
$_SESSION['ddv'] (or $all_ddv) is a string of names like this: 'name 1', 'name 2', etc. (notice the single quotes). I need this field to be stored exactly like this (with ' and ,) because I recall it later on with a query looking like: SELECT * FROM ".$tbl." WHERE voix IN (field ddv)

The problem is that each name (between single quotes and separated by a comma) is treated as a new field entry and I get SQL error 1136 - wrong field count.

I tried every possible combination of ", ' and , to no avail... Table structure: num, pseudo, title, ddv, visible (the trouble is with the ddv field).

<?php
//Save the selection to table book_perso
if(isset($_GET["session_save_ddv"])) {
    $all_ddv = $_SESSION['ddv'];
    echo 'ECHO $all_ddv for debugging : '.$all_ddv.'<br>';
    // $_GET values and $all_ddv are interpolated unescaped: the quotes and commas
    // inside $all_ddv are parsed as SQL syntax, which is what produces error 1136
    $sql = "INSERT INTO livres_perso VALUES ('num','$_GET[pseudo]', '$_GET[title]', '$all_ddv','0')";
    if (mysql_query($sql)) {
        echo "New record created successfully !";
    } else {
        echo "** Error: " . $sql . "<br>" . mysql_errno();
    }
}
?>

In table I want : 2 ¦ my pseudo ¦ my title ¦ 'john', 'anne', 'ed' ¦ 1 ¦

Stop using the `mysql_XXX` functions. They were deprecated many years ago, and removed completely from PHP 7.0. – Barmar Sep 06 '19 at 10:28

You should use MySQLI or PDO, they have prepared statements with parameters, they solve this problem completely. – Barmar Sep 06 '19 at 10:29

1 Answer

You should convert to PDO or MySQLI and use prepared statements instead of substituting variables into the SQL string. But until you can do that, you need to use mysql_real_escape_string() to escape strings, to prevent SQL injection and escape the quotes.

// mysql_real_escape_string() needs an open mysql_connect() link, so call it after connecting
$pseudo = mysql_real_escape_string($_GET['pseudo']);
$title = mysql_real_escape_string($_GET['title']);
$all_ddv = mysql_real_escape_string($_SESSION['ddv']);
$sql = "INSERT INTO livres_perso VALUES ('num', '$pseudo', '$title', '$all_ddv','0')";
**YES** Thanks Barmar! It worked after I put single quotes around $pseudo and $title (omitted in your answer). – stressless Sep 06 '19 at 10:57
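The answer's real recommendation, prepared statements, shown as an added example (not code from the question or the answer): the insert binds the three values as parameters, so the quotes and commas in $all_ddv are stored verbatim without ever becoming SQL, and the later IN (...) lookup binds one placeholder per name instead of splicing the stored string into the query. Column names follow the question's table; the DSN, credentials, AUTO_INCREMENT on num and the table read with WHERE voix IN are assumptions.

```php
<?php
// Connection details are placeholders; exceptions instead of silent false returns.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares: values never touch the SQL text
]);

// Constructed sample input standing in for $_GET['pseudo'], $_GET['title'] and $_SESSION['ddv'].
$pseudo  = "o'neil";                   // a quote in user input is now just data
$title   = "Book, with a comma";
$all_ddv = "'john', 'anne', 'ed'";     // stored exactly as the asker wants, quotes and commas included

// num is assumed AUTO_INCREMENT, so it is left out; visible gets the literal 0 from the question.
$ins = $pdo->prepare(
    'INSERT INTO livres_perso (pseudo, title, ddv, visible) VALUES (?, ?, ?, 0)'
);
$ins->execute([$pseudo, $title, $all_ddv]);

// Reading the list back: split the stored string into names and bind each one.
// Interpolating the column value into "WHERE voix IN (...)" would re-create the
// original injection hole, because the column content would again be parsed as SQL.
$row   = $pdo->query('SELECT ddv FROM livres_perso ORDER BY num DESC LIMIT 1')->fetch();
$names = array_map(
    function ($v) { return trim($v, " '"); },   // strip the surrounding quote and space
    explode(',', $row['ddv'])
);
$marks = implode(',', array_fill(0, count($names), '?'));   // "?,?,?" for three names

// $tbl in the question is a variable table name; a placeholder is used here.
$sel = $pdo->prepare("SELECT * FROM other_table WHERE voix IN ($marks)");
$sel->execute($names);
$matches = $sel->fetchAll(PDO::FETCH_ASSOC);
```

A name that itself contains a comma or quote would still confuse the explode()/trim() split, so a child table with one row per name is the robust layout if the list needs to grow.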