
Really hope somebody can assist. I am getting a text input field from a form in the database; it has the following value "Pieter's School", and it's giving me an error in my SQL query.

The error is as follows: WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's School' and e.user_id = 397 and em.meta_value = 771089001000 ORDER BY em.cr...'

I presume it's because it takes the " ' " as the end of the string. I am not sure how to escape it or get this working.

Here is my select statement:

$entry_ids = $wpdb->get_col("SELECT e.id FROM ". $wpdb-> prefix ."frm_items e LEFT JOIN ". $wpdb->prefix ."frm_item_metas em ON (em.item_id = e.id) WHERE e.form_id = 7 and e.name = '$schoolname' and e.user_id = $user_id and em.meta_value = $schoolhopperid ORDER BY em.created_at DESC");

Judy
    Does this answer your question? [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Nico Haase Jul 01 '20 at 09:48

1 Answer

-1

Escape the apostrophe in the string with mysqli_real_escape_string():

Documentation: https://www.php.net/manual/de/mysqli.real-escape-string.php

Taazar
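For comparison, here is how the query in the question would be written so that an apostrophe in the school name can no longer break it. This is an added example, not code from the question or the answer: it uses WordPress's own $wpdb->prepare(), which quotes and escapes each value for you, rather than calling mysqli_real_escape_string() directly (that function needs a mysqli connection handle as its first argument, which $wpdb does not hand out). It assumes the same $wpdb global, table prefixes and variable names as the question; the sample values are constructed to reproduce the failing input.

```php
<?php
// Added example (not from the question or the answer). Assumes WordPress is
// loaded so that the $wpdb global and $wpdb->prefix exist, and that the
// Formidable tables are named as in the question.
global $wpdb;

// Constructed sample input (assumed): the name that broke the original
// query, plus the user id and meta value from the error message.
$schoolname     = "Pieter's School";
$user_id        = 397;
$schoolhopperid = '771089001000';

// Table names cannot be placeholders, so they are still concatenated. They
// come from $wpdb->prefix, not from form input, so this is safe.
$items = $wpdb->prefix . 'frm_items';
$metas = $wpdb->prefix . 'frm_item_metas';

// %s is quoted AND escaped by prepare(), so do not put quotes around it in
// the SQL. %d casts its argument to an integer, which also rejects anything
// non-numeric arriving in $user_id. meta_value is compared as a string here
// (%s); use %d instead if the column is an integer type in your schema.
$sql = $wpdb->prepare(
    "SELECT e.id
       FROM {$items} e
       LEFT JOIN {$metas} em ON (em.item_id = e.id)
      WHERE e.form_id = %d
        AND e.name = %s
        AND e.user_id = %d
        AND em.meta_value = %s
      ORDER BY em.created_at DESC",
    7,
    $schoolname,
    $user_id,
    $schoolhopperid
);

// $sql now reads ... e.name = 'Pieter\'s School' ... and runs without a
// syntax error, whatever characters the form submits.
$entry_ids = $wpdb->get_col( $sql );
```

If you only need to escape a value for a query you build by hand, WordPress also provides esc_sql(), but prepare() is the better habit: it handles the quoting, the escaping and the type coercion in one place, so a stray quote in user input can neither break the query nor be used to inject into it.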