1

Possible Duplicate:
apostrophes are breaking my mysql query in PHP

I asked a friend to test my site, and his surname contains a ' (O'Rourke), so I got a syntax error around "Rourke". Obviously caused by the apostrophe.

How do I prevent this from happening so he can register to my site?

$name = $user_profile['name'];

mysql_select_db("gamedb", $con);

$sql="INSERT IGNORE INTO Users (FID, Name, Date) VALUES ('$fid','$name',NOW())";

Does escaping solve the issue? I couldn't actually try escaping it, since the name is retrieved from the user's Facebook account.

Thanks

lisovaccaro
    In addition to this being a dup of the above, you *really* want to click on the link in the answer to that post regarding SQL Injection. – Brian Roach Sep 02 '11 at 04:11
  • 2
    This isn't really the first time this has been explained to you? http://stackoverflow.com/questions/6880490/how-do-i-retrieve-escaped-strings-from-db – mario Sep 02 '11 at 04:12

5 Answers

3

Use prepared statements. That'll automatically handle input escaping. The current INSERT is open to a SQL injection attack. Check out mysqli_stmt::prepare()

Sahil Muthoo
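The INSERT from the question rewritten with a mysqli prepared statement, as an added example that is not code from the question or from this answer. The profile array, the connection parameters and the `utf8mb4` charset are assumptions; the table and column names are the ones from the question. The apostrophe in O'Rourke is passed as a bound parameter, so it never becomes part of the SQL text and neither breaks the statement nor allows injection.

```php
<?php
// Added example: the question's INSERT IGNORE done with a mysqli prepared statement.
// Connection parameters are placeholders; adjust for your environment.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw exceptions on errors

$con = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'gamedb');
$con->set_charset('utf8mb4'); // assumed charset; match the Users table

// Constructed sample standing in for the profile array from the question.
// Note the quoted array keys: $user_profile[name] relies on an undefined constant.
$user_profile = ['id' => '100000123', 'name' => "Patrick O'Rourke"];
$fid  = $user_profile['id'];
$name = $user_profile['name'];

// The SQL text is fixed; the two ? placeholders receive the values at execute time.
$stmt = $con->prepare(
    "INSERT IGNORE INTO Users (FID, Name, Date) VALUES (?, ?, NOW())"
);
$stmt->bind_param('ss', $fid, $name); // 's' = bind as string; no escaping needed

$stmt->execute();
printf("Rows affected: %d\n", $stmt->affected_rows); // 1 on insert, 0 if IGNORE skipped it

$stmt->close();
$con->close();
```

Because the value is sent separately from the query, the same code also accepts names containing backslashes, semicolons or quotes of either kind without any per-character handling.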
1

Use mysql_real_escape_string() for the variables

$sql = "INSERT IGNORE INTO Users (
          FID, 
          Name, 
          Date
        ) VALUES (
          '" . mysql_real_escape_string($fid) . "',
          '" . mysql_real_escape_string($name) . "',
          NOW()
        )";
Rolando Cruz
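The same per-value escaping approach written against the mysqli extension, as an added example that is not this answer's code (the mysql_* functions it uses are removed in PHP 7). Connection parameters, the charset and the sample profile array are assumptions. Each value is escaped on its own before being spliced into the query; escaping the finished query string instead would mangle the quotes that belong to the SQL itself.

```php
<?php
// Added example: escape each value with the live connection, then build the query.
$con = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'gamedb'); // placeholders
$con->set_charset('utf8mb4'); // escaping is charset-aware: set the charset first

// Hypothetical helper: returns the INSERT with both values escaped for this connection.
function build_insert_sql(mysqli $con, string $fid, string $name): string
{
    // real_escape_string needs an open connection; it turns O'Rourke into O\'Rourke
    $fidEsc  = $con->real_escape_string($fid);
    $nameEsc = $con->real_escape_string($name);

    return "INSERT IGNORE INTO Users (FID, Name, Date) "
         . "VALUES ('$fidEsc', '$nameEsc', NOW())";
}

// Constructed sample standing in for the Facebook profile array.
$user_profile = ['id' => '100000123', 'name' => "Patrick O'Rourke"];

$sql = build_insert_sql($con, $user_profile['id'], $user_profile['name']);
// $sql now reads: INSERT IGNORE INTO Users (FID, Name, Date) VALUES ('100000123', 'Patrick O\'Rourke', NOW())
$con->query($sql);

$con->close();
```

Escaping only works when every value is quoted in the query and escaped with the connection's charset; a prepared statement removes both of those conditions, which is why it is the safer default.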
0

Escape the string with:

$name = mysql_escape_string($user_profile['name']);

This prevents SQL injection.

tttony
0

You should use mysql_real_escape_string($sql) before you insert a row.

s.webbandit
0

You need to use the mysql_real_escape_string function in PHP. You can see the details here: http://php.net/manual/en/function.mysql-real-escape-string.php

user555742