Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
673 views
in Technique[技术] by (71.8m points)

mysql - How do I handle single quotes inside a SQL query in PHP?

I am using a particular query for inserting records. It is going well. I am even fetching records with a select query. But my problem is that, if the record contains single quotes ' ', then it gives me this error:

> NOTE:You have an error in your SQL syntax; 
>     check the manual that corresponds to your MySQL server 
>     version for the right syntax to use near 'B''' at line 1

The SELECT query is:

$result= mysql_query("SELECT s.name, 
                             s.sid as sid, 
                             s.category, 
                             p.name as pname 
                         FROM poet p 
                         INNER JOIN song s 
                            ON p.pid = s.pid 
                         WHERE s.name= '$sid'") or die(mysql_error());

What should I do to skip quotes problem in this. When I want quotes to insert in my records.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Your problem is much worse than this -- what if someone enters the value '; DROP TABLE poet; --? You need to use either mysql_real_escape_string() to escape the value, or use parametrized queries (with PDO, for example).

It's 2011, for crying out loud. Why is SQL injection still a widespread problem?


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...