Hi, I have a Fullname field to fill in that only allows the alphabet, the ' (apostrophe) sign and the @ sign. When I am using MySQL everything is okay, but when I want to send the data to another web service that uses SQL Server, there is a problem.

The problem is the ' (apostrophe) sign, which gives me an error, because in the SQL script there is a statement like Insert into table1 values ('','')

So how do I replace the ' (apostrophe) sign with ` (grave accent) before saving to the database?

rzl21
    Please read [How to create a Minimal, Reproducible Example](https://stackoverflow.com/help/minimal-reproducible-example) and edit your question accordingly. You need to provide us with your attempt (the code you're having issues with), example data, expected results and what results you're currently getting. – M. Eriksson Jul 18 '19 at 06:40
  • You don't. As Verim wrote - you use [prepared statements and parameterized queries](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) - which prevents injection and fixes this problem. – SMor Jul 18 '19 at 11:55

1 Answer

You just stumbled upon an important security bug: your user input can influence your SQL query. It's nice to see that you are trying to solve the problem yourself, but your solution still has problems: what happens if I send your server a malicious request with a full name like `Hans'; DELETE * FROM users --`? This attack is called "SQL injection" and is one of the most common attacks on servers.

TL;DR: ALWAYS use prepared statements and you are safe.

Verim
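To make the answer concrete, here is an added example (not code from the question or the answer) that puts the two approaches side by side: the string-built INSERT from the question, which breaks as soon as a name contains an apostrophe, and a parameterized INSERT, which stores the apostrophe intact without any replacement. It uses Python's built-in sqlite3 module as a stand-in database so it runs offline; the table name `table1` is taken from the question, the sample names are constructed, and the single `fullname` column is an assumption.

```python
import sqlite3

# Constructed sample inputs: a legitimate name containing an apostrophe, and
# the payload quoted in the answer above.
SAMPLE_NAME = "Conan O'Brien"
SAMPLE_PAYLOAD = "Hans'; DELETE * FROM users --"


def make_db():
    """Create an in-memory database with the one-column table1 (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (fullname TEXT)")
    return conn


def insert_concat(conn, fullname):
    """The pattern from the question: the value is pasted into the SQL text.

    Any apostrophe in the input ends the string literal early, so the rest of
    the input is parsed as SQL. With a normal name that is a syntax error;
    with a crafted one it is SQL injection.
    """
    sql = "INSERT INTO table1 VALUES ('" + fullname + "')"
    conn.execute(sql)


def insert_param(conn, fullname):
    """Prepared/parameterized statement, as the answer recommends.

    The SQL text contains only a placeholder; the driver sends the value
    separately, so quotes in the value are data and never become syntax.
    """
    conn.execute("INSERT INTO table1 VALUES (?)", (fullname,))


def stored_names(conn):
    """Return every fullname currently stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT fullname FROM table1 ORDER BY rowid")]


def demo():
    """Run both approaches and report (concat_failed, stored_names)."""
    conn = make_db()
    concat_failed = False
    try:
        insert_concat(conn, SAMPLE_NAME)  # apostrophe breaks the statement
    except sqlite3.Error:
        concat_failed = True
    insert_param(conn, SAMPLE_NAME)       # stored as-is, no replacement needed
    insert_param(conn, SAMPLE_PAYLOAD)    # stored as an inert string, nothing executed
    return concat_failed, stored_names(conn)


if __name__ == "__main__":
    failed, names = demo()
    print("string-built INSERT failed on apostrophe:", failed)
    print("rows stored via parameters:", names)
```

The placeholder syntax is driver-specific: `?` for sqlite3 and for pyodbc against SQL Server, `%s` for the common MySQL drivers, but the principle is the same everywhere, and no character replacement (apostrophe to grave accent or otherwise) is needed because the value never becomes part of the SQL text.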