How to add ' ' to php variable in query

Question

Hello i have this simple query

$query = "SELECT id FROM `client` where name= ".$user_name;

Now the query is printed

select id from client where name = Bob;

when in fact it should be

select id from client where name = 'Bob';

how can i add single quotes in the php variable?

Does this answer your question? [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Ainz, Jul 07 '22 at 07:45
presumably `name` contains a `string` rather than a `number` so you would, at the very least, require quotes around the value in the sql statement. As for `Its okay to injection its just a simple query` - better to learn the correct way and apply that for every occasion than use vulnerable code — Professor Abronsius, Jul 07 '22 at 08:12
@ProfessorAbronsius i know how to protect against sql injection but this is for a work that im not being valuated a lot so i dont care for the security] — , Jul 07 '22 at 09:17
Seems like a good career decision to deliberately introduce flaws into your code '-) — Professor Abronsius, Jul 07 '22 at 14:54
@ProfessorAbronsius it is a good career decision when the company doesnt respect the workers why should the workers respect the company? — , Jul 08 '22 at 07:29

score 1 · Accepted Answer · answered Jul 07 '22 at 07:47

1

I warned you and you are fine to sql injection then just try this.

$query = "SELECT id FROM `client` where name= '".$user_name."'";

answered Jul 07 '22 at 07:47

Ainz

2

or just this $query = "SELECT id FROM `client` where name= '$user_name' "; – Farajayh Jul 07 '22 at 09:10

1 Answers1