191

The MySQL documentation says that it should be \'. However, both scite and mysql shows that '' works. I saw that and it works. What should I do?

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
user4951
  • 32,206
  • 53
  • 172
  • 282
  • 1
    Are you talking about whether `''` or `\'` is correct? – Raptor Mar 07 '12 at 06:11
  • `\'` is MySQL specific while `''` is ANSI SQL compliant if I'm not mistaken – apokryfos Oct 20 '15 at 11:32
  • Depending on the implementation of SQL;- ' '\'' , ' \'' , and sometimes '[ ']'' will allow a break out from the code. On top of this any number of unicode ' replacements will bypass this check. The whole game here is abusing the quality of '' based escaping that it requires the final ' count to be even rather than odd. If it ends up odd by mashing multiple escape methods into each other, you can defeat the escaping and inject raw SQL. Moral of the story: NEVER use string interpolation, ALWAYS use prepared statements. – Shayne Apr 16 '19 at 07:13

10 Answers10

245

The MySQL documentation you cite actually says a little bit more than you mention. It also says,

A “'” inside a string quoted with “'” may be written as “''”.

(Also, you linked to the MySQL 5.0 version of Table 8.1. Special Character Escape Sequences, and the current version is 5.6 — but the current Table 8.1. Special Character Escape Sequences looks pretty similar.)

I think the Postgres note on the backslash_quote (string) parameter is informative:

This controls whether a quote mark can be represented by \' in a string literal. The preferred, SQL-standard way to represent a quote mark is by doubling it ('') but PostgreSQL has historically also accepted \'. However, use of \' creates security risks...

That says to me that using a doubled single-quote character is a better overall and long-term choice than using a backslash to escape the single-quote.

Now if you also want to add choice of language, choice of SQL database and its non-standard quirks, and choice of query framework to the equation, then you might end up with a different choice. You don't give much information about your constraints.

Jonathan Leffler
  • 730,956
  • 141
  • 904
  • 1,278
Jim DeLaHunt
  • 10,960
  • 3
  • 45
  • 74
56

Standard SQL uses doubled-up quotes; MySQL has to accept that to be reasonably compliant.

'He said, "Don''t!"'
Jonathan Leffler
  • 730,956
  • 141
  • 904
  • 1,278
  • 1
    +1. Where does it say that it should be escaped by '' not http://dev.mysql.com/doc/refman/5.0/en/string-literals.html#character-escape-sequences – user4951 Mar 07 '12 at 06:19
  • It says 'may' rather than 'should', but the information is there (below the table): _There are several ways to include quote characters within a string: A “`'`” inside a string quoted with “`'`” may be written as “`''`”. A “`"`” inside a string quoted with “`"`” may be written as “`""`”. Precede the quote character by an escape character (“`\`”)._ – Jonathan Leffler Apr 26 '14 at 17:18
  • 1
    This is the best way to escape apostrophe by doubling it. – Alex _TNT Jun 02 '16 at 07:50
15

What I believe user2087510 meant was:

name = 'something'
name = name.replace("'", "\\'")

I have also used this with success.

user3169788
  • 159
  • 1
  • 3
10

There are three ways I am aware of. The first not being the prettiest and the second being the common way in most programming languages:

  1. Use another single quote: 'I mustn''t sin!'
  2. Use the escape character \ before the single quote': 'I mustn\'t sin!'
  3. Use double quotes to enclose string instead of single quotes: "I mustn't sin!"
Robert
  • 10,126
  • 19
  • 78
  • 130
  • My personal preference would be `\'` as it is used by so many programming languages, but `''` is supported by more SQL dialects, so using option 1 is better for compatibility. Sqlite for example doesn't work with backslash escapes. – okdewit Dec 06 '18 at 13:59
7

just write '' in place of ' i mean two times '

SimonSimCity
  • 6,415
  • 3
  • 39
  • 52
MRRaja
  • 1,073
  • 12
  • 25
6

Here's an example:

SELECT * FROM pubs WHERE name LIKE "%John's%"

Just use double quotes to enclose the single quote.

If you insist in using single quotes (and the need to escape the character):

SELECT * FROM pubs WHERE name LIKE '%John\'s%'
Overkillica
  • 392
  • 2
  • 7
1

Possibly off-topic, but maybe you came here looking for a way to sanitise text input from an HTML form, so that when a user inputs the apostrophe character, it doesn't throw an error when you try to write the text to an SQL-based table in a DB. There are a couple of ways to do this, and you might want to read about SQL injection too. Here's an example of using prepared statements and bound parameters in PHP:

$input_str = "Here's a string with some apostrophes (')";
// sanitise it before writing to the DB (assumes PDO)
$sql = "INSERT INTO `table` (`note`) VALUES (:note)";
try {
    $stmt = $dbh->prepare($sql);
    $stmt->bindParam(':note', $input_str, PDO::PARAM_STR);
    $stmt->execute();
} catch (PDOException $e) {
    return $dbh->errorInfo();
}
return "success";

In the special case where you may want to store your apostrophes using their HTML entity references, PHP has the htmlspecialchars() function which will convert them to '. As the comments indicate, this should not be used as a substitute for proper sanitisation, as per the example given.

Grindlay
  • 571
  • 5
  • 8
  • Encoding is not for storing, it is for displaying. Use prepared statements. – mickmackusa May 02 '20 at 04:28
  • I agree that prepared statements are the gold standard for security and reliability. I was highlighting a specific case where you may want to store text data as HTML, in which case my method is in addition to using bound parameters, rather than instead of. HTML in, HTML out. – Grindlay May 04 '20 at 12:04
  • I think your answer starts to make a good point, and then sags. In cases like this where the 'simple option' is a fatal flaw, don't recommend it, especially to newbies. – Regular Jo Feb 01 '21 at 22:33
0

Replace the string 

value = value.replace(/'/g, "\\'");

where value is your string which is going to store in your Database.

Further,

NPM package for this, you can have look into it

https://www.npmjs.com/package/mysql-apostrophe

Ashutosh Jha
  • 15,451
  • 11
  • 52
  • 85
  • Please don't just post some tool or library as an answer. At least demonstrate [how it solves the problem](http://meta.stackoverflow.com/a/251605) in the answer itself. – Baum mit Augen Sep 19 '17 at 11:24
  • That's not going to work. You forgot to escape things. replace(/\'/g, "\\\'") – Michael Jun 06 '19 at 22:11
0

I think if you have any data point with apostrophe you can add one apostrophe before the apostrophe

eg. 'This is John's place'

Here MYSQL assumes two sentence 'This is John' 's place'

You can put 'This is John''s place'. I think it should work that way.

Priyanka Pandhi
  • 11
  • 2
-2

In PHP I like using mysqli_real_escape_string() which escapes special characters in a string for use in an SQL statement.

see https://www.php.net/manual/en/mysqli.real-escape-string.php

will
  • 153
  • 3
  • 6
  • **Never do this**. Always use `prepared statements` / `bound parameters,` your SQL should NEVER contain a raw parameter from the language (PHP / Java / C# / Anything) – Regular Jo Feb 01 '21 at 22:36