Forum Moderators: coopster & jatar k

Replacing single quotes for sql query

single quotes

     
5:28 pm on Jul 18, 2009 (gmt 0)

Full Member

5+ Year Member

joined:Aug 13, 2007
posts:217
votes: 0


Hi,
I have to store the following text in SQL:

INSERT INTO `rss_data` (`newsurlid`,`newstitle`) VALUES ('95','Special Ghana site for President Obama's visit')

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's visit')' at line 1

I am getting an error because of the single quotes; how do I solve this and replace the single quotes?

2:30 am on July 19, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 22, 2005
posts:185
votes: 0


Maybe?
$newstitle = addslashes($newstitle); 
OR
$newstitle = str_replace("'", ''', $newstitle);
3:45 am on July 19, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 28, 2006
posts:96
votes: 0


First, read about SQL Injection [us.php.net], because you're vulnerable to it--which means anyone who so desired could nuke your entire database, or worse. Never trust user data.

NomikOS's proposed solutions are incorrect. The first, if it works at all, only works by accident. The second makes an assumption which may not always be true. Neither will fully protect you.

Instead, look at mysqli [us.php.net]. Specifically, prepared statements [us.php.net] are the way to go. They help ensure proper SQL syntax and make avoiding SQL injection far easier.

mysql_real_escape_string [us.php.net] will also work, but it's far too easy to forget or mess up, which is why I suggest using prepared statements.
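
The prepared-statement approach recommended in the last reply, applied to the INSERT from the question, as an added example that is not code from the thread. The connection host, user, password and database name are placeholders, `insert_news()` is a hypothetical helper, and `newsurlid` is assumed to be an integer column.

```php
<?php
// Added example, not from the thread. Table and column names come from the
// question's INSERT; connection values below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any DB error

// Hypothetical helper: inserts one row and returns the number of rows written.
function insert_news(mysqli $db, int $newsurlid, string $newstitle): int
{
    // The SQL text is a constant. The values are sent separately from it, so
    // a quote inside $newstitle cannot terminate the string literal.
    $stmt = $db->prepare(
        'INSERT INTO `rss_data` (`newsurlid`, `newstitle`) VALUES (?, ?)'
    );
    $stmt->bind_param('is', $newsurlid, $newstitle); // i = integer, s = string
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
$db->set_charset('utf8mb4');

// Constructed sample titles: the one from the question, plus two more with
// characters that break a query built by string concatenation.
$titles = [
    "Special Ghana site for President Obama's visit",
    'Editor says "no comment" on today\'s story',
    'Path C:\\feeds\\news and a trailing backslash \\',
];

$id = 95; // the newsurlid used in the question
foreach ($titles as $title) {
    insert_news($db, $id, $title);
}

// Read the rows back, again with a placeholder for the value.
$check = $db->prepare('SELECT `newstitle` FROM `rss_data` WHERE `newsurlid` = ?');
$check->bind_param('i', $id);
$check->execute();
$check->bind_result($stored);
while ($check->fetch()) {
    echo $stored, PHP_EOL; // each title prints exactly as it was supplied
}
$check->close();
$db->close();
```

No `addslashes()` or `str_replace()` call is applied to the titles; they are stored byte for byte, so nothing has to be undone when they are read back.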