vote up 0 vote down star

Now when I submit the character ' I get the following error listed below other then that everything is okay when I submit words. I am using htmlentities() and I still get this error.

How can I prevent this error from happening is there a way I can allow or convert or stop the character ' form displaying as an error?

Here is the error I get.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''')'
flag
40% accept rate
@Pascal MARTIN and @Josh Davis both of your answers helped me correct my problem. So I really don't know who to reward so I will let SO decide. – SlapThiS Dec 9 at 18:22

3 Answers

vote up 6 vote down

You need to escape the strings you are sending in your SQL queries.

For that, you can use the mysql_real_escape_string function.

For instance, your code might look like this (not tested, but something like this should do the trick) :

$str = "abcd'efh";
$sql_query = "insert into my_table (my_field) values ('" 
  . mysql_real_escape_string($str)
  . "')";
$result = mysql_query($sql_query);


Another solution (Will require more work, though, as you'll have to change more code) would be to use prepared statements ; either with mysqli_* or PDO -- but not possible with the old mysql_* extension.


Edit : if this doesn't work, can you edit your question, to give us more informations ? Like the piece of code that causes the error ?

link|flag
I am using that as well? still i get this error. – SlapThiS Dec 9 at 18:14
vote up 0 vote down

put your SQL query into a variable e.g.

$query = "SELECT * FROM table WHERE field= ".mysql_real_escape_string($var)."";

echo $query;

$result = mysql_query($query);

you can then inspect what is actually sent to mysql as the query

link|flag
vote up 0 vote down

You have to escape the strings, using the appropriate method. You didn't mention what PHP functions you used so it's hard to guess. You should post the relevant snippet of PHP, but here's a couple of examples:

$text = "x'x";

// MySQL extension
mysql_query($db, "INSERT INTO table VALUES ('" . mysql_real_escape_string($text, $db) . "')");

// MySQLi extension
$db->query("INSERT INTO table VALUES ('" . $db->mysql_real_escape_string($text) . "')");

// PDO's prepared statement
$stmt = $pdo->prepare('INSERT INTO table VALUES (:myvalue)');
$stmt->execute(array(
    'myvalue' => $text
));

// Another example
$stmt = $pdo->prepare(
    'SELECT *
       FROM users
      WHERE first_name = :first
        AND last_name  = :last'
);

$stmt->execute(array(
    'first' => 'John',
    'last'  => 'Smith'
));

foreach ($stmt as $row)
{
    echo $row['user_id'];
}

I strongly recommend using PDO's prepared statements, it's shorter to type and easier to use in the long run.

link|flag
What are PDO's I really never heard of PDO's is there tutorials on PDO's not including php.net which I will be checking in a sec? – SlapThiS Dec 9 at 18:25
Added link to manual and another example for PDO. – Josh Davis Dec 10 at 0:56

Your Answer

Get an OpenID
or

Not the answer you're looking for? Browse other questions tagged or ask your own question.