
I'm trying to make a query with PHP, but my apostrophes are automatically converted to `&#039;` by $repBdd, and so the query doesn't work. However, when I do my echo, it is the `'` characters that are displayed.

Do you know how to fix this?

```php
$pseudo = addslashes($_GET['pseudo']);
$mdp = addslashes($_GET['mdp']);

$query = "select * from utilisateur where pseudo='".$pseudo."' and motdepasse ='".$mdp."'";
// the echo shows the query with plain ' characters
echo(htmlspecialchars($query));
// the query handed to prepare() has every ' turned into &#039;
$repBdd = $bdd->prepare(htmlspecialchars($query, ENT_QUOTES));
$repBdd->execute();
$result = $repBdd->fetch();
$repBdd->closeCursor();
```
  • I'd recommend reading the manual pages for `addslashes` and `htmlspecialchars`, and learning what they are designed to do. There's no need for either of them to be anywhere near database code. Then read up about prepared statements, and how to use query placeholders. [This question](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) and [this question](https://stackoverflow.com/questions/38411112/using-htmlspecialchars-function-with-pdo-prepare-and-execute?rq=1) might be useful. – iainn Jun 05 '22 at 15:31

1 Answer


I recommend you only use `htmlspecialchars` on $pseudo and motdepasse; you can't use it on the whole query without breaking the request.

Also, you can use `filter_input` directly on $_GET['yourData'].
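For comparison, here is an added example (not code from the question or the answer) that puts the question's query through PDO placeholders, as iainn's comment suggests, next to the question's approach; it assumes an in-memory SQLite database and a constructed `utilisateur` table so it runs offline.

```php
<?php
// Added example: constructed in-memory SQLite database standing in for $bdd.
$bdd = new PDO('sqlite::memory:');
$bdd->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$bdd->exec("CREATE TABLE utilisateur (pseudo TEXT, motdepasse TEXT)");
// Constructed row whose pseudo contains an apostrophe ('' is SQL's escaped quote).
$bdd->exec("INSERT INTO utilisateur VALUES ('O''Brien', 'secret')");

// The question's approach: addslashes() on the values, htmlspecialchars() on the
// whole query. Every ' in the SQL text becomes &#039;, so the statement is no
// longer valid SQL and prepare()/execute() throws, whatever the input is.
function findUserBroken(PDO $bdd, string $pseudo, string $mdp): ?array
{
    $query = "select * from utilisateur where pseudo='" . addslashes($pseudo)
           . "' and motdepasse ='" . addslashes($mdp) . "'";
    $stmt = $bdd->prepare(htmlspecialchars($query, ENT_QUOTES));
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Placeholders: the SQL text contains no user data at all. The driver sends the
// values separately, so quotes in the input need no addslashes() and cannot
// change the meaning of the query. htmlspecialchars() belongs at output time,
// when a value is printed into HTML, not here.
function findUser(PDO $bdd, string $pseudo, string $mdp): ?array
{
    // Kept as in the question's schema; in a real application motdepasse would
    // hold a password_hash() value checked with password_verify() after the fetch.
    $stmt = $bdd->prepare(
        "select * from utilisateur where pseudo = :pseudo and motdepasse = :mdp"
    );
    $stmt->execute([':pseudo' => $pseudo, ':mdp' => $mdp]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

try {
    findUserBroken($bdd, "O'Brien", 'secret');
} catch (PDOException $e) {
    echo "htmlspecialchars() on the query: " . $e->getMessage() . "\n";
}

$found = findUser($bdd, "O'Brien", 'secret');
echo "placeholders, correct password: " . ($found ? 'row found' : 'no row') . "\n";
$found = findUser($bdd, "O'Brien", 'wrong');
echo "placeholders, wrong password: " . ($found ? 'row found' : 'no row') . "\n";
```

The apostrophe in O'Brien reaches the database untouched through the placeholder, which is exactly what the escaping in the question was trying (and failing) to achieve.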