SISDM (id, fee, name, period) VALUES ('$a[$i]','$b[$i]','$c[$i]','$d[$i]')");
        }
    }
}
jimmy
    Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – pr1nc3 Oct 25 '18 at 08:19

1 Answer


You can use mysqli_real_escape_string().

PS: I'd use PDO instead of mssql_query(), because it was removed in PHP 7, so you can use PDO::quote() instead of the previous escape function.

Blallo
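Added example (not code from the question or the answer above) of the PDO route the answer points at, using a prepared statement rather than quoting: the four rows from the question, apostrophes included, are inserted into a SISDM table with the columns id, fee, name, period named in the question. The table schema below and the use of an in-memory SQLite database are assumptions so the script runs offline; against SQL Server only the DSN changes (pdo_sqlsrv, e.g. `new PDO('sqlsrv:Server=localhost;Database=hr', $user, $pass)`).

```php
<?php
// Added example: import the SAP rows through a prepared statement so that
// an apostrophe in a name is stored verbatim instead of breaking the INSERT.
// Assumed: SISDM(id, fee, name, period); SQLite in memory stands in for
// SQL Server (real DSN would be 'sqlsrv:Server=...;Database=...').

// Constructed sample rows, copied from the table in the question.
$rows = [
    ['ID' => '000711', 'FEE' => '204000', 'NAME' => 'YUDI MANDALA',  'PERIOD' => '201807'],
    ['ID' => '000790', 'FEE' => '84000',  'NAME' => "NANANG MA'RUF", 'PERIOD' => '201807'],
    ['ID' => '001171', 'FEE' => '151500', 'NAME' => 'SARJANA',       'PERIOD' => '201807'],
    ['ID' => '012314', 'FEE' => '89000',  'NAME' => "FAT'KHAH DWI",  'PERIOD' => '201807'],
];

/**
 * Insert every row through one prepared statement. The driver transmits the
 * values separately from the SQL text, so a quote character in a value can
 * neither end the string literal nor change the statement.
 */
function importRows(PDO $pdo, array $rows): int
{
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $stmt = $pdo->prepare(
        'INSERT INTO SISDM (id, fee, name, period) VALUES (:id, :fee, :name, :period)'
    );

    $pdo->beginTransaction();
    try {
        foreach ($rows as $r) {
            $stmt->execute([
                ':id'     => $r['ID'],
                ':fee'    => $r['FEE'],
                ':name'   => $r['NAME'],
                ':period' => $r['PERIOD'],
            ]);
        }
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack();   // leave nothing half-imported on failure
        throw $e;
    }
    return count($rows);
}

// Offline demo database (assumed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE SISDM (id TEXT, fee INTEGER, name TEXT, period TEXT)');
$inserted = importRows($pdo, $rows);

// Read back only the names that contain an apostrophe to confirm they were kept.
// ('' is the SQL escape for a literal quote inside a string literal.)
$names = $pdo->query("SELECT name FROM SISDM WHERE name LIKE '%''%' ORDER BY id")
             ->fetchAll(PDO::FETCH_COLUMN);

echo "inserted $inserted rows\n";
print_r($names);
```

PDO::quote() from the answer also escapes a single value correctly for the connected driver, but with a prepared statement no SQL text is built from the data at all, which is what closes the injection path the linked duplicate describes as well as the apostrophe problem. Keep the original's per-row loop inside one transaction so a failed row does not leave a partial import behind.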