insert sql {"title": {...}} - escape?

Question

I'd like to insert the following to my database:

"INSERT INTO `table` (`column1`, `column2`, `column3`) VALUES (1, 2, '{"title": {"abc1":def","abc2":"def2" ...}}')";

How can I achieve that? I guess I have to escape the string but I haven't figured it out yet.

A quick search found this: https://ubiq.co/database-blog/how-to-escape-single-quote-special-characters-in-mysql/ and this https://stackoverflow.com/questions/2687866/escaping-single-quote-in-php-when-inserting-into-mysql. Maybe try those suggestions? — Sumner Evans, Feb 01 '21 at 07:00
Does this answer your question? [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Amin Gheibi, Feb 01 '21 at 07:57

score 0 · Answer 1 · answered Feb 01 '21 at 07:06

Prepared statements is what you want.

  $stmt = $pdo->prepare('
Insert Into
    table
SET
    column1=:col1Val,
    column2=:col2Val,
    column3=:col3Val
';
  $stmt->execute([
    ':col1Val'=>'Value',
    ':col2Val'=>$someVar,
    ':col3Val'=>'{"title": {...}}'
  ]);
if($stmt->rowCount() > 0){
    echo 'Row Inserted<br>';
} else {
    echo 'Row Not Inserted<br>';
}

score -2 · Answer 2 · answered Feb 01 '21 at 07:09

-2

for example

Insert Into Person_Table (Firstname,Lastname,Age) Values ('Sahand','Golpour',25)

Use quotation marks only for the string data type

answered Feb 01 '21 at 07:09

Sahand Golpour

1

2

This doesn't answer their question in any way. – M. Eriksson Feb 01 '21 at 07:11

insert sql {"title": {...}} - escape?

2 Answers2