
I need to execute a SQL query where I need to use an apostrophe because I search for an email address. When I type the '' in the query they become a variable pointer, but they should just tell MySQL that this is a string.

How can I tell the program to use them in a different way? I already tried pdo->quote.

```php
$statement = $pdo->prepare("SELECT user_id FROM tbl_server WHERE user_id = (SELECT user_id from tbl_user where Email = ':email') "); // here i need the normal apostrophe
$result = $statement->execute(array('email' => $email));
$user = $statement->fetch();
```
Em_53
  • Possible duplicate of [PHP PDO prepared statements](https://stackoverflow.com/questions/1457131/php-pdo-prepared-statements) – mickmackusa Nov 06 '18 at 12:46

1 Answer


You must not quote :email in the query; the database driver will determine how to handle the parameter because it knows the passed type and the column's type in the database. But you need to prepend the : to email when executing the parameterized query.

```php
// No quotes around :email: the driver binds the value as a string itself,
// so an apostrophe inside the address is handled for you.
$statement = $pdo->prepare("SELECT user_id FROM tbl_server WHERE user_id = (SELECT user_id from tbl_user where Email = :email) ");
$result = $statement->execute(array(':email' => $email)); // false on failure (unless PDO throws)
$user = $statement->fetch();                               // false when no row matched
```

By the way, you should check whether $result is true or false; also, your query might deliver an empty result set, so you should check whether $user === false (i.e. no user found) after fetching.

The Coprolal