Inserting a name with ' in a MySQL table

Question

First time with this trouble when dealing with a MySQL table.

I'm inserting bar names in a table. If the bar is called "Tim's Bar" and I insert it straight away I get an error and the data is not inserted.

How do you instert properly the ' in the table?

@user712027, it sounds like you have a SQL-injection problem. See: http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain — Johan, Apr 28 '11 at 09:18

score 7 · Accepted Answer · answered Apr 28 '11 at 09:00

7

Use mysql_real_escape_string():

answered Apr 28 '11 at 09:00

magma

1

This is the correct solution. This automates what the other answers do. – Dan Hanly Apr 28 '11 at 09:01

score 5 · Answer 2 · answered Apr 28 '11 at 09:05

5

Use PDO with prepared statements.

$query = $pdo->prepare('INSERT INTO bars (name) VALUES (?)');
$query->execute("Tim's Bar");

It's superior (and safer) than using the mysql(i)_* family of functions directly.

answered Apr 28 '11 at 09:05

Sander Marechal

score 0 · Answer 3 · answered Apr 28 '11 at 08:55

0

INSERT INTO your_table SET person_name = 'Tim\'s Bar';

Note the \'

answered Apr 28 '11 at 08:55

Michael J.V.

Masiar · Answer 4 · 2011-04-28T16:50:21.833

0

I believe you should insert it as 'Tim\'s Bar'.

Regards

edited Apr 28 '11 at 16:50

answered Apr 28 '11 at 08:56

Masiar

This is overkill, `"Tim's Bar"` or `'Tim\'s Bar'` will suffice – gnur Apr 28 '11 at 08:57

score 0 · Answer 5 · answered Apr 28 '11 at 09:14

0

addslashes() by the insert, and stripslashes() by the output would also work

answered Apr 28 '11 at 09:14

Flask

This is outright incorrect, on both counts. First, `addslashes` is *not* the way to escape data before inserting it into the database. Second, calling `stripslashes` on data going from the database to the screen is not only unnecessary, doing so will corrupt your data. – user229044 Apr 28 '11 at 17:25

5 Answers5